Patch Alpine packages in the frontend image

Trivy flagged 33 HIGH/CRITICAL CVEs on the frontend image, all in OS packages on the alpine 3.21.3 base that nginxinc/nginx-unprivileged:1.27 ships (libcrypto3, libssl3, libpng, libxml2, libexpat, musl, nghttp2, zlib). The fixes are all backported into Alpine 3.21's package repo; the base image just hadn't been rebuilt since they landed. Run `apk upgrade --no-cache` in the runtime stage to pull the patched -r versions before installing gettext. Keeps the nginx version pinned at 1.27 (stable) while picking up Alpine's security-only patches. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 16:33:01 -07:00
parent 857856fe4e
commit 0e19be221a
1 changed files with 6 additions and 1 deletions
@@ -19,7 +19,12 @@ RUN pnpm --filter tehriehlbudget-frontend run build

 FROM nginxinc/nginx-unprivileged:1.27-alpine AS runtime
 USER root
-RUN apk add --no-cache gettext
+# Pull current Alpine package patches before adding anything else. The
+# base image lags behind upstream Alpine's security backports (openssl,
+# libxml2, libpng, musl, etc. were all flagged HIGH/CRITICAL on the
+# stock 3.21.3 packages). `apk upgrade` picks up the fixed -r versions
+# without bumping the nginx version itself.
+RUN apk upgrade --no-cache && apk add --no-cache gettext
 COPY --from=build --chown=nginx:nginx /repo/tehriehlbudget-frontend/dist /usr/share/nginx/html
 COPY --chown=nginx:nginx tehriehlbudget-frontend/nginx.conf            /etc/nginx/conf.d/default.conf
 COPY --chown=nginx:nginx tehriehlbudget-frontend/docker-entrypoint.sh  /docker-entrypoint.d/40-render-config.sh