chore: remove libgnutls30 from Docker runtime image #214
Merged
libgnutls30 is present in node:22-slim as a transitive dependency of apt, which is not needed at runtime. Node.js uses OpenSSL for TLS, not gnutls. Force-remove it after all apt operations are complete.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
| @@ -1,5 +1,9 @@ | |||
| FROM node:22-slim | |||
|
|
|||
| # Remove gnutls from the runtime image. libgnutls30 is only depended on by apt, | |||
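Review bot: The comment added after `FROM node:22-slim` asserts that libgnutls30 is only depended on by apt, but nothing in the build verifies it, and the base is a floating tag whose package set can change between pulls. Consider making the removal step fail the build when any installed package other than apt depends on libgnutls30, or when the package is not installed at all, so a base-image update cannot turn the step into a silent no-op or remove a library that something at runtime loads. The comment should also say that the force-removal leaves apt with an unmet dependency, so images built on top of this one should not expect apt to work.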
perl 5.36.0-7+deb12u3 / Dockerfile.FROM
Total vulnerabilities: 3

| Critical: 0 | High: 3 | Medium: 0 | Low: 0 |
|---|---|---|---|

| Vulnerability ID | Severity | CVSS | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-48961 | High | 7.3 | - | Open |
| CVE-2026-48962 | High | 7.3 | - | Open |
| CVE-2026-48959 | High | 7.5 | - | Open |
existing issue, not induced by current PR
zmofei approved these changes Jun 15, 2026
Summary

Removes `libgnutls30` from the `node:22-slim` runtime image. The package is present in the Debian slim base solely as a dependency of `apt`. Since `apt` is not needed at runtime, `libgnutls30` can be force-removed after all package operations are complete without affecting the running server.

Node.js uses OpenSSL for TLS — `libgnutls30` is not called by any code path in this server and was an unused transitive system dependency.

Test plan

- `docker build .` completes without errors; `libgnutls30` removal is confirmed in build output
- `docker run --rm <image> sh -c "cd /app && npm test"`)
- `initialize` + `tools/list` handshake completes; all 28 tools register correctly
- `search_and_geocode_tool`, `reverse_geocode_tool`, and `directions_tool` — all returned correct results

search_and_geocode_tool — forward geocode "Eiffel Tower, Paris"

```json
{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"search_and_geocode_tool","arguments":{"q":"Eiffel Tower, Paris"}}}
```

Returned multiple ranked results including the Eiffel Tower in Paris, France with correct coordinates.

reverse_geocode_tool — coordinates 40.7484, -73.9857

```json
{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"reverse_geocode_tool","arguments":{"longitude":-73.9857,"latitude":40.7484}}}
```

Returned:

directions_tool — driving route SF → Oakland

```json
{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"directions_tool","arguments":{"coordinates":[{"longitude":-122.4194,"latitude":37.7749},{"longitude":-122.2712,"latitude":37.8044}],"routing_profile":"mapbox/driving"}}}
```

Returned a route via I-80 East, duration 1522s, distance 19848m, average speed 66 kph.

Notes

`libgnutls30` is removed with `dpkg --remove --force-depends` because `apt` lists it as a dependency. This is safe post-build: `apt` is not used at container runtime and the server has no dependency on gnutls.
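
A build-time guard for the removal described in the Notes, as an added example that is not part of this PR or the project's Dockerfile: before `dpkg --remove --force-depends` runs, it reads the dpkg status file and refuses unless `apt` is the only installed package that depends on `libgnutls30`. The function names and the sample package entries (`curl-example`, `mailer-example`) are constructed for illustration.

```shell
# List installed packages whose Depends/Pre-Depends field names package $1,
# reading the dpkg status file $2 (default /var/lib/dpkg/status).
rdepends_installed() {
    awk -v want="$1" '
        function flush(   n, i, name) {
            n = installed ? split(deps, alt, "[,|]") : 0
            for (i = 1; i <= n; i++) {
                name = alt[i]
                sub(/^[ \t]+/, "", name)      # leading blanks
                sub(/[ \t(:].*$/, "", name)   # version constraint or :arch
                if (name == want) { print pkg; break }
            }
            pkg = ""; deps = ""; installed = 0
        }
        /^Package:/        { pkg = $2 }
        /^Status:/         { installed = ($0 ~ / installed$/) }
        /^(Pre-)?Depends:/ { line = $0; sub(/^[^:]*:/, "", line); deps = deps "," line }
        /^$/               { flush() }
        END                { flush() }
    ' "${2:-/var/lib/dpkg/status}"
}

# Succeed only if $2 is the sole installed package depending on $1, e.g.
#   only_needed_by libgnutls30 apt && dpkg --remove --force-depends libgnutls30
only_needed_by() {
    others=$(rdepends_installed "$1" "$3" | grep -vxF -- "$2" || true)
    [ -z "$others" ] && return 0
    echo "not removing $1, still needed by:" $others >&2
    return 1
}

# Constructed sample status data, not taken from a real image.
sample_status() {
    cat <<'EOF'
Package: apt
Status: install ok installed
Depends: adduser, libgnutls30 (>= 3.7.5), libc6 (>= 2.34)

Package: curl-example
Status: deinstall ok config-files
Depends: libgnutls30

Package: mailer-example
Status: install ok installed
Depends: libc6, libssl3 | libgnutls30:any
EOF
}
```

The check is deliberately conservative: a package that lists `libgnutls30` only as one alternative (`a | b`) still counts as a dependent, while packages that are removed but not purged are ignored.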