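# syntax=docker/dockerfile:1
# =============================================================================
# D1 Database Manager - Cloudflare Workers Deployment
# =============================================================================
# Multi-stage build for optimal image size and security
# Production-ready image: ~150MB
#
# Stages:
#   base    - node:24-alpine with the npm CLI upgraded and its bundled,
#             vulnerable transitive packages replaced. Shared by the two
#             stages below so the patch procedure is written (and maintained)
#             exactly once instead of being duplicated per stage.
#   builder - build toolchain + devDependencies, runs `npm run build`
#   runtime - production dependencies only, built artifacts copied from
#             builder, runs as the unprivileged `app` user
# =============================================================================

# -----------------
# Stage 0: Base
# -----------------
FROM node:24-alpine AS base
WORKDIR /app

# Upgrade npm to fix CVE-2024-21538 (cross-spawn vulnerability).
# NPM_VERSION defaults to "latest" to keep the previous behaviour; pass
# `--build-arg NPM_VERSION=<x.y.z>` for a reproducible build. Note that the
# patch step below assumes the bundled package layout of recent npm releases.
ARG NPM_VERSION=latest
RUN npm install -g "npm@${NPM_VERSION}"

# Patch npm's own dependencies to fix CVE-2025-64756 (glob), CVE-2026-23745, CVE-2026-23950, CVE-2026-24842, CVE-2026-26960 (tar), GHSA-7h2j-956f-4vf2 (@isaacs/brace-expansion), CVE-2026-27903, CVE-2026-27904 (minimatch)
# Recent npm versions bundle vulnerable versions glob@11.0.3, glob@10.4.5 (in node-gyp), tar@7.5.1, @isaacs/brace-expansion@5.0.0, minimatch@10.2.2, picomatch@4.0.3
# We download patched versions first, then replace all vulnerable ones.
#
# Implementation notes:
# - `set -eu`: any failed download, extraction or move aborts the build instead
#   of leaving npm half-patched (the old `&&` chain did this implicitly; in a
#   heredoc it has to be explicit).
# - Each extracted `package/` directory is consumed (moved or removed) before
#   the next tarball is extracted. Previously glob's tree was left in place and
#   tar's archive was extracted *over* it, so stale glob files were shipped
#   inside the tar module directory.
# - A final version check asserts that every replacement actually landed at the
#   path npm resolves it from, so a layout change in a future npm release fails
#   the build loudly rather than silently leaving the vulnerable copy in place.
RUN <<'EOF'
set -eu
NPM_NM=/usr/local/lib/node_modules/npm/node_modules
cd /tmp
npm pack glob@11.1.0 tar@7.5.13 @isaacs/brace-expansion@5.0.1 minimatch@10.2.5 picomatch@4.0.4

# Remove every vulnerable copy first so no stale files survive next to the patched ones.
rm -rf "$NPM_NM/glob" \
       "$NPM_NM/tar" \
       "$NPM_NM/@isaacs/brace-expansion" \
       "$NPM_NM/node-gyp/node_modules/glob" \
       "$NPM_NM/minimatch" \
       "$NPM_NM/tinyglobby/node_modules/picomatch"

# glob: top-level copy, plus (best effort, as before) the nested node-gyp copy.
tar -xzf glob-11.1.0.tgz
cp -r package "$NPM_NM/glob"
(mkdir -p "$NPM_NM/node-gyp/node_modules" && cp -r package "$NPM_NM/node-gyp/node_modules/glob") || true
rm -rf package

tar -xzf tar-7.5.13.tgz
mv package "$NPM_NM/tar"

tar -xzf isaacs-brace-expansion-5.0.1.tgz
mkdir -p "$NPM_NM/@isaacs"
mv package "$NPM_NM/@isaacs/brace-expansion"

tar -xzf minimatch-10.2.5.tgz
mv package "$NPM_NM/minimatch"

tar -xzf picomatch-4.0.4.tgz
mkdir -p "$NPM_NM/tinyglobby/node_modules"
mv package "$NPM_NM/tinyglobby/node_modules/picomatch"

# Verify the patch: fail the build if any path does not carry the expected version.
check() {
  v=$(node -p "require('$NPM_NM/$1/package.json').version")
  [ "$v" = "$2" ] || { echo "npm patch failed: $1 is $v, expected $2" >&2; exit 1; }
}
check glob 11.1.0
check tar 7.5.13
check @isaacs/brace-expansion 5.0.1
check minimatch 10.2.5
check tinyglobby/node_modules/picomatch 4.0.4

cd / && rm -rf /tmp/*
EOF

# -----------------
# Stage 1: Builder
# -----------------
FROM base AS builder

# Build toolchain for native addons (node-gyp). This stage is discarded, so the
# compilers never reach the runtime image. Versions are intentionally left to
# the base image's Alpine release; pin them (pkg=version) if builds must be
# bit-for-bit reproducible.
RUN apk add --no-cache \
    g++ \
    make \
    python3

# Copy dependency manifests first so the install layer is cached until they change.
COPY package*.json ./

# Install ALL dependencies (including devDependencies for build).
RUN npm ci --include=dev

# Copy source code.
# NOTE(review): relies on a .dockerignore that excludes node_modules/, .git/ and
# local secret files such as .env — confirm one exists in the repository.
COPY . .

# Build the application.
RUN npm run build

# -----------------
# Stage 2: Runtime
# -----------------
FROM base AS runtime

# Install runtime dependencies and upgrade to fix CVEs
# Security Notes:
# - Application dependencies: minimatch@10.2.5 (patched via package.json override); overrides for glob@11.1.0, tar@7.5.13, and @isaacs/brace-expansion@5.0.1 are precautionary and may not currently appear in the installed dependency graph.
# - npm CLI bundled dependencies: glob@11.1.0, tar@7.5.13, @isaacs/brace-expansion@5.0.1, minimatch@10.2.5 (manually patched in npm's installation, see the base stage)
# - curl 8.18.0-r0 (from edge): CVE-2025-14819, CVE-2025-14017, CVE-2025-14524 (curl vulnerabilities)
# - busybox: CVE-2025-60876 (wget CRLF injection) - not exploitable (D1 Manager uses curl, not wget)
# - zlib: CVE-2026-22184 (buffer overflow in untgz) - NOT EXPLOITABLE (D1 Manager does not use untgz utility)
# Fix pending: zlib 1.3.1.3 not yet packaged by Alpine (published Jan 7, 2026)
#
# curl 8.18.0 is only available in Alpine edge, so edge/main is registered for
# this one step and removed again at the end of the same layer: the previous
# version left it in /etc/apk/repositories permanently, so any later `apk`
# invocation (derived images, debugging) would silently mix edge into the
# stable release. `apk update` was dropped: `--no-cache` fetches a fresh index
# on its own, and `apk update` only left index files in /var/cache/apk.
# NOTE(review): installing from edge can pull newer library dependencies
# (e.g. musl) into a stable base — worth re-checking when the base tag moves.
RUN <<'EOF'
set -eu
echo "http://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories
apk add --no-cache ca-certificates
apk add --no-cache curl --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main
apk upgrade --no-cache busybox busybox-binsh
sed -i '/alpine\/edge\/main$/d' /etc/apk/repositories
EOF

# Create non-root user for security.
# Note: Alpine Linux uses GID 1000 for 'users' group, so we use a different GID.
# /app is handed to the user here so that dependency installation and the
# artifact copies below can run unprivileged; this replaces the former
# `RUN chown -R app:app /app`, which duplicated every file into an extra layer,
# and it also means package lifecycle scripts no longer execute as root.
RUN addgroup -g 1001 app && \
    adduser -D -u 1001 -G app app && \
    chown app:app /app
USER app

# Copy package files.
COPY --chown=app:app package*.json ./

# Install production dependencies only.
RUN npm ci --omit=dev && \
    npm cache clean --force

# Copy built application from builder.
COPY --from=builder --chown=app:app /app/dist ./dist
COPY --from=builder --chown=app:app /app/worker ./worker

# Expose Wrangler dev server port (documentation only; >1024 so it binds as non-root).
EXPOSE 8787

# Health check (curl is installed above; assumes the app serves /health).
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD curl -f http://localhost:8787/health || exit 1

# Default command: Run Wrangler in development mode.
# Override with specific commands for production deployment.
# NOTE(review): npx runs wrangler as a child process; if signal forwarding on
# `docker stop` proves unreliable, run the container with `--init`.
CMD ["npx", "wrangler", "dev", "--ip", "0.0.0.0", "--port", "8787"]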