fix(release): harden v0.9 image bases#341
Conversation
Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
|
Maintainer security review record:
Security review result: approve this prerequisite after required CI completes. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9cfa7a2c40
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| RUN rm -rf /usr/local/lib/node_modules/npm \ | ||
| && rm -f /usr/local/bin/npm /usr/local/bin/npx |
There was a problem hiding this comment.
Exclude npm from final image layers
For the release image pushed from this Dockerfile, deleting /usr/local/lib/node_modules/npm in a later RUN step only adds whiteouts over files that already came from the node:22-bookworm-slim base layer. The npm package tree is still present in the distributed image blobs and can be recovered or reported by scanners that inspect all layers, so this does not actually keep npm out of the image as the hardening comment requires. Build the final stage from a base/layer that never contains npm, or copy only the needed Node runtime files into a fresh final stage.
Useful? React with 👍 / 👎.
Summary
Refresh the pinned Node 22 and distroless Debian 12 runtime bases used by the v0.9 release images.
Remove npm and npx from the source-adapter sidecar image. The runtime invokes Node.js directly for the bundled mock registry server and never installs packages, so retaining npm only expands the release image and its advisory surface.
Why
The beta-11 release-candidate Grype pass found high-severity advisories with available fixes in the old Relay base and in npm packages bundled into the sidecar base. Release policy requires fixing patched same-major dependencies before the prepare release PR merges.
Verification
This PR must merge before #340 is refreshed and merged.