Remove npm from release stage (#175)

* Fix semver vulnerability in base image by removing npm from release stage, since the version of npm in the base image had a vulnerability in the semver dependency * Target release stage explicitly in make release-build --------- Co-authored-by: Sawyer Hollenshead <[email protected]>
navapbc · Jul 13, 2023 · 7778fc8 · 7778fc8
1 parent 1f97de5
commit 7778fc8
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 4 deletions.
diff --git a/app/Dockerfile b/app/Dockerfile
@@ -1,7 +1,7 @@
 # This file is largely based on the template-application-flask Dockerfile and
 # Next.js Docker example: https://github.com/vercel/next.js/blob/canary/examples/with-docker-compose
 # =============================================================================
-FROM node:18-alpine AS base
+FROM node:18-bullseye-slim AS base
 WORKDIR /app
 
 # Install dependencies
@@ -56,9 +56,13 @@ RUN npm run build -- --no-lint
 # Run the Next.js server
 # =====================================
 # Use clean image for release, excluding any unnecessary files or dependencies
-FROM node:18-alpine AS release
+FROM node:18-bullseye-slim AS release
 WORKDIR /app
 
+# Release stage doesn't have a need for `npm`, so remove it to avoid 
+# any vulnerabilities specific to NPM
+RUN npm uninstall -g npm
+
 # Don't run production as root
 RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 nextjs
@@ -81,4 +85,4 @@ ENV PORT 3000
 
 EXPOSE 3000
 
-CMD ["node", "server.js"]
+CMD ["node", "server.js"]
diff --git a/app/Makefile b/app/Makefile
@@ -27,6 +27,7 @@ export RUN_UID
 ##################################################
 release-build:
 	docker buildx build \
+	  --target release \
 		--platform=linux/amd64 \
 		--build-arg RUN_USER=$(RUN_USER) \
 		--build-arg RUN_UID=$(RUN_UID) \
@@ -45,4 +46,4 @@ storybook: # Run the Storybook local dev server in Docker
 	docker compose logs --follow storybook
 
 stop:
-	docker-compose down
+	docker-compose down