Merged
86 changes: 35 additions & 51 deletions Dockerfile
@@ -1,63 +1,47 @@
FROM node:24.13.0-alpine3.23
FROM node:25.6.1-slim
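Review bot: The new base image is referenced by tag only (`FROM node:25.6.1-slim`); pin it by digest (`FROM node:25.6.1-slim@sha256:<digest-placeholder>`) so rebuilds are reproducible and the scan findings this change reacts to stay attached to a known image. Moving from `alpine3.23` to the Debian-based `slim` variant also changes the OS package set and therefore the scanner's findings, so re-run the AWS Inspector scan against the new image rather than carrying over the path list from the old one.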

Copilot AI Mar 11, 2026


The base image was changed to Node 25.6.1, but CI runs tests on Node 22.x (see .github/workflows/test.yml). This version mismatch can lead to “works in CI, breaks in prod” (and Node 25 is non‑LTS). Consider aligning the Docker base image with the CI/runtime Node version (or updating CI and/or declaring engines.node in package.json).

Suggested change
FROM node:25.6.1-slim
FROM node:22-slim


ENV PORT 8080
ENV NODE_ENV production

# Fix CVE-2025-64756: Patch glob in npm's system installation
# Vulnerable paths found by AWS Inspector:
# - /usr/local/lib/node_modules/npm/node_modules/glob/
# - /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob/
# Fix CVE-2026-23745 and CVE-2026-23950: Patch tar in npm's system installation
# Vulnerable paths found by AWS Inspector:
# - /usr/local/lib/node_modules/npm/node_modules/tar/
# - /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/tar/
RUN npm install -g npm@latest && \
cd /tmp && \
# Download safe glob version once
npm pack glob@11.1.0 && \
# Download safe tar version (7.5.4 fixes both CVEs)
npm pack tar@7.5.4 && \
# Patch glob in npm's direct dependencies
if [ -d "/usr/local/lib/node_modules/npm/node_modules/glob" ]; then \
tar -xzf glob-11.1.0.tgz && \
rm -rf /usr/local/lib/node_modules/npm/node_modules/glob && \
mv package /usr/local/lib/node_modules/npm/node_modules/glob && \
rm -f glob-11.1.0.tgz; \
fi && \
# Patch glob in node-gyp's dependencies (download again for second location)
if [ -d "/usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob" ]; then \
npm pack glob@11.1.0 && \
tar -xzf glob-11.1.0.tgz && \
rm -rf /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob && \
mv package /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob && \
rm -f glob-11.1.0.tgz; \
fi && \
# Patch tar in npm's direct dependencies
if [ -d "/usr/local/lib/node_modules/npm/node_modules/tar" ]; then \
tar -xzf tar-7.5.4.tgz && \
rm -rf /usr/local/lib/node_modules/npm/node_modules/tar && \
mv package /usr/local/lib/node_modules/npm/node_modules/tar && \
rm -f tar-7.5.4.tgz; \
fi && \
# Patch tar in node-gyp's dependencies (download again for second location)
if [ -d "/usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/tar" ]; then \
npm pack tar@7.5.4 && \
tar -xzf tar-7.5.4.tgz && \
rm -rf /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/tar && \
mv package /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/tar && \
rm -f tar-7.5.4.tgz; \
fi && \
rm -rf /tmp/package /tmp/glob-* /tmp/tar-* 2>/dev/null || true
# Upgrade npm to latest version to address CVE-2026-0775 (npm 11.8.0 vulnerability)
RUN npm install -g npm@latest

# Update tar to 7.5.8 to fix CVE in npm's bundled tar (7.5.4)
RUN mkdir -p /tmp/tar-update && \
cd /tmp/tar-update && \
npm init -y && \
npm install tar@7.5.8 --legacy-peer-deps && \
rm -rf /usr/local/lib/node_modules/npm/node_modules/tar && \
cp -r node_modules/tar /usr/local/lib/node_modules/npm/node_modules/ && \
rm -rf /tmp/tar-update

# Fix CVE GHSA-7h2j-956f-4vf2: Update @isaacs/brace-expansion from 5.0.0 to 5.0.1 in npm's node_modules
RUN mkdir -p /tmp/brace-expansion-update && \
cd /tmp/brace-expansion-update && \
npm init -y && \
npm install @isaacs/brace-expansion@5.0.1 --legacy-peer-deps && \
rm -rf /usr/local/lib/node_modules/npm/node_modules/@isaacs/brace-expansion && \
cp -r node_modules/@isaacs/brace-expansion /usr/local/lib/node_modules/npm/node_modules/@isaacs/ && \
rm -rf /tmp/brace-expansion-update

# Fix minimatch vulnerability: Update npm's bundled minimatch from 10.1.2 to 10.2.1 (and deps: brace-expansion, balanced-match)
RUN mkdir -p /tmp/minimatch-update && \
cd /tmp/minimatch-update && \
npm init -y && \
npm install minimatch@10.2.1 --legacy-peer-deps && \
rm -rf /usr/local/lib/node_modules/npm/node_modules/minimatch && \
cp -r node_modules/minimatch /usr/local/lib/node_modules/npm/node_modules/ && \
rm -rf /usr/local/lib/node_modules/npm/node_modules/brace-expansion && \
cp -r node_modules/brace-expansion /usr/local/lib/node_modules/npm/node_modules/ && \
rm -rf /usr/local/lib/node_modules/npm/node_modules/balanced-match && \
cp -r node_modules/balanced-match /usr/local/lib/node_modules/npm/node_modules/ && \
rm -rf /tmp/minimatch-update
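Review bot: The replacement `RUN mkdir -p /tmp/tar-update ...` blocks drop two things the removed block had: the nested `node-gyp/node_modules/tar` and `node-gyp/node_modules/glob` paths that the removed comments list as Inspector findings are no longer touched (the new `cp -r` targets only `npm/node_modules/`), and the `if [ -d ... ]` guards are gone. Because the preceding `npm install -g npm@latest` is unpinned, the tree being overwritten can change between builds with no failure signal, and the tar block copies only `node_modules/tar` while the minimatch block also copies its dependencies, so tar's own dependencies resolve against whatever already sits in npm's tree. Add a check after the copies that fails the build when the expected version is not in place, for example `node -e "const v=require('/usr/local/lib/node_modules/npm/node_modules/tar/package.json').version; if (v !== '7.5.8') process.exit(1)"`, and either re-add the nested node-gyp paths or confirm with a fresh scan that they no longer exist.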

Comment on lines +6 to 39

Copilot AI Mar 11, 2026


The Dockerfile is directly replacing packages inside npm’s own installation directory (e.g., /usr/local/lib/node_modules/npm/node_modules/...). This is brittle because npm’s internal dependency layout can change across npm releases (and you’re also installing npm@latest), which can silently reintroduce vulnerabilities or break npm behavior. Prefer selecting a base image/npm version that already includes the patched transitive deps, or pin npm to a known-good version and add a verification step (e.g., npm --version / checking the patched package versions) so the build fails if the expected paths/versions aren’t present.

Suggested change
# Upgrade npm to latest version to address CVE-2026-0775 (npm 11.8.0 vulnerability)
RUN npm install -g npm@latest
# Update tar to 7.5.8 to fix CVE in npm's bundled tar (7.5.4)
RUN mkdir -p /tmp/tar-update && \
cd /tmp/tar-update && \
npm init -y && \
npm install tar@7.5.8 --legacy-peer-deps && \
rm -rf /usr/local/lib/node_modules/npm/node_modules/tar && \
cp -r node_modules/tar /usr/local/lib/node_modules/npm/node_modules/ && \
rm -rf /tmp/tar-update
# Fix CVE GHSA-7h2j-956f-4vf2: Update @isaacs/brace-expansion from 5.0.0 to 5.0.1 in npm's node_modules
RUN mkdir -p /tmp/brace-expansion-update && \
cd /tmp/brace-expansion-update && \
npm init -y && \
npm install @isaacs/brace-expansion@5.0.1 --legacy-peer-deps && \
rm -rf /usr/local/lib/node_modules/npm/node_modules/@isaacs/brace-expansion && \
cp -r node_modules/@isaacs/brace-expansion /usr/local/lib/node_modules/npm/node_modules/@isaacs/ && \
rm -rf /tmp/brace-expansion-update
# Fix minimatch vulnerability: Update npm's bundled minimatch from 10.1.2 to 10.2.1 (and deps: brace-expansion, balanced-match)
RUN mkdir -p /tmp/minimatch-update && \
cd /tmp/minimatch-update && \
npm init -y && \
npm install minimatch@10.2.1 --legacy-peer-deps && \
rm -rf /usr/local/lib/node_modules/npm/node_modules/minimatch && \
cp -r node_modules/minimatch /usr/local/lib/node_modules/npm/node_modules/ && \
rm -rf /usr/local/lib/node_modules/npm/node_modules/brace-expansion && \
cp -r node_modules/brace-expansion /usr/local/lib/node_modules/npm/node_modules/ && \
rm -rf /usr/local/lib/node_modules/npm/node_modules/balanced-match && \
cp -r node_modules/balanced-match /usr/local/lib/node_modules/npm/node_modules/ && \
rm -rf /tmp/minimatch-update
# Pin npm to a specific version that includes the required security fixes.
# Avoid manually modifying npm's internal node_modules tree, which is brittle
# and may break when npm's internal layout changes.
RUN npm install -g npm@11.9.0 && npm --version

WORKDIR /usr/src/app

COPY package*.json ./

RUN npm ci && \
# Ensure project-level glob is also safe
npm install glob@^11.1.0 --no-save || npm install glob@^10.5.0 --no-save || true && \
# Ensure project-level tar is also safe (fixes CVE-2026-23745 and CVE-2026-23950)
npm install tar@^7.5.4 --no-save || true
RUN npm ci --omit=dev

COPY --chown=node:node . .
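Review bot: Replacing the `npm ci && npm install glob@^11.1.0 --no-save || ... || true` chain with `npm ci --omit=dev` is the right direction: the removed line installed unlocked versions outside the lockfile and the trailing `|| true` suppressed any failure, so the build could never tell whether the project-level glob/tar fix had applied. The requirement it was trying to meet now has nowhere to live, though; pin the fixed glob and tar versions in package.json (an `overrides` entry) so that package-lock.json carries them and `npm ci` enforces them, and let CI run the scanner against the built image to confirm.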
