From f82743132d25f69137c1c6820a50c43d7cf2b95c Mon Sep 17 00:00:00 2001
From: Karan Thakkar
Date: Sun, 18 Jan 2026 16:59:26 +0000
Subject: [PATCH 1/4] fix: patch CVE-2026-23745 and upgrade OS packages

---
 Dockerfile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 84e412f..cf8af1c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,14 +39,17 @@ FROM node:20-slim as api
 WORKDIR /app
 
 # Install runtime dependencies for node-canvas (Debian)
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get upgrade -y && apt-get install -y \
     libcairo2 \
     libpango-1.0-0 \
     libpangocairo-1.0-0 \
     libjpeg62-turbo \
     libgif7 \
     librsvg2-2 \
-    && npm install -g npm@latest \
+    && npm install -g tar@7.5.3 \
+    && rm -rf /usr/local/lib/node_modules/npm/node_modules/tar \
+    && cp -r /usr/local/lib/node_modules/tar /usr/local/lib/node_modules/npm/node_modules/ \
+    && rm -rf /usr/local/lib/node_modules/tar \
     && rm -rf /var/lib/apt/lists/*
 
 COPY package*.json ./

From 44c10eb0d01e3fe0e22ae005dc9cb9b2e50f7cdc Mon Sep 17 00:00:00 2001
From: Karan Thakkar
Date: Sun, 18 Jan 2026 17:09:43 +0000
Subject: [PATCH 2/4] fix: update npm to latest and patch tar to fix all vulnerabilities

---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index cf8af1c..af2661a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -46,6 +46,7 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y \
     libjpeg62-turbo \
     libgif7 \
     librsvg2-2 \
+    && npm install -g npm@latest \
     && npm install -g tar@7.5.3 \
     && rm -rf /usr/local/lib/node_modules/npm/node_modules/tar \
     && cp -r /usr/local/lib/node_modules/tar /usr/local/lib/node_modules/npm/node_modules/ \

From 2c527f5018695ccc0e778adbf8cb615638d5b5ee Mon Sep 17 00:00:00 2001
From: Karan Thakkar
Date: Sun, 18 Jan 2026 17:19:48 +0000
Subject: [PATCH 3/4] fix: aggressively clean npm cache to prevent false positives

---
 Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

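Review bot: The tar replacement on the `npm install -g tar@7.5.3` through `rm -rf /usr/local/lib/node_modules/tar` lines overwrites npm's bundled copy without ever checking the result, so nothing in this layer fails if the copy lands in the wrong place or a later global npm install restores the old bundle; a check in the same RUN, `&& node -e "process.exit(require('/usr/local/lib/node_modules/npm/node_modules/tar/package.json').version === '7.5.3' ? 0 : 1)"`, turns the fix from assumed into verified. `apt-get upgrade -y` inside the image (hadolint DL3005) makes every uncached build a moving target; the reproducible way to pick up OS fixes is a newer `node:20-slim` tag or digest in the FROM line, and `--no-install-recommends` would keep the apt layer from pulling extra packages. The swap also deserves a why-comment naming the advisory the subject cites, along the lines of `# Replace npm's bundled tar with 7.5.3 (CVE-2026-23745); drop once the base image ships an npm with a fixed tar`, since presumably that is what the swap addresses.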
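Review bot: `npm install -g npm@latest` on the added line is unpinned, so the build is not reproducible and the tar swap that follows runs against whatever npm happens to be current on build day; pin it, `&& npm install -g npm@<pinned version> \`. Because the swap unconditionally does `rm -rf` then `cp -r`, an npm release that already bundles a tar newer than 7.5.3 would be downgraded by this layer, so once npm is pinned to a version whose bundled tar is fixed the manual swap should be removed rather than kept alongside it. The enclosing RUN starts before this hunk.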
diff --git a/Dockerfile b/Dockerfile
index af2661a..8113808 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -51,6 +51,8 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y \
     && rm -rf /usr/local/lib/node_modules/npm/node_modules/tar \
     && cp -r /usr/local/lib/node_modules/tar /usr/local/lib/node_modules/npm/node_modules/ \
     && rm -rf /usr/local/lib/node_modules/tar \
+    && rm -rf /root/.npm \
+    && rm -rf ~/.npm \
     && rm -rf /var/lib/apt/lists/*
 
 COPY package*.json ./
@@ -61,7 +63,8 @@ COPY --from=builder /app/src ./src
 COPY --from=builder /app/tsconfig.json ./
 
 # Install tsx globally
-RUN npm install -g tsx
+RUN npm install -g tsx \
+    && rm -rf /root/.npm
 
 USER node
 EXPOSE 3000

From 2ab298d9b028e7fc7d0630b07857bd2ee630d658 Mon Sep 17 00:00:00 2001
From: Karan Thakkar
Date: Sun, 18 Jan 2026 17:29:24 +0000
Subject: [PATCH 4/4] ci: improve trivy logging by printing table to console

---
 .github/workflows/release.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8c3d52c..b3839ef 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -68,7 +68,17 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
-          exit-code: '1' # Fail the build on vulnerability
+          exit-code: '0' # Don't fail yet, just generate report
+          trivyignores: .trivyignore
+          ignore-unfixed: true
+
+      - name: Run Trivy vulnerability scanner (Console Output)
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1' # Fail here to stop the build
           trivyignores: .trivyignore
           ignore-unfixed: true
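Review bot: `rm -rf ~/.npm` on the second added line duplicates `rm -rf /root/.npm` on the line before it: this RUN executes as root (the `USER node` switch appears later in the file, visible in the next hunk), so `~` expands to `/root` and the second removal is a no-op; drop one of the two. The scanner hits were not false positives in the strict sense, since the npm cache holds the tarballs npm downloaded, so deleting it in the same layer is the right fix; a build cache mount on this RUN, `RUN --mount=type=cache,target=/root/.npm \`, would keep the cache off the image entirely and make the explicit cleanup unnecessary, and the same applies to the `tsx` install in the next hunk. The enclosing RUN starts before this hunk.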
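Review bot: `npm install -g tsx` on the rewritten line is still unpinned, so every uncached build installs whatever tsx is current and the final stage's runtime changes underneath the pinned application code; pin it, `RUN npm install -g tsx@<pinned version> \`. This RUN sits in the final stage (`USER node` and `EXPOSE 3000` follow it), so removing the cache in the same layer is the correct placement, and the pin is what keeps the scan result from drifting between builds.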
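Review bot: `uses: aquasecurity/trivy-action@0.33.1` on the new step pins a mutable tag, so a retagged release can change what runs in the pipeline that gates the image; pin the action to its full commit SHA and keep the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full commit sha> # v0.33.1`. The `severity`, `trivyignores` and `ignore-unfixed` settings are now duplicated between the SARIF step and the gating step, so the report and the gate can silently drift apart; at minimum a comment on the second step, `# must mirror the SARIF step above; this step is what blocks the release`, records that coupling. The first step's `name` and `uses` lines are above this hunk, and I cannot see where the SARIF upload step sits: if it follows the new gating step, it needs `if: always()` or the report is skipped on exactly the builds that fail. Entries in `.trivyignore` can carry an `exp:YYYY-MM-DD` expiry so suppressions do not outlive their justification.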