2fd628e663
backend-ci / secrets-scan (push) Successful in 4s
backend-ci / sast (push) Successful in 7s
backend-ci / fs-scan (push) Successful in 12s
backend-ci / typecheck (push) Successful in 22s
backend-ci / test (push) Successful in 23s
backend-ci / lint (push) Successful in 27s
backend-ci / build (push) Successful in 1m22s
backend-ci / push (push) Has been skipped
Trivy's image scan flagged picomatch CVE-2026-33671 (ReDoS via crafted extglob patterns) in the npm CLI bundled inside node:22-alpine (/usr/local/lib/node_modules/npm/node_modules/picomatch). Our app's own picomatch is clean: only npm's vendored copy is vulnerable, and upstream npm hasn't shipped a fixed bundle yet.

The production container only needs `node` and the prisma CLI binary at runtime. Switch entrypoint.sh from `npx prisma migrate deploy` to calling ./node_modules/.bin/prisma directly, then delete the bundled npm/yarn/corepack trees in the production stage. This removes the vulnerable file rather than waiting on the upstream base image.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
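As an added example, not the project's own entrypoint.sh or Dockerfile, the shell below sketches the two steps the commit describes (call the locally installed prisma CLI instead of `npx`, then strip the bundled package managers from the image) plus the check a reviewer would run afterwards: that no `node_modules/picomatch` copy is left anywhere outside the app's own tree, which is what Trivy keys on. The paths under /usr/local and /opt are the layout assumed for node:22-alpine (npm and corepack under /usr/local/lib/node_modules with symlinks in /usr/local/bin, yarn under /opt/yarn-v*); the package.json files and the fake prisma script are a constructed fixture, and `make_fixture`, `strip_package_managers`, `check_no_stray_picomatch` and `run_migrations` are names chosen here.

```shell
#!/bin/sh
# Added example; not the project's code. Assumed node:22-alpine layout:
#   $ROOT/usr/local/lib/node_modules/{npm,corepack}
#   $ROOT/usr/local/bin/{npm,npx,corepack,yarn,yarnpkg} -> symlinks into the above / /opt
#   $ROOT/opt/yarn-v*/
# The application lives under $ROOT/app with its own node_modules.

# Step 1 (entrypoint.sh): run the locally installed CLI directly, so npm/npx
# are not needed at runtime. Replaces `npx prisma migrate deploy`.
run_migrations() {
    app_dir="${1:-/app}"
    "$app_dir/node_modules/.bin/prisma" migrate deploy
}

# Step 2 (Dockerfile production stage): delete the bundled package managers
# and their dangling /usr/local/bin symlinks. In the image this runs as
# `RUN ... strip_package_managers /`; the argument is mandatory on purpose.
strip_package_managers() {
    r="${1%/}"   # "/" becomes "", "/tmp/x" stays "/tmp/x"
    rm -rf "$r/usr/local/lib/node_modules/npm" \
           "$r/usr/local/lib/node_modules/corepack" \
           "$r"/opt/yarn-v*
    rm -f "$r/usr/local/bin/npm" "$r/usr/local/bin/npx" \
          "$r/usr/local/bin/corepack" \
          "$r/usr/local/bin/yarn" "$r/usr/local/bin/yarnpkg"
}

# Post-check: Trivy reports a picomatch finding per node_modules/picomatch/package.json
# it sees. Succeed (exit 0) only if none exists outside the app's own node_modules.
check_no_stray_picomatch() {
    r="${1%/}"; app_dir="${2:-$r/app}"
    stray=$(find "${r:-/}" -path "$app_dir/node_modules" -prune -o \
                 -type f -path '*/node_modules/picomatch/package.json' -print)
    [ -z "$stray" ]
}

# Constructed fixture standing in for a node:22-alpine filesystem with the app copied in.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/lib/node_modules/npm/node_modules/picomatch" \
             "$root/usr/local/lib/node_modules/corepack" \
             "$root/usr/local/bin" "$root/opt/yarn-v1.22.22/bin" \
             "$root/app/node_modules/.bin" "$root/app/node_modules/picomatch"
    echo '{"name":"picomatch","version":"0.0.0"}' \
        > "$root/usr/local/lib/node_modules/npm/node_modules/picomatch/package.json"   # npm's vendored copy
    echo '{"name":"picomatch","version":"0.0.0"}' \
        > "$root/app/node_modules/picomatch/package.json"                             # the app's own copy
    touch "$root/usr/local/bin/node"
    ln -s ../lib/node_modules/npm/bin/npm-cli.js      "$root/usr/local/bin/npm"
    ln -s ../lib/node_modules/npm/bin/npx-cli.js      "$root/usr/local/bin/npx"
    ln -s ../lib/node_modules/corepack/dist/corepack.js "$root/usr/local/bin/corepack"
    ln -s ../../../opt/yarn-v1.22.22/bin/yarn.js      "$root/usr/local/bin/yarn"
    ln -s ../../../opt/yarn-v1.22.22/bin/yarn.js      "$root/usr/local/bin/yarnpkg"
    # Fake prisma CLI that just echoes how it was invoked.
    printf '#!/bin/sh\necho "prisma $*"\n' > "$root/app/node_modules/.bin/prisma"
    chmod +x "$root/app/node_modules/.bin/prisma"
    echo "$root"
}

# Demo on the fixture (never on a real / from a dev box).
demo_root=$(make_fixture)
check_no_stray_picomatch "$demo_root" "$demo_root/app" || echo "before: vendored picomatch present"
strip_package_managers "$demo_root"
check_no_stray_picomatch "$demo_root" "$demo_root/app" && echo "after: no vendored picomatch left"
run_migrations "$demo_root/app"
rm -rf "$demo_root"
```

The check deliberately looks for `package.json` rather than the package directory, because an empty directory would not be reported as a package. Two caveats worth keeping in mind: once npm is gone, nothing else in the image may shell out to `npm`, `npx` or `corepack` (health checks and one-off scripts included), and the removal has to happen in the final stage, not a builder stage, or the layer Trivy scans still carries the file.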