movieloop-frontend/Dockerfile
TehRiehlDeal 0d674f6adc
frontend-ci / typecheck (push) Failing after 5s
frontend-ci / secrets-scan (push) Successful in 5s
frontend-ci / fs-scan (push) Successful in 11s
frontend-ci / sast (push) Successful in 13s
frontend-ci / lint (push) Successful in 15s
frontend-ci / build (push) Has been skipped
frontend-ci / push (push) Has been skipped
fix(docker): apk upgrade in production stage to clear inherited CVEs
Trivy's image scan flagged nghttp2-libs CVE-2026-27135 (HTTP/2 DoS),
inherited from nginx:alpine. The fix exists in Alpine's repos
(1.68.1) but the base image's pinned tag is still on 1.68.0-r0.

Run `apk upgrade --no-cache` in the production stage to pull current
security fixes from Alpine, then install gettext as before. This
keeps us current with Alpine security patches independent of how
fast the upstream nginx:alpine tag rebuilds.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 11:43:59 -07:00

32 lines
1.1 KiB
Docker

# --- Dev stage ---
FROM node:22-alpine AS dev
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
EXPOSE 5173
CMD ["npm", "run", "dev", "--", "--host"]
# --- Build stage ---
# No VITE_API_URL build arg: the production image uses runtime config (/config.js)
# rendered at container startup. See docker/40-render-config.sh.
FROM node:22-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
# --- Production stage ---
FROM nginx:alpine AS production
# Pull current security fixes for OS packages inherited from the base image
# (e.g. nghttp2-libs CVE-2026-27135), then install envsubst for runtime config.
RUN apk upgrade --no-cache && apk add --no-cache gettext
COPY --from=build /app/dist /usr/share/nginx/html
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY docker/config.js.template /etc/nginx/templates/config.js.template
COPY docker/40-render-config.sh /docker-entrypoint.d/40-render-config.sh
RUN chmod +x /docker-entrypoint.d/40-render-config.sh
EXPOSE 80
# nginx:alpine's upstream entrypoint runs /docker-entrypoint.d/*.sh then launches nginx.
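The commit relies on `apk upgrade` having actually pulled nghttp2-libs 1.68.1 or later into the production image, and nothing in the Dockerfile verifies that. The script below is an added example, not code from the movieloop-frontend repository: it reads the package list from a built image (`apk info -v` inside the container) and checks the installed nghttp2-libs version against the minimum the commit message cites, using a field-by-field comparison of Alpine's `X.Y.Z-rN` versions rather than a string compare (so `1.68.10-r0` is not mistaken for older than `1.68.9-r0`). The image name, the `MIN_NGHTTP2` floor and the sample package lines are assumptions for illustration; the sample lines are constructed and the non-nghttp2 versions in them are not real.

```sh
#!/bin/sh
# Added example (not part of movieloop-frontend): verify that the rebuilt
# production image carries a patched nghttp2-libs after `apk upgrade`.
#
# Usage:  IMAGE=movieloop-frontend:prod sh check-nghttp2.sh
# Without IMAGE set, the check runs against the constructed sample below.

MIN_NGHTTP2="1.68.1-r0"   # assumed floor; commit message says the fix is in 1.68.1

# Constructed sample of `apk info -v` output (one "name-version-rN" per line).
# Only the nghttp2-libs versions reflect the commit message; the rest are made up.
SAMPLE_PATCHED='musl-1.2.5-r1
nginx-1.27.4-r1
nghttp2-libs-1.68.1-r0
gettext-0.22.5-r0'
SAMPLE_VULN='musl-1.2.5-r1
nginx-1.27.4-r1
nghttp2-libs-1.68.0-r0'

# version_ge A B: exit 0 when Alpine-style version A >= B.
# Splits on "." and "-r" so 1.68.1-r0 becomes the fields 1 68 1 0 and compares
# them numerically, padding a shorter version with zeros. Suffixes such as
# _p1 or _git20240101 are deliberately ignored (they convert to the leading number).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, /[.-]r?/); m = split(b, y, /[.-]r?/)
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# installed_version PKG: read `apk info -v` lines on stdin, print PKG's version.
# Anchors on "PKG-" followed by a digit so that e.g. "nghttp2-libs" does not
# match a line for a package merely starting with "nghttp2".
installed_version() {
  sed -n "s/^$1-\([0-9][^ ]*\)$/\1/p"
}

# check_min_version PKG MIN: stdin = apk info -v output.
# Returns 0 when PKG >= MIN, 1 when older, 2 when not installed at all
# (a missing package is reported separately: it may mean the scan target changed).
check_min_version() {
  v=$(installed_version "$1")
  if [ -z "$v" ]; then
    echo "$1: not installed"
    return 2
  fi
  if version_ge "$v" "$2"; then
    echo "$1: installed $v >= required $2: OK"
    return 0
  fi
  echo "$1: installed $v < required $2: STILL VULNERABLE"
  return 1
}

if [ -n "${IMAGE:-}" ]; then
  # Real check: list packages inside the built image (assumes docker is on PATH).
  docker run --rm "$IMAGE" apk info -v | check_min_version nghttp2-libs "$MIN_NGHTTP2"
else
  printf '%s\n' "$SAMPLE_PATCHED" | check_min_version nghttp2-libs "$MIN_NGHTTP2"
fi
```

Run it as a post-build step in the same CI job that builds the image (before `push`), so an `nginx:alpine` rebuild that drops the package or a future `apk upgrade` that silently fails to reach the Alpine mirror fails the pipeline instead of shipping. Because `apk upgrade` makes the image depend on whatever the mirror serves at build time, this version check is what gives the Trivy result a stable meaning from one build to the next.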