etherpad-lite/snap/snapcraft.yaml
John McLear 958590d1c8
chore(docker): clear most CVEs in published image (npm/pnpm/uuid + drop curl) (#7674)
* chore(docker): clear most CVEs in published image — npm/pnpm/uuid + drop curl

Cuts published-image vulnerabilities from 18 (4H/13M/1L) across 8 packages
to 12 (2H/9M/1L) across 3 packages. The remaining three (curl/libcurl,
git, busybox) are all upstream Alpine 3.23 packages with "not fixed"
status — libcurl is pulled in transitively by git and cannot be
removed independently.

Changes:

- Provision pnpm via corepack instead of `npm install -g pnpm`, then
  remove the bundled npm. The base image's npm@10.9.7 ships old
  transitives (picomatch 4.0.3 → CVE-2026-33671/33672, brace-expansion
  2.0.2 → CVE-2026-33750) that we don't otherwise need at runtime;
  corepack handles pnpm directly without npm. Fixes 1H + 1M.

- Bump PnpmVersion 10.28.2 → 10.33.2 to align with the rest of the
  workflow and pull in pnpm's patched bundled brace-expansion (5.0.5
  vs 5.0.4). Fixes 1M.

- Add `uuid@<14.0.0` → `>=14.0.0` to pnpm.overrides
  (GHSA-w5hq-g745-h8pq). Fixes 1M.

- Drop `curl` from the runtime apk add list and switch HEALTHCHECK to
  wget (busybox built-in). curl was only invoked by the healthcheck and
  by dev/CI scripts that don't run in the container. Removes the curl
  CLI binary; libcurl remains as a git transitive dep, so the
  `apk/alpine/curl` advisories scout reports against libcurl persist
  but aren't reachable from any code we ship. As a side-effect this
  also clears nghttp2 (CVE-2026-27135) which was a curl-CLI dep.

- Switch HEALTHCHECK URL from `localhost` to `127.0.0.1` — alpine/musl
  resolves localhost to ::1 first and Etherpad only binds IPv4.

Verified locally: docker build → docker run → healthy → docker scout
cves shows 12 CVEs / 3 packages.

* fix(docker): refresh corepack before preparing pnpm (Qodo)

Node 22's bundled corepack ships a stale signing-key list and can reject
newer pnpm releases (nodejs/corepack#612), which would fail the image
build at `corepack prepare`. Mirror the snap/snapcraft.yaml workaround:
`npm install -g corepack@latest` before activating pnpm, in both
adminbuild and build stages. npm is still removed afterwards.

* docs(changelog): note docker image dropping curl/npm/npx (Qodo)

Address Qodo's "backwards-incompatible change without mitigation" rule
violations by documenting the removal in the 2.7.3 breaking-changes
section. Operators who exec into the container can apk add curl on
demand or use the busybox wget / pnpm already present.

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

---------

Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
2026-05-06 22:00:13 +02:00

162 lines
5.8 KiB
YAML

# snap/snapcraft.yaml — Snap recipe for Etherpad
#
# Design notes:
# - base: core24 chosen because Etherpad requires Node.js >= 20 and
# core24 (Ubuntu 24.04 LTS) ships glibc/OpenSSL versions matching modern
# Node 20/22 binaries. core22 also works but ships older TLS/CA bundles.
# - confinement: strict. Etherpad is a pure Node.js HTTP service. The only
# native Node module (`rusty-store-kv`) ships as a prebuilt napi-rs
# binary, so no node-gyp compile is performed at install time and
# strict confinement works cleanly.
# - We use `dump` + a manual override-build (rather than the npm plugin)
# because this repo is a pnpm workspace and we pin Node.js 22 manually.
name: etherpad
title: Etherpad
summary: Real-time collaborative document editor
description: |
Etherpad is a highly customizable open-source online editor providing
collaborative editing in real-time. This snap bundles Etherpad with a
pinned Node.js 22 runtime. On first launch a default `settings.json`
is copied into `$SNAP_COMMON/etc` where it can be edited. Pad data is
stored in `$SNAP_COMMON/var` and survives snap refreshes.
Default listen port: 9001.
Upstream: https://etherpad.org
Source: https://github.com/ether/etherpad
license: Apache-2.0
website: https://etherpad.org
source-code: https://github.com/ether/etherpad
issues: https://github.com/ether/etherpad/issues
contact: https://etherpad.org/#community
adopt-info: etherpad
grade: stable
confinement: strict
base: core24
compression: lzo
platforms:
amd64:
arm64:
apps:
# Bare app name matches the snap name → users invoke it as plain `etherpad`.
etherpad:
command: bin/etherpad-service
daemon: simple
install-mode: enable
restart-condition: on-failure
plugs:
- network
- network-bind
environment:
HOME: $SNAP_DATA
NODE_ENV: production
# PORT/IP are env-substituted into settings.json on first run and
# overridden by the wrapper from `snap set etherpad port=…` / `ip=…`.
PORT: "9001"
IP: "0.0.0.0"
healthcheck:
command: bin/etherpad-healthcheck-wrapper
plugs:
- network
cli:
command: bin/etherpad-cli
plugs:
- network
- network-bind
parts:
etherpad:
plugin: dump
source: .
source-type: local
build-packages:
- curl
- ca-certificates
- git
- python3
- build-essential
stage-packages:
- ca-certificates
- libstdc++6
- openssl
override-pull: |
craftctl default
VERSION="$(grep -m1 '"version"' src/package.json | sed -E 's/.*"([^"]+)".*/\1/')"
craftctl set version="${VERSION}"
override-build: |
set -eu
# -- 1. Install Node.js 22 from the official tarball. Must be >=22.13
# because pnpm 11 hard-rejects older 22.x releases.
NODE_VERSION=22.22.2
ARCH="$(dpkg --print-architecture)"
case "${ARCH}" in
amd64) NODE_ARCH=x64 ;;
arm64) NODE_ARCH=arm64 ;;
*) echo "Unsupported arch ${ARCH}"; exit 1 ;;
esac
NODE_TGZ="node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz"
curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/${NODE_TGZ}" \
-o "/tmp/${NODE_TGZ}"
mkdir -p "${CRAFT_PART_INSTALL}/opt/node"
tar -xJf "/tmp/${NODE_TGZ}" -C "${CRAFT_PART_INSTALL}/opt/node" \
--strip-components=1
export PATH="${CRAFT_PART_INSTALL}/opt/node/bin:${PATH}"
# -- 2. Install pnpm via corepack. The corepack version bundled with
# Node 22.12 ships a stale signing-key list and rejects newer pnpm
# releases (nodejs/corepack#612), so refresh corepack itself first.
"${CRAFT_PART_INSTALL}/opt/node/bin/npm" install \
--prefix "${CRAFT_PART_INSTALL}/opt/node" -g corepack@latest
corepack enable --install-directory "${CRAFT_PART_INSTALL}/opt/node/bin"
corepack prepare pnpm@11.0.6 --activate
# -- 3. Copy source into install dir and build.
APP_DIR="${CRAFT_PART_INSTALL}/opt/etherpad"
mkdir -p "${APP_DIR}"
cp -a "${CRAFT_PART_SRC}/." "${APP_DIR}/"
cd "${APP_DIR}"
pnpm install --frozen-lockfile --prod=false
pnpm run build:etherpad
# Strip dev deps to shrink the payload. `pnpm prune --prod` walks
# every workspace symlink and can deadlock on cross-referenced
# packages — wipe node_modules and reinstall prod-only instead;
# pnpm resolves the smaller graph from cache in a fraction of the
# time and the result is byte-identical to a clean prod install.
find . -type d -name node_modules -prune -exec rm -rf {} +
pnpm install --prod --frozen-lockfile --ignore-scripts
rm -rf .git tests/frontend-new/.cache \
src/tests/frontend-new/test-results || true
# -- 4. Etherpad's plugin installer writes installed_plugins.json
# under its own install dir's var/ at runtime
# (src/static/js/pluginfw/installer.ts uses __dirname, which
# resolves to an absolute path inside the read-only snap squashfs).
# snap layouts can't redirect __dirname-relative paths, so replace
# the shipped var/ dir with a symlink into $SNAP_COMMON instead;
# the kernel transparently resolves the symlink to writable storage
# that survives `snap refresh`. The wrapper mkdirs the target.
rm -rf "${APP_DIR}/var"
ln -s /var/snap/etherpad/common/etherpad-app-var "${APP_DIR}/var"
# -- 5. Install wrappers.
install -Dm755 "${CRAFT_PROJECT_DIR}/snap/local/bin/etherpad-service" \
"${CRAFT_PART_INSTALL}/bin/etherpad-service"
install -Dm755 "${CRAFT_PROJECT_DIR}/snap/local/bin/etherpad-healthcheck-wrapper" \
"${CRAFT_PART_INSTALL}/bin/etherpad-healthcheck-wrapper"
install -Dm755 "${CRAFT_PROJECT_DIR}/snap/local/bin/etherpad-cli" \
"${CRAFT_PART_INSTALL}/bin/etherpad-cli"
hooks:
configure:
plugs:
- network