# =============================================================================
# R2 Bucket Manager - Cloudflare Workers Deployment
# =============================================================================
# Multi-stage build for optimal image size and security
# Production-ready image: ~150MB
# =============================================================================
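# -----------------
# Stage 1: Builder
# -----------------
FROM node:24-alpine AS builder
WORKDIR /app

# Versions are build-time knobs so CI can pin them explicitly (--build-arg)
# and so this stage and the runtime stage cannot drift apart silently.
# NPM_VERSION defaults to "latest" to keep the previous behaviour; pin it
# (e.g. --build-arg NPM_VERSION=<exact version>) for reproducible builds.
ARG NPM_VERSION=latest
# P111 - keep these in sync with the overrides in package.json
ARG GLOB_VERSION=11.1.0
ARG TAR_VERSION=7.5.11
ARG MINIMATCH_VERSION=10.2.5
ARG PICOMATCH_VERSION=4.0.4

# Upgrade npm to fix CVE-2024-21538 (cross-spawn vulnerability)
RUN npm install -g "npm@${NPM_VERSION}"

# Patch npm's own bundled dependencies (P111)
# - glob:      CVE-2025-64756
# - tar:       CVE-2026-23745, CVE-2026-23950, CVE-2026-24842, CVE-2026-26960
# - minimatch: CVE-2026-27904, CVE-2026-27903 (ReDoS)
# - picomatch: Method injection logic in POSIX Character Classes
# npm bundles vulnerable transitive deps; every copy under npm's own
# node_modules tree (top level or nested) is replaced with the patched release.
# Matching "*/node_modules/<pkg>" instead of any directory with that name keeps
# the rm -rf from wiping unrelated directories that merely share the name
# (e.g. a lib/tar/ folder inside some other package).
# Work is staged in a private directory rather than /tmp/* so the cleanup only
# removes what this step created. `npm --version` at the end is a smoke test
# that the patched CLI still starts.
RUN set -eu; \
    mkdir -p /tmp/npm-patch; \
    for spec in "glob@${GLOB_VERSION}" "tar@${TAR_VERSION}" \
                "minimatch@${MINIMATCH_VERSION}" "picomatch@${PICOMATCH_VERSION}"; do \
        name="${spec%@*}"; \
        npm pack --pack-destination /tmp/npm-patch "$spec"; \
        mkdir -p "/tmp/npm-patch/$name"; \
        tar -xzf /tmp/npm-patch/"$name"-*.tgz -C "/tmp/npm-patch/$name"; \
        find /usr/local/lib/node_modules/npm -type d -path "*/node_modules/$name" \
            -exec sh -c 'rm -rf "$1"/* && cp -r "$2"/package/. "$1"/' _ {} "/tmp/npm-patch/$name" \; ; \
    done; \
    rm -rf /tmp/npm-patch; \
    npm --version

# Native toolchain for node-gyp so any native dependency can be compiled.
# Package versions follow the Alpine repos of the base tag; pin them here if a
# reproducible toolchain is required.
RUN apk add --no-cache \
    g++ \
    make \
    python3

# Copy only the manifests first so the dependency layer stays cached until
# package*.json changes
COPY package*.json ./

# Install ALL dependencies (including devDependencies for build)
RUN npm ci --include=dev

# Copy source code (keep .git, node_modules, .env and friends out of the
# context via .dockerignore so they never land in a layer)
COPY . .

# Build the application
RUN npm run build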
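# -----------------
# Stage 2: Runtime
# -----------------
FROM node:24-alpine AS runtime
WORKDIR /app

# ARGs are per-stage, so they are redeclared here. NPM_VERSION defaults to
# "latest" to keep the previous behaviour; pin it for reproducible builds.
ARG NPM_VERSION=latest
# P111 - keep these in sync with the overrides in package.json
ARG GLOB_VERSION=11.1.0
ARG TAR_VERSION=7.5.11
ARG MINIMATCH_VERSION=10.2.5
ARG PICOMATCH_VERSION=4.0.4

# Upgrade npm to fix CVE-2024-21538 (cross-spawn vulnerability)
RUN npm install -g "npm@${NPM_VERSION}"

# Patch npm's own bundled dependencies (P111)
# - glob:      CVE-2025-64756
# - tar:       CVE-2026-23745, CVE-2026-23950, CVE-2026-24842, CVE-2026-26960
# - minimatch: CVE-2026-27904, CVE-2026-27903 (ReDoS)
# - picomatch: Method injection logic in POSIX Character Classes
# Same layout-agnostic replacement as the builder stage: every copy under npm's
# own node_modules tree is swapped for the patched release. Matching
# "*/node_modules/<pkg>" keeps the rm -rf away from unrelated directories that
# merely share the package name; the private staging directory keeps the
# cleanup scoped to this step. `npm --version` is a smoke test that the patched
# CLI still starts.
RUN set -eu; \
    mkdir -p /tmp/npm-patch; \
    for spec in "glob@${GLOB_VERSION}" "tar@${TAR_VERSION}" \
                "minimatch@${MINIMATCH_VERSION}" "picomatch@${PICOMATCH_VERSION}"; do \
        name="${spec%@*}"; \
        npm pack --pack-destination /tmp/npm-patch "$spec"; \
        mkdir -p "/tmp/npm-patch/$name"; \
        tar -xzf /tmp/npm-patch/"$name"-*.tgz -C "/tmp/npm-patch/$name"; \
        find /usr/local/lib/node_modules/npm -type d -path "*/node_modules/$name" \
            -exec sh -c 'rm -rf "$1"/* && cp -r "$2"/package/. "$1"/' _ {} "/tmp/npm-patch/$name" \; ; \
    done; \
    rm -rf /tmp/npm-patch; \
    npm --version

# Install runtime OS packages only (curl is needed by HEALTHCHECK)
# Security Notes:
# - Application runtime dependencies: refer to package-lock.json. (devDependencies are not installed)
# - npm CLI bundled dependencies: glob, tar, minimatch, picomatch at the versions
#   declared in the ARGs above (manually patched in npm's installation via P111
#   using the layout-agnostic strategy)
# - Precautionary overrides: flatted, brace-expansion
# - curl 8.17.0-r1 has CVE-2025-14819, CVE-2025-14524, CVE-2025-14017 (MEDIUM)
#   Fix version 8.18.0-r0 not yet available in Alpine repos (upstream availability gap)
# - busybox has CVE-2025-46394 & CVE-2024-58251 (LOW) with no fixes available yet
#   These are accepted upstream risks - will upgrade when Alpine publishes patched packages
RUN apk add --no-cache \
    ca-certificates \
    curl

# Create the non-root user before anything is written to /app so that the
# dependency install and all copies happen as that user: no root-owned files
# to fix up afterwards, and no `chown -R` layer that would duplicate the whole
# node_modules tree in the image.
# Note: Alpine Linux uses GID 1000 for 'users' group, so we use a different GID
RUN addgroup -g 1001 app && \
    adduser -D -u 1001 -G app app && \
    chown app:app /app

# Everything from here on runs unprivileged
USER app

# Copy package files
COPY --chown=app:app package*.json ./

# Install production dependencies only; npm's cache lives in the app user's
# home and is cleared in the same layer
RUN npm ci --omit=dev && \
    npm cache clean --force

# Copy built application from builder, already owned by the runtime user
COPY --chown=app:app --from=builder /app/dist ./dist
COPY --chown=app:app --from=builder /app/worker ./worker
COPY --chown=app:app --from=builder /app/wrangler.toml.example ./wrangler.toml.example

# Expose Wrangler dev server port (documentation only; publish with -p)
EXPOSE 8787

# Health check against the app's own endpoint; -sS keeps the probe quiet but
# still reports transport errors
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD curl -fsS http://localhost:8787/health || exit 1

# Default command: Run Wrangler in development mode
# Override with specific commands for production deployment
CMD ["npx", "wrangler", "dev", "--ip", "0.0.0.0", "--port", "8787"]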