
chore: fix security vulnerabilities#9140

Merged
sriramveeraghanta merged 1 commit into
makeplane:previewfrom
pratapalakshmi:chore/fix/security/vulnerabilities
May 26, 2026

Conversation

pratapalakshmi (Contributor) commented May 26, 2026

Summary by CodeRabbit

  • Security Updates

    • Updated urllib3 and fast-uri to address security vulnerabilities.
    • Updated Caddy (2.11.3) and nginx (1.29-alpine) base images.
    • Suppressed false-positive CVE findings.
  • Chores

    • Optimized container images across services by updating Alpine packages and removing unnecessary build artifacts.


coderabbitai Bot (Contributor) commented May 26, 2026

📝 Walkthrough

This PR hardens the application security posture across multiple layers: suppressing a documented CVE false positive with Trivy, pinning vulnerable dependency versions, upgrading base images with security patches, removing unused build tools and vulnerable bundled modules from runtime images, and adding proxy modules for enhanced capabilities.

Changes

Dependency and Docker Image Security Hardening

  • Layer: Dependency and Trivy CVE Management
    File(s): .trivyignore, apps/api/requirements/base.txt, package.json
    Summary: Adds .trivyignore entry documenting CVE-2026-30242 as a false positive with version-scheme clarification, pins urllib3>=2.7.0 to address CVEs, and enforces fast-uri>=3.1.2 via pnpm overrides.
  • Layer: Nginx-Based Services Alpine Hardening
    File(s): apps/admin/Dockerfile.admin, apps/web/Dockerfile.web
    Summary: Updates nginx base images (nginx:1.29-alpine) and adds Alpine package update and upgrade steps with cache cleanup during production image builds.
  • Layer: Node.js Runtime Hardening: Tool and Module Removal
    File(s): apps/live/Dockerfile.live, apps/space/Dockerfile.space
    Summary: Hardens runtime images by removing Go tooling, the vulnerable picomatch npm module, and build-only binaries (esbuild, tsgolint); apps/space sets NODE_ENV=production explicitly.
  • Layer: Caddy Proxy Builder Upgrades and Hardening
    File(s): apps/proxy/Dockerfile.ce
    Summary: Upgrades Caddy from 2.10.0 to 2.11.3, adds modules for go-jose, grpc, and OpenTelemetry support, and hardens the runtime stage with Alpine package updates.
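An added example, not part of this PR or the CodeRabbit review: a small Python lint for the .trivyignore pattern the walkthrough describes (each suppressed CVE documented as a false positive). It goes one step further and also requires Trivy's `exp:YYYY-MM-DD` expiry token, so that a suppression is re-evaluated instead of living forever. The plain-text format and the `exp:` token are Trivy's own; the "comment directly above the entry" policy and the sample file are assumptions constructed for this example.

```python
"""Lint a Trivy .trivyignore: every suppressed ID must be justified and time-boxed.
Assumes Trivy's plain-text format: one ID per line, '#' comment lines, optional
'exp:YYYY-MM-DD' token; a comment line directly above an entry is its justification."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Vulnerability ID (CVE-..., GHSA-..., ...) with an optional expiry token.
ENTRY_RE = re.compile(r"^(?P<id>[A-Za-z0-9_-]+)(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?$")

@dataclass
class Finding:
    line: int
    vuln_id: str
    problem: str

def lint_trivyignore(text: str, today_iso: Optional[str] = None) -> List[Finding]:
    """Return one Finding per policy violation; an empty list means the file is clean."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    findings: List[Finding] = []
    justified = False  # True while the previous line was a '#' comment
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            justified = False  # a blank line breaks the comment/entry pairing
            continue
        if line.startswith("#"):
            justified = True
            continue
        match = ENTRY_RE.match(line)
        if not match:
            findings.append(Finding(lineno, line, "unparseable entry"))
            justified = False
            continue
        vuln_id, exp = match.group("id"), match.group("exp")
        if not justified:
            findings.append(Finding(lineno, vuln_id, "no justification comment above entry"))
        if exp is None:
            findings.append(Finding(lineno, vuln_id, "no exp: date; suppression never expires"))
        elif date.fromisoformat(exp) < today:
            findings.append(Finding(lineno, vuln_id, f"exp: {exp} has passed; re-evaluate"))
        justified = False
    return findings

# Constructed sample (not the PR's real file): a documented, time-boxed entry, then an undocumented open-ended one.
SAMPLE = """\
# CVE-2026-30242: false positive, scanner misreads the package version scheme
CVE-2026-30242 exp:2026-12-31

CVE-2020-00000
"""
```

Run it as a CI step over the repository's .trivyignore and fail the job when the returned list is non-empty; the same check is a good place to catch suppressions that were meant to be temporary.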

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

A rabbit hops through Docker rows, 🐰
Patching deps and trimming foes—
Go binaries flee, CVEs suppressed with care,
Caddy sings at 2.11.3, light as alpine air!
Security hardens, one layer at a time. ✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Description check: ⚠️ Warning
    Explanation: No pull request description was provided by the author, failing to include any of the required template sections such as Description, Type of Change, or References.
    Resolution: Add a complete pull request description following the repository template, including details about the vulnerabilities fixed, type of change, and any relevant issue references.
  • Title check: ❓ Inconclusive
    Explanation: The title 'chore: fix security vulnerabilities' is vague and generic, using non-descriptive terms that don't convey meaningful information about the specific vulnerabilities being addressed.
    Resolution: Consider making the title more specific by mentioning key vulnerabilities or changes, such as 'chore: fix CVE-2026-30242 and update vulnerable dependencies' or similar.

✅ Passed checks (3 passed)

  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


pratapalakshmi force-pushed the chore/fix/security/vulnerabilities branch from bf0939f to 31bd724 on May 26, 2026 at 06:20
pratapalakshmi force-pushed the chore/fix/security/vulnerabilities branch from 31bd724 to 893f528 on May 26, 2026 at 06:23

coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
apps/space/Dockerfile.space (1)

83-95: 🏗️ Heavy lift

Clarify npx dependency after removing bundled picomatch

  • npx doesn’t need the picomatch package from npm’s bundled modules to execute an already-present local binary (it resolves binaries via node_modules/.bin/PATH), so removing /usr/local/lib/node_modules/npm/node_modules/picomatch is unlikely to break npx react-router-serve.
  • Keep a small container build/runtime smoke test in CI (e.g., npx react-router-serve --help) to catch any unexpected coupling in this specific image.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/space/Dockerfile.space` around lines 83 - 95, Remove the bundled
picomatch deletion uncertainty by adding a CI smoke test that verifies npx can
still run local binaries after the RUN rm -rf
/usr/local/lib/node_modules/npm/node_modules/picomatch step; specifically, after
the image build run a container that executes a help command such as `npx
react-router-serve --help` (or an equivalent locally-installed binary) to ensure
npx resolves node_modules/.bin correctly and fails the build if the command
errors, and document this test alongside the Dockerfile change referencing the
rm -rf removal of npm/node_modules/picomatch.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 931af457-e3c6-4273-9c4c-ea337d57168a

📥 Commits

Reviewing files that changed from the base of the PR and between 9f77ea5 and 893f528.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (8)
  • .trivyignore
  • apps/admin/Dockerfile.admin
  • apps/api/requirements/base.txt
  • apps/live/Dockerfile.live
  • apps/proxy/Dockerfile.ce
  • apps/space/Dockerfile.space
  • apps/web/Dockerfile.web
  • package.json

@sriramveeraghanta sriramveeraghanta merged commit 13a3ea2 into makeplane:preview May 26, 2026
11 checks passed