From 0d674f6adc4db03ab994d938969286141590bfc2 Mon Sep 17 00:00:00 2001
From: Kevin Riehl
Date: Wed, 13 May 2026 11:43:59 -0700
Subject: [PATCH] fix(docker): apk upgrade in production stage to clear inherited CVEs

Trivy's image scan flagged nghttp2-libs CVE-2026-27135 (HTTP/2 DoS), inherited from nginx:alpine. The fix exists in Alpine's repos (1.68.1) but the base image's pinned tag is still on 1.68.0-r0.

Run `apk upgrade --no-cache` in the production stage to pull current security fixes from Alpine, then install gettext as before.

This keeps us current with Alpine security patches independent of how fast the upstream nginx:alpine tag rebuilds.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index b6a824f..15fa847 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,7 +19,9 @@ RUN npm run build
 # --- Production stage ---
 FROM nginx:alpine AS production
-RUN apk add --no-cache gettext
+# Pull current security fixes for OS packages inherited from the base image
+# (e.g. nghttp2-libs CVE-2026-27135), then install envsubst for runtime config.
+RUN apk upgrade --no-cache && apk add --no-cache gettext
 COPY --from=build /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf
 COPY docker/config.js.template /etc/nginx/templates/config.js.template
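Review bot: The added `RUN apk upgrade --no-cache` sits on an unpinned `FROM nginx:alpine`, so the production image now depends on both the day the tag was pulled and the day Alpine's repos were queried; two builds of the same commit can scan differently, and a regression in any upgraded package cannot be bisected to a Dockerfile change (hadolint flags this as DL3017 for the same reason). A narrower fix that keeps the CVE-2026-27135 remediation verifiable is to pin the base by digest and request the patched library explicitly, e.g. `FROM nginx:alpine@sha256:<digest placeholder> AS production` and `RUN apk add --no-cache gettext 'nghttp2-libs>=1.68.1'`, then bump the digest once the upstream tag rebuilds. If the blanket upgrade is kept deliberately, the new comment should say so and name the scanner gate it satisfies, so the next reader does not simplify it back to a plain `apk add`. The rest of the production stage (any `USER`, `EXPOSE`, `CMD`) lies outside the hunk.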