Should frontend/UI build manifests (package.json, package-lock.json) be present in production Python images? #59820
Context / The finding: Upon investigation inside the image, I found:

I noticed that while the 'main' branch has updated package-lock.json to the secure form-data version, the underlying issue remains: why do we ship these files at all? I've little knowledge of the frontend build, but from a runtime perspective, these manifests appear to be "ghost" artifacts. Since node_modules are stripped and the UI is pre-compiled, keeping these files in the production image—even if patched—leaves the door open for future false positives whenever a frontend dependency (that isn't even installed) gets flagged. I am currently planning to patch our internal Docker builds by deleting package.json and package-lock.json to satisfy our security scanners, but I want to make sure I'm not breaking anything critical.
Replies: 4 comments
No. No reason. We should likely remove those.
One thing that might be useful is that we should likely check if our SBOMs will be properly generated if we do that https://airflow.apache.org/docs/apache-airflow/stable/security/sbom.html -> also we should likely make sure SBOMs are attached to generated images. Because of course - those packages are still our dependencies - and if you want to use newer versions of those, you should upgrade to later versions of Airflow - even if package.json is removed - the minified version of those dependencies are still there - no matter if you remove the package-lock files.
(BTW. SBOM is THE way you should check for dependencies included).
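The two points above (the question's "ghost" manifests that sit in an image without a node_modules tree, and the reply's concern that an SBOM must keep listing the bundled npm dependencies whether or not the lockfile ships) can be checked mechanically. The script below is an added example, not Airflow's code and not part of this discussion: it builds a constructed sample image tree (a `www/` directory with a minified bundle and npm manifests but no `node_modules/`), reports manifests with no installed dependency tree beside them, and cross-checks a constructed CycloneDX-style SBOM against the lockfile so that any npm package missing from the SBOM is reported before the manifest is deleted. Package names, versions, directory names and the SBOM contents are all constructed for illustration.

```python
import json
import os
import tempfile
from pathlib import Path

# Constructed sample manifests: a pre-built UI whose npm manifests are still
# shipped while node_modules has been stripped (the situation in the thread).
SAMPLE_PACKAGE_JSON = {
    "name": "example-ui",  # hypothetical project name
    "dependencies": {"form-data": "^4.0.0"},
}
SAMPLE_PACKAGE_LOCK = {
    "name": "example-ui",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"form-data": "^4.0.0"}},
        "node_modules/form-data": {"version": "4.0.0"},    # constructed version
        "node_modules/mime-types": {"version": "2.1.35"},  # constructed version
    },
}
# Constructed CycloneDX-style SBOM that (deliberately) lists only one of the two.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "form-data", "version": "4.0.0",
         "purl": "pkg:npm/form-data@4.0.0"},
    ],
}

MANIFEST_NAMES = {"package.json", "package-lock.json"}


def build_sample_tree(root: Path) -> Path:
    """Write the constructed image layout under root and return the UI dir."""
    ui = root / "www"
    (ui / "static" / "dist").mkdir(parents=True)
    (ui / "static" / "dist" / "main.min.js").write_text("/* minified bundle */")
    (ui / "package.json").write_text(json.dumps(SAMPLE_PACKAGE_JSON))
    (ui / "package-lock.json").write_text(json.dumps(SAMPLE_PACKAGE_LOCK))
    return ui


def find_ghost_manifests(root: Path) -> list[str]:
    """Manifests whose directory has no node_modules/ beside them.

    These describe dependencies that are not installed at runtime, which is
    what makes scanners raise findings on packages that are not really present.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if "node_modules" in dirnames:
            dirnames.remove("node_modules")  # never descend into vendored trees
            continue  # an installed tree exists here: manifest is not a ghost
        for name in filenames:
            if name in MANIFEST_NAMES:
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(hits)


def lock_dependencies(lock: dict) -> dict[str, str]:
    """Name -> version for every package recorded in a lockfileVersion 2/3 file."""
    deps = {}
    for key, entry in lock.get("packages", {}).items():
        if not key:  # the empty key is the root project itself
            continue
        name = key.rsplit("node_modules/", 1)[-1]  # handles nested/scoped keys
        deps[name] = entry.get("version", "")
    return deps


def sbom_npm_components(sbom: dict) -> dict[str, str]:
    """Name -> version of npm components (purl pkg:npm/...) in a CycloneDX SBOM."""
    return {c["name"]: c.get("version", "")
            for c in sbom.get("components", [])
            if c.get("purl", "").startswith("pkg:npm/")}


def missing_from_sbom(lock: dict, sbom: dict) -> list[str]:
    """Lockfile packages the SBOM does not list; these would vanish from view
    if the lockfile were deleted without fixing SBOM generation first."""
    listed = sbom_npm_components(sbom)
    return sorted(n for n in lock_dependencies(lock) if n not in listed)


def check_sample() -> dict:
    """Run all checks against the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ui = build_sample_tree(root)
        ghosts = find_ghost_manifests(root)
        lock = json.loads((ui / "package-lock.json").read_text())
        bundles = [p.name for p in ui.rglob("*.min.js")]
    return {"ghost_manifests": ghosts, "bundles": bundles,
            "missing_from_sbom": missing_from_sbom(lock, SAMPLE_SBOM)}


if __name__ == "__main__":
    print(json.dumps(check_sample(), indent=2))
```

Running it against a real image would mean pointing `find_ghost_manifests` at an extracted filesystem and `missing_from_sbom` at the image's lockfile and attached SBOM; a non-empty `missing_from_sbom` result is the signal that the SBOM pipeline, not the manifest, is what needs fixing first, because the minified bundle still carries those packages after the manifests are gone.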
Converted to issue #59821