mirror of
https://github.com/ether/etherpad-lite.git
synced 2026-07-17 16:47:05 +00:00
* chore(docker): clear most CVEs in published image — npm/pnpm/uuid + drop curl Cuts published-image vulnerabilities from 18 (4H/13M/1L) across 8 packages to 12 (2H/9M/1L) across 3 packages. The remaining three (curl/libcurl, git, busybox) are all upstream Alpine 3.23 packages with "not fixed" status — libcurl is pulled in transitively by git and cannot be removed independently. Changes: - Provision pnpm via corepack instead of `npm install -g pnpm`, then remove the bundled npm. The base image's npm@10.9.7 ships old transitives (picomatch 4.0.3 → CVE-2026-33671/33672, brace-expansion 2.0.2 → CVE-2026-33750) that we don't otherwise need at runtime; corepack handles pnpm directly without npm. Fixes 1H + 1M. - Bump PnpmVersion 10.28.2 → 10.33.2 to align with the rest of the workflow and pull in pnpm's patched bundled brace-expansion (5.0.5 vs 5.0.4). Fixes 1M. - Add `uuid@<14.0.0` → `>=14.0.0` to pnpm.overrides (GHSA-w5hq-g745-h8pq). Fixes 1M. - Drop `curl` from the runtime apk add list and switch HEALTHCHECK to wget (busybox built-in). curl was only invoked by the healthcheck and by dev/CI scripts that don't run in the container. Removes the curl CLI binary; libcurl remains as a git transitive dep, so the `apk/alpine/curl` advisories scout reports against libcurl persist but aren't reachable from any code we ship. As a side-effect this also clears nghttp2 (CVE-2026-27135) which was a curl-CLI dep. - Switch HEALTHCHECK URL from `localhost` to `127.0.0.1` — alpine/musl resolves localhost to ::1 first and Etherpad only binds IPv4. Verified locally: docker build → docker run → healthy → docker scout cves shows 12 CVEs / 3 packages. * fix(docker): refresh corepack before preparing pnpm (Qodo) Node 22's bundled corepack ships a stale signing-key list and can reject newer pnpm releases (nodejs/corepack#612), which would fail the image build at `corepack prepare`. Mirror the snap/snapcraft.yaml workaround: `npm install -g corepack@latest` before activating pnpm, in both adminbuild and build stages. npm is still removed afterwards. * docs(changelog): note docker image dropping curl/npm/npx (Qodo) Address Qodo's "backwards-incompatible change without mitigation" rule violations by documenting the removal in the 2.7.3 breaking-changes section. Operators who exec into the container can apk add curl on demand or use the busybox wget / pnpm already present. * chore: pnpm * chore: pnpm * chore: pnpm * chore: pnpm * chore: pnpm * chore: pnpm * chore: pnpm * chore: pnpm * chore: pnpm --------- Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
40 lines
1.4 KiB
YAML
40 lines
1.4 KiB
YAML
packages:
|
|
- src
|
|
- admin
|
|
- bin
|
|
- doc
|
|
- ui
|
|
allowBuilds:
|
|
'@scarf/scarf': set this to true or false
|
|
esbuild: set this to true or false
|
|
# Explicitly ignore build scripts we don't want to run. Listing them here
|
|
# stops pnpm from failing with ERR_PNPM_IGNORED_BUILDS when they're
|
|
# encountered as transitive deps (e.g. scarf pulled in via swagger-ui-dist).
|
|
ignoredBuiltDependencies:
|
|
- '@scarf/scarf'
|
|
onlyBuiltDependencies:
|
|
- esbuild
|
|
# Belt-and-suspenders: even if a fresh transitive dep slips through with a
|
|
# postinstall script, downgrade to a warning so CI doesn't break for
|
|
# downstream plugin repos that pull etherpad-lite as their core install.
|
|
strictDepBuilds: false
|
|
# As of pnpm 11, overrides must live here (root package.json's pnpm.overrides
|
|
# is no longer read). Force-bump transitive deps with known CVEs.
|
|
overrides:
|
|
basic-ftp: '>=5.3.0'
|
|
brace-expansion@>=2.0.0 <2.0.3: '>=2.0.3'
|
|
diff@>=6.0.0 <8.0.3: '>=8.0.3'
|
|
flatted: '>=3.4.2'
|
|
follow-redirects: '>=1.16.0'
|
|
glob@>=10.2.0 <10.5.0: '>=10.5.0'
|
|
js-yaml@>=4.0.0 <4.1.1: '>=4.1.1'
|
|
lodash: '>=4.18.0'
|
|
minimatch@>=9.0.0 <9.0.7: '>=9.0.7'
|
|
path-to-regexp@>=8.0.0 <8.4.0: '>=8.4.0'
|
|
picomatch@>=4.0.0 <4.0.4: '>=4.0.4'
|
|
qs@>=6.7.0 <6.14.2: '>=6.14.2'
|
|
serialize-javascript@<7.0.5: '>=7.0.5'
|
|
socket.io-parser@>=4.0.0 <4.2.6: '>=4.2.6'
|
|
tar@<7.5.11: '>=7.5.11'
|
|
uuid@<14.0.0: '>=14.0.0'
|
|
vite@>=7.0.0 <7.3.2: '>=7.3.2'
|