From 5103a9e8519eb5a9cb77e78fc5ce0f6fc4c5783d Mon Sep 17 00:00:00 2001
From: Valentin Salmanovicius
Date: Mon, 15 Jun 2026 10:50:29 +0100
Subject: [PATCH] chore: migrate Docker base image from node:22-slim to node:22-alpine
Switches the base image to Alpine, which uses OpenSSL and omits the gnutls library entirely, removing a class of OS-level package vulnerabilities carried by the Debian slim image. Also replaces `npm install` with `npm ci` for lockfile-exact, reproducible installs in Docker builds.
Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 CHANGELOG.md | 4 ++++
 Dockerfile | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ef1dcc..7d4658a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Unreleased
+### Changed
+
+- **Docker**: Migrate base image from `node:22-slim` (Debian Bookworm) to `node:22-alpine`. Alpine carries no gnutls library and uses OpenSSL directly, removing a class of OS-level package vulnerabilities present in the Debian slim image. Also swaps `npm install` for `npm ci` in the install step for reproducible, lockfile-exact builds.
+
 ## 0.12.3 - 2026-06-11
 ### Changed
diff --git a/Dockerfile b/Dockerfile
index 1c3a6f7..b939a90 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:22-slim
+FROM node:22-alpine
 # Upgrade npm to fix CVE-2026-33750 (brace-expansion < 2.0.3 bundled in npm 10.x)
 RUN npm install -g npm@11.16.0
@@ -10,7 +10,7 @@ WORKDIR /app
 COPY package*.json ./
 # Install dependencies - completely skip prepare scripts during Docker build
-RUN npm install --ignore-scripts
+RUN npm ci --ignore-scripts
 # Copy the rest of the application
 COPY . .
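Review bot: `FROM node:22-alpine` is a floating tag that moves with every Node 22.x and Alpine point release, so the reproducibility this commit claims for the `npm ci` step does not extend to the OS layer; pin the digest, `FROM node:22-alpine@sha256:<digest>`, and bump it deliberately alongside the npm pin on the next line. The Debian-to-Alpine move also swaps glibc for musl, which changes the outcome for any dependency that ships or compiles native addons, and that caveat belongs in the header comment, e.g. `# Alpine/musl base: native addons (node-gyp) need python3/make/g++ from apk and musl-compatible prebuilds`. The "removes a class of OS-level vulnerabilities" rationale is best backed by a scanner run against the new image rather than asserted, since Alpine has its own advisory stream for openssl, busybox and musl. The rest of the Dockerfile (any `USER` directive, `.dockerignore` handling) lies outside this hunk, so whether the final image still runs as root cannot be confirmed from here.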
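Review bot: `npm ci` hard-fails when `package-lock.json` is absent or out of sync with `package.json`, but the preceding `COPY package*.json ./` succeeds silently when no lockfile is in the build context, so a gitignored, `.dockerignore`d or simply forgotten lockfile now surfaces as an opaque npm error several layers in; make the lockfile an explicit input, `COPY package.json package-lock.json ./`, so the build fails at the COPY step with a clear message and the lockfile becomes a visible part of the image's supply chain. The lockfile is also read by the npm 11 installed in the first hunk rather than the npm bundled with the base image, so its `lockfileVersion` must be one that npm 11's `ci` accepts — a `docker build` on this branch in CI would confirm that before merge. `--ignore-scripts` is carried over unchanged, so dependencies relying on a postinstall build step still get no binary; that was already true, but the comment above could say so explicitly.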