From 5fdf5dd951c413cbd5643cea06d973dfd02b0c49 Mon Sep 17 00:00:00 2001
From: Karan Thakkar
Date: Sat, 13 Dec 2025 22:02:52 +0000
Subject: [PATCH] fix(ci): upgrade packages to resolve trivy failures
---
.github/workflows/release.yml | 19 ++++++++++---------
Dockerfile | 3 ++-
2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2b53465..3c01db1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -59,24 +59,17 @@ jobs: cache-from: type=gha cache-to: type=gha,mode=max
- - name: Create GitHub Release
- uses: softprops/action-gh-release@v2
- if: startsWith(github.ref, 'refs/tags/')
- with:
- generate_release_notes: true
- files: |
- CHANGELOG.md
- # 2. Scan Local Image with Trivy # Fail if Critical/High vulnerabilities are found - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.29.0 with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' exit-code: '1' # Fail the build on vulnerability
+ trivyignores: .trivyignore ignore-unfixed: true - name: Upload Trivy scan results to GitHub Security tab
@@ -105,3 +98,11 @@ jobs: DIGEST: ${{ steps.build-and-push.outputs.digest }} run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+ - name: Create GitHub Release
+ uses: softprops/action-gh-release@v2
+ if: startsWith(github.ref, 'refs/tags/')
+ with:
+ generate_release_notes: true
+ files: |
+ CHANGELOG.md
+
diff --git a/Dockerfile b/Dockerfile
index d7cfc48..84e412f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@ FROM node:20-slim as builder WORKDIR /app # Install build dependencies for node-canvas (Debian)
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get upgrade -y && apt-get install -y \ build-essential \ libcairo2-dev \ libpango1.0-dev \ 
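Review bot: `uses: aquasecurity/trivy-action@0.29.0` pins to a tag, which the upstream maintainer can move or delete, so for the step that gates what gets signed and released it should be pinned to the full commit SHA with the version kept as a comment, `uses: aquasecurity/trivy-action@<full-commit-sha> # 0.29.0`, and the same applies to `softprops/action-gh-release@v2` in the second hunk of this file. `trivyignores: .trivyignore` also changes what the scanner enforces: every CVE listed in that file is silently exempt from the CRITICAL/HIGH gate, and the file is not part of this commit (the diffstat lists only the workflow and the Dockerfile), so nothing here shows what it suppresses or whether it exists yet. Each entry in it should carry a justification comment and, where Trivy's ignore-file syntax supports it, an expiry so suppressions get revisited instead of accumulating. The comment above the step still reads as an unconditional gate; amending it to `# Fail if Critical/High vulnerabilities are found (except those listed in .trivyignore)` keeps the workflow honest about the exception path.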
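Review bot: `apt-get upgrade -y` in the `FROM node:20-slim as builder` stage makes the image depend on whatever Debian has published at build time, so the same Dockerfile can pass the Trivy gate today and fail tomorrow, while the base tag itself is still floating. Pinning the base by digest, `FROM node:20-slim@sha256:<digest> as builder`, and bumping that digest deliberately gives a reproducible fix that the scan result actually describes; the upgrade can stay as a belt-and-braces step, but it should not be the only thing standing between a floating base and a failing release. If the published image is built from a later runtime stage rather than this builder stage (the rest of the Dockerfile is outside the hunk, so this is inferred), upgrading packages here will not change what Trivy scans in `image-ref`, and the runtime stage needs the same treatment. The `RUN` statement continues past the end of this hunk.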
@@ -46,6 +46,7 @@ RUN apt-get update && apt-get install -y \ libjpeg62-turbo \ libgif7 \ librsvg2-2 \
+ && npm install -g npm@latest \ && rm -rf /var/lib/apt/lists/* COPY package*.json ./
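Review bot: `npm install -g npm@latest` fetches an unpinned package from the registry on every build, so the builder's npm version is whatever was published most recently and a broken or compromised npm release would be picked up automatically; pin it, `&& npm install -g npm@<pinned-version> \`, and bump the version on purpose so a green Trivy run still says something about the next build. It is also spliced into the apt-get chain ahead of `rm -rf /var/lib/apt/lists/*`; giving it its own `RUN` line after the apt cleanup keeps the package-manager layer self-contained and lets the apt layer stay cached when only the npm version changes. The `RUN` statement this hunk modifies begins before the hunk.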