# =============================================================================
# Cloudflare Durable Object Manager - Docker Deployment
# =============================================================================
# Multi-stage build for optimal image size and security
# Production-ready image: ~150MB
# =============================================================================
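# -----------------------------------------------------------------------------
# Stage 0: Hardened base (shared by builder and runtime)
# -----------------------------------------------------------------------------
# The builder and runtime stages used to repeat the same apk/npm hardening
# block verbatim. Doing it once here guarantees both stages carry identical
# patch levels and halves the maintenance surface when a version is bumped.
#
# NODE_IMAGE: base image tag; keep it on a fixed tag (ideally a digest) so the
#             CVE notes below remain meaningful across rebuilds.
# NPM_VERSION: version passed to `npm install -g npm@...`. Defaults to the
#             original behaviour ("latest"); pass --build-arg NPM_VERSION=x.y.z
#             for a reproducible build.
ARG NODE_IMAGE=node:24-alpine
ARG NPM_VERSION=latest

FROM ${NODE_IMAGE} AS base
# Re-declare so the pre-FROM ARG is visible inside this stage
ARG NPM_VERSION
WORKDIR /app
# Upgrade Alpine packages to fix CVE-2025-46394 & CVE-2024-58251 (busybox 1.37.0-r19 -> 1.37.0-r20)
# Also upgrade c-ares to fix CVE-2025-62408 (1.34.5-r0 -> 1.34.6-r0)
RUN apk upgrade --no-cache && \
    apk add --no-cache --upgrade c-ares
# Upgrade npm to fix CVE-2024-21538 (cross-spawn vulnerability)
RUN npm install -g "npm@${NPM_VERSION}"
# Patch npm's own dependencies (P111 - keep versions in sync with package.json overrides)
# npm bundles vulnerable versions of glob, tar, minimatch, and picomatch.
# Tarballs come from the registry via `npm pack` (integrity-checked by npm);
# everything is staged under /tmp and removed in the same RUN so nothing
# extra persists in the layer. The node-gyp copy of glob is best-effort
# (`|| true`) because not every npm release ships a nested node-gyp/node_modules/glob.
RUN cd /tmp && \
    npm pack glob@13.0.6 && \
    npm pack tar@7.5.13 && \
    npm pack minimatch@10.2.5 && \
    npm pack picomatch@4.0.4 && \
    rm -rf /usr/local/lib/node_modules/npm/node_modules/glob && \
    rm -rf /usr/local/lib/node_modules/npm/node_modules/tar && \
    rm -rf /usr/local/lib/node_modules/npm/node_modules/minimatch && \
    rm -rf /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob && \
    rm -rf /usr/local/lib/node_modules/npm/node_modules/tinyglobby/node_modules/picomatch && \
    tar -xzf glob-13.0.6.tgz && \
    cp -r package /usr/local/lib/node_modules/npm/node_modules/glob && \
    (mkdir -p /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules && \
     cp -r package /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob || true) && \
    rm -rf package && \
    tar -xzf tar-7.5.13.tgz && \
    mv package /usr/local/lib/node_modules/npm/node_modules/tar && \
    tar -xzf minimatch-10.2.5.tgz && \
    mv package /usr/local/lib/node_modules/npm/node_modules/minimatch && \
    tar -xzf picomatch-4.0.4.tgz && \
    mkdir -p /usr/local/lib/node_modules/npm/node_modules/tinyglobby/node_modules && \
    mv package /usr/local/lib/node_modules/npm/node_modules/tinyglobby/node_modules/picomatch && \
    rm -rf /tmp/*

# -----------------
# Stage 1: Builder
# -----------------
FROM base AS builder
# Native-addon toolchain (node-gyp) needed only while installing devDependencies.
# Versions are left unpinned as in the original; pin them (pkg=ver-rN) once the
# exact Alpine revisions are known.
RUN apk add --no-cache \
    g++ \
    make \
    python3
# Dependency manifests first so the npm ci layer stays cached until they change
COPY package*.json ./
# Install ALL dependencies (including devDependencies for build)
RUN npm ci --include=dev
# Copy source code. Relies on a .dockerignore that excludes node_modules, .git
# and local secret files (.env, .dev.vars) — confirm one exists in the repo.
COPY . .
# Build the application
RUN npm run build

# -----------------
# Stage 2: Runtime
# -----------------
FROM base AS runtime
# Install runtime dependencies only
# Security Notes:
# - Application runtime dependencies: see package-lock.json (devDependencies, including any minimatch usage, are not installed due to `npm ci --omit=dev`)
# - npm CLI bundled dependencies: glob@13.0.6, tar@7.5.13, minimatch@10.2.5, picomatch@4.0.4 (npm's own deps, manually patched via P111)
# - minimatch ReDoS: GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74 (fixed >= 10.2.3)
# - rollup path traversal: GHSA-mw96-cpmx-2vgc (fixed >= 4.59.0 via npm audit fix)
# - busybox CVE-2025-46394 & CVE-2024-58251 fixed via apk upgrade
# - c-ares CVE-2025-62408 fixed via explicit upgrade
# curl is required by the HEALTHCHECK below; ca-certificates for outbound TLS.
RUN apk add --no-cache \
    ca-certificates \
    curl
# Create non-root user for security
# Note: Alpine Linux uses GID 1000 for 'users' group, so we use a different GID
# /app (created by WORKDIR in the base stage) is handed to the user while it is
# still empty, so no recursive chown over the populated tree is needed later.
RUN addgroup -g 1001 app && \
    adduser -D -u 1001 -G app app && \
    chown app:app /app
# Copy package files, already owned by the runtime user
COPY --chown=app:app package*.json ./
# Drop privileges *before* installing: dependency lifecycle scripts then run
# unprivileged, node_modules is created with the right owner, and the former
# `RUN chown -R app:app /app` (which duplicated every file into a new layer)
# is no longer necessary. The global npm upgrade above still ran as root.
USER app
# Install production dependencies only
RUN npm ci --omit=dev && \
    npm cache clean --force
# Copy built application from builder (COPY itself runs as root; --chown sets the owner)
COPY --from=builder --chown=app:app /app/dist ./dist
COPY --from=builder --chown=app:app /app/worker ./worker
COPY --from=builder --chown=app:app /app/wrangler.toml.example ./wrangler.toml.example
# Expose Wrangler dev server port
EXPOSE 8787
# Health check (-sS: quiet on success, still reports errors to the container log)
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD curl -fsS http://localhost:8787/health || exit 1
# Default command: Run Wrangler in development mode
# Override with specific commands for production deployment
# NOTE(review): npx resolves wrangler from node_modules/.bin. If wrangler is
# only a devDependency it is absent after `npm ci --omit=dev` and npx would try
# to fetch it at container start — verify against package.json.
CMD ["npx", "wrangler", "dev", "--ip", "0.0.0.0", "--port", "8787"]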