fix(docker): apk upgrade in production stage to clear inherited CVEs

Trivy's image scan flagged nghttp2-libs CVE-2026-27135 (HTTP/2 DoS), inherited from nginx:alpine. The fix exists in Alpine's repos (1.68.1) but the base image's pinned tag is still on 1.68.0-r0. Run `apk upgrade --no-cache` in the production stage to pull current security fixes from Alpine, then install gettext as before. This keeps us current with Alpine security patches independent of how fast the upstream nginx:alpine tag rebuilds. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 11:43:59 -07:00
parent ebb2d9a2c5
commit 0d674f6adc
1 changed files with 3 additions and 1 deletions
@@ -19,7 +19,9 @@ RUN npm run build
 # --- Production stage ---
 FROM nginx:alpine AS production
-RUN apk add --no-cache gettext
+# Pull current security fixes for OS packages inherited from the base image
 # (e.g. nghttp2-libs CVE-2026-27135), then install envsubst for runtime config.
 RUN apk upgrade --no-cache && apk add --no-cache gettext
 COPY --from=build /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf
 COPY docker/config.js.template /etc/nginx/templates/config.js.template