
Commit 78a165d

authored
chore: security patches for the dependency chain (hoppscotch#5196)
1 parent 0d4df74 commit 78a165d

3 files changed

+40
-34
lines changed

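--- a/package.json
+++ b/package.json
@@ -53,7 +53,9 @@
 "@babel/runtime@<7.26.10": "7.26.10",
 "apiconnect-wsdl": "2.0.36",
 "@xmldom/xmldom": "0.8.10",
-"[email protected]": "2.0.0"
+"[email protected]": "2.0.1",
+"[email protected]": "2.0.2",
+"[email protected]": "1.1.12"
 },
 "packageExtensions": {
 "@hoppscotch/httpsnippet": {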

pnpm-lock.yaml

Lines changed: 25 additions & 23 deletions

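--- a/prod.Dockerfile
+++ b/prod.Dockerfile
@@ -1,7 +1,7 @@
 # This step is used to build a custom build of Caddy to prevent
 # vulnerable packages on the dependency chain
-FROM alpine:3.21.3 AS caddy_builder
-RUN apk add curl go
+FROM alpine:3.22.0 AS caddy_builder
+RUN apk add curl go git
 
 RUN mkdir -p /tmp/caddy-build
 
@@ -25,6 +25,8 @@ RUN go get github.com/go-jose/go-jose/[email protected]
 RUN go get golang.org/x/[email protected]
 # Patch to resolve CVE-2025-22872 on net
 RUN go get golang.org/x/[email protected]
+# Patch to resolve GHSA-vrw8-fxc6-2r93 on chi
+RUN go get github.com/go-chi/chi/[email protected]
 
 RUN go mod vendor
 
@@ -38,7 +40,7 @@ RUN apk add nodejs curl
 
 # Install NPM from source, as Alpine version is old and has dependency vulnerabilities
 # TODO: Find a better method which is resistant to supply chain attacks
-RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=10.9.2 sh"
+RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"
 
 WORKDIR /usr/src/app
 
@@ -47,7 +49,7 @@ ENV HOPP_ALLOW_RUNTIME_ENV=true
 # Required by @hoppscotch/js-sandbox to build `isolated-vm`
 RUN apk add python3 make g++ zlib-dev brotli-dev c-ares-dev nghttp2-dev openssl-dev icu-dev
 
-RUN npm install -g pnpm@10.2.1
+RUN npm install -g pnpm@10.12.3
 COPY pnpm-lock.yaml .
 RUN pnpm fetch
 
@@ -69,12 +71,12 @@ RUN apk add nodejs curl
 
 # Install NPM from source, as Alpine version is old and has dependency vulnerabilities
 # TODO: Find a better method which is resistant to supply chain attacks
-RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=10.9.2 sh"
+RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"
 
 # Install caddy
 COPY --from=caddy_builder /tmp/caddy-build/cmd/caddy/caddy /usr/bin/caddy
 
-RUN npm install -g pnpm@10.2.1
+RUN npm install -g pnpm@10.12.3
 
 COPY --from=base_builder /usr/src/app/packages/hoppscotch-backend/backend.Caddyfile /etc/caddy/backend.Caddyfile
 COPY --from=backend_builder /dist/backend /dist/backend
@@ -112,7 +114,7 @@ RUN apk add nodejs curl
 
 # Install NPM from source, as Alpine version is old and has dependency vulnerabilities
 # TODO: Find a better method which is resistant to supply chain attacks
-RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=10.9.2 sh"
+RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"
 
 # Install caddy
 COPY --from=caddy_builder /tmp/caddy-build/cmd/caddy/caddy /usr/bin/caddy
@@ -155,7 +157,7 @@ RUN apk add nodejs curl
 
 # Install NPM from source, as Alpine version is old and has dependency vulnerabilities
 # TODO: Find a better method which is resistant to supply chain attacks
-RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=10.9.2 sh"
+RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"
 
 # Install caddy
 COPY --from=caddy_builder /tmp/caddy-build/cmd/caddy/caddy /usr/bin/caddy
@@ -182,7 +184,7 @@ RUN apk add nodejs curl
 
 # Install NPM from source, as Alpine version is old and has dependency vulnerabilities
 # TODO: Find a better method which is resistant to supply chain attacks
-RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=10.9.2 sh"
+RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"
 
 # Caddy install
 COPY --from=caddy_builder /tmp/caddy-build/cmd/caddy/caddy /usr/bin/caddy
@@ -199,7 +201,7 @@ LABEL org.opencontainers.image.source="https://github.com/hoppscotch/hoppscotch"
 
 RUN apk add tini
 
-RUN npm install -g pnpm@10.2.1
+RUN npm install -g pnpm@10.12.3
 
 # Copy necessary files
 # Backend files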
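Review bot: The npm bootstrap `RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"` (repeated in every stage of this file) still fails open after the version bump: without `-f`, an HTTP error body is piped into `sh`, and without pipefail a curl that emits nothing leaves the inner `sh` exiting 0 on empty input, so the `RUN` step succeeds with no npm installed and the failure surfaces only later, if at all. The TODO above each occurrence already concedes that the script is fetched unverified, and bumping `npm_install` does not change that. A minimal hardening that keeps the same mechanism is `RUN sh -o pipefail -c "curl -fsSL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"` (busybox ash on Alpine should accept `-o pipefail`); a stronger one is to download install.sh to a file, compare it against a sha256 pinned in the repo, and only then execute it. The same unpinned pattern applies to the new `RUN apk add curl go git` in the `caddy_builder` stage, where `--no-cache` and explicit package versions (`apk add --no-cache curl=… go=… git=…`) would make the "custom build of Caddy" reproducible rather than dependent on whatever the Alpine index serves at build time.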
