fix: updated docker base image to node:20-alpine3.21 #733
Conversation
|
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 9198067 | Triggered | Generic Password | dfee797 | docker-compose.yml | View secret |
| 9198067 | Triggered | Generic Password | dfee797 | docker-compose.dev.yml | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secrets safely. Learn here the best practices.
- Revoke and rotate these secrets.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
|
Warning There were issues while running some tools. Please review the errors and either fix the tool’s configuration or disable the tool if it’s a critical failure. 🔧 eslint
apps/webapp/src/app/(Dashboard)/api-keys/page.tsxOops! Something went wrong! :( ESLint: 8.57.0 ESLint couldn't find the config "next/core-web-vitals" to extend from. Please check that the name of the config is correct. The config "next/core-web-vitals" was referenced from the config file in "/apps/webapp/.eslintrc.json". If you still have problems, please stop by https://eslint.org/chat/help to chat with the team. 📝 WalkthroughWalkthroughThe changes involve updates to multiple Dockerfiles across the web application and API packages. The primary modification is the upgrade of the base image from Changes
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 14
🧹 Outside diff range comments (1)
packages/api/Dockerfile.pnpm-installer (1)
Line range hint
23-29: Fix environment variable inconsistency.There's an inconsistency between the declared and used environment variables:
PACKAGEis declared but never usedPACKAGE_NAMEis used but not explicitly declared-# Set environment variable -ENV PACKAGE="$PACKAGE" +# Set environment variable for package installation +ENV PACKAGE_NAME="$PACKAGE_NAME"🧰 Tools
🪛 Hadolint (2.12.0)
[warning] 11-11: Pin versions in apk add. Instead of
apk add <package>useapk add <package>=<version>(DL3018)
[info] 12-12: Multiple consecutive
RUNinstructions. Consider consolidation.(DL3059)
📜 Review details
Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
⛔ Files ignored due to path filters (3)
docker-compose.dev.ymlis excluded by!**/*.ymldocker-compose.source.ymlis excluded by!**/*.ymldocker-compose.ymlis excluded by!**/*.yml
📒 Files selected for processing (10)
apps/webapp/Dockerfile(3 hunks)apps/webapp/Dockerfile.dev(1 hunks)apps/webapp/Dockerfile.slim(1 hunks)apps/webapp/src/app/(Dashboard)/api-keys/page.tsx(1 hunks)packages/api/Dockerfile(3 hunks)packages/api/Dockerfile.dev(1 hunks)packages/api/Dockerfile.pnpm-build(1 hunks)packages/api/Dockerfile.pnpm-installer(1 hunks)packages/api/Dockerfile.pnpm-lint(1 hunks)packages/api/Dockerfile.validate-connectors(1 hunks)
🧰 Additional context used
🪛 Hadolint (2.12.0)
packages/api/Dockerfile.dev
[warning] 6-6: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
packages/api/Dockerfile.validate-connectors
[warning] 11-11: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
packages/api/Dockerfile.pnpm-build
[warning] 11-11: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
apps/webapp/Dockerfile.dev
[warning] 6-6: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
packages/api/Dockerfile.pnpm-lint
[warning] 11-11: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
packages/api/Dockerfile.pnpm-installer
[warning] 11-11: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
packages/api/Dockerfile
[warning] 6-6: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
[warning] 22-22: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
[warning] 45-45: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
apps/webapp/Dockerfile
[warning] 7-7: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
[warning] 26-26: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
[warning] 64-64: Use arguments JSON notation for CMD and ENTRYPOINT arguments
(DL3025)
apps/webapp/Dockerfile.slim
[warning] 4-4: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
[info] 4-4: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
[warning] 8-8: Pin versions in npm. Instead of npm install <package> use npm install <package>@<version>
(DL3016)
[info] 9-9: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
[info] 45-45: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
[warning] 57-57: Use arguments JSON notation for CMD and ENTRYPOINT arguments
(DL3025)
🔇 Additional comments (10)
packages/api/Dockerfile.dev (1)
3-3: Base Image Update Looks Good
The update of the base image to node:20-alpine3.21 ensures compatibility with OpenSSL and aligns with the PR objectives.
apps/webapp/Dockerfile.dev (1)
3-3: Base Image Update Looks Good
Updating the base image to node:20-alpine3.21 aligns with the project's needs for OpenSSL support.
packages/api/Dockerfile.pnpm-lint (1)
7-7: Base Image Update Looks Good
The change to node:20-alpine3.21 for the base image is appropriate and supports the inclusion of OpenSSL.
packages/api/Dockerfile.pnpm-build (1)
7-7: LGTM: Base image update addresses OpenSSL dependency.
The update to node:20-alpine3.21 aligns with the PR objective and provides a specific version for better reproducibility.
packages/api/Dockerfile.pnpm-installer (2)
8-8: LGTM: Base image update is consistent.
The update to node:20-alpine3.21 maintains consistency across Dockerfiles and addresses the OpenSSL requirement.
11-11: 🧹 Nitpick (assertive)
Consider pinning package versions for better reproducibility.
Same recommendation as other Dockerfiles for version pinning.
🧰 Tools
🪛 Hadolint (2.12.0)
[warning] 11-11: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
packages/api/Dockerfile.validate-connectors (3)
8-8: LGTM: Base image update is consistent.
The update to node:20-alpine3.21 maintains consistency across Dockerfiles and addresses the OpenSSL requirement.
11-11: 🧹 Nitpick (assertive)
Consider pinning package versions for better reproducibility.
Same recommendation as other Dockerfiles for version pinning.
🧰 Tools
🪛 Hadolint (2.12.0)
[warning] 11-11: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
Line range hint 8-29: Verify OpenSSL functionality in the validation process.
Since this Dockerfile is used for connector validation, let's ensure the OpenSSL addition doesn't affect the validation process.
✅ Verification successful
Based on the comprehensive analysis of the validation process and OpenSSL usage, I can now provide the final response:
OpenSSL installation in Dockerfile is safe and necessary for basic HTTPS functionality.
The OpenSSL package is installed alongside other essential system dependencies and is used for secure HTTPS communications, which is a basic requirement for most modern web applications. The validation process itself (implemented in connectorUpdate.js) doesn't directly use OpenSSL - it's focused on updating dependencies, imports, and database schemas for new connectors. The OpenSSL installation doesn't affect the connector validation logic.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash
# Description: Check if any connectors require specific OpenSSL configurations
# Search for OpenSSL-related configurations or requirements in connector files
rg -i "openssl|ssl|tls" ./packages/api/src/connectors/
Length of output: 127
Script:
#!/bin/bash
# Let's first find the correct path for connectors
fd connectors
# Then check for SSL/TLS configurations in the entire codebase
rg -i "openssl|ssl|tls"
# Also check for any validation-related files that might use OpenSSL
fd validate
Length of output: 7499
Script:
#!/bin/bash
# Let's check the validation process implementation
fd -t f validate-connectors -x cat {}
# Check for any validation scripts or configuration
rg -i "validate.*connector" -A 5
Length of output: 3744
Script:
#!/bin/bash
# Let's check the connector validation script implementation
cat packages/api/scripts/connectorUpdate.js
# Also check if there are any SSL/TLS related operations in the validation process
rg -i "ssl|tls|openssl" packages/api/scripts/
Length of output: 18929
🧰 Tools
🪛 Hadolint (2.12.0)
[warning] 11-11: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
[info] 12-12: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
apps/webapp/src/app/(Dashboard)/api-keys/page.tsx (1)
180-180: LGTM! Improved button text consistency.
The text change from "Create New Api Key" to "Create API key" improves UI consistency.
| WORKDIR /app | ||
| # Setup pnpm and turbo on the alpine base | ||
| FROM alpine as base | ||
| RUN npm install pnpm turbo --global |
There was a problem hiding this comment.
🧹 Nitpick (assertive)
Pin Versions When Installing Global NPM Packages
To ensure consistent builds and avoid potential issues due to updated package versions, consider pinning the versions of pnpm and turbo.
Example:
-RUN npm install pnpm turbo --global
+RUN npm install [email protected] [email protected] --globalEnsure that 7.32.0 and 1.13.4 are replaced with the specific versions you intend to use.
Committable suggestion skipped: line range outside the PR's diff.
🧰 Tools
🪛 Hadolint (2.12.0)
[warning] 8-8: Pin versions in npm. Instead of npm install <package> use npm install <package>@<version>
(DL3016)
| COPY --from=installer /app/apps/webapp/.next/standalone ./ | ||
| COPY --from=installer /app/apps/webapp/.next/static ./apps/webapp/.next/static | ||
| COPY --from=installer /app/apps/webapp/public ./apps/webapp/public | ||
| RUN adduser --system --uid 1001 nodejs |
There was a problem hiding this comment.
🧹 Nitpick (assertive)
Consolidate RUN Instructions for User Creation
Combining these RUN instructions reduces image layers and streamlines the user setup process.
Apply this diff:
-RUN addgroup --system --gid 1001 nodejs
-RUN adduser --system --uid 1001 nodejs
+RUN addgroup --system --gid 1001 nodejs && \
+ adduser --system --uid 1001 nodejsCommittable suggestion skipped: line range outside the PR's diff.
🧰 Tools
🪛 Hadolint (2.12.0)
[info] 45-45: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
| EXPOSE 8090 | ||
|
|
||
| CMD ["node", "server.js"] | ||
| CMD node dist/main |
There was a problem hiding this comment.
🧹 Nitpick (assertive)
Use JSON Array Syntax for CMD Instruction
Using JSON array syntax ensures that the command and its arguments are passed correctly without invoking a shell, which can prevent potential issues with argument parsing.
Apply this diff:
-CMD node dist/main
+CMD ["node", "dist/main"]📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| CMD node dist/main | |
| CMD ["node", "dist/main"] |
🧰 Tools
🪛 Hadolint (2.12.0)
[warning] 57-57: Use arguments JSON notation for CMD and ENTRYPOINT arguments
(DL3025)
| # Alpine image | ||
| FROM node:20-alpine3.21 AS alpine | ||
| RUN apk update | ||
| RUN apk add --no-cache libc6-compat openssl |
There was a problem hiding this comment.
🧹 Nitpick (assertive)
Consider Pinning Package Versions in apk add
Pinning specific package versions ensures reproducibility and consistency across builds. This helps prevent unexpected behavior due to upstream changes.
Example:
RUN apk update && apk add --no-cache \
- libc6-compat openssl
+ libc6-compat=1.2.3-r0 openssl=1.1.1k-r0Replace 1.2.3-r0 and 1.1.1k-r0 with the desired versions based on your requirements.
Committable suggestion skipped: line range outside the PR's diff.
🧰 Tools
🪛 Hadolint (2.12.0)
[warning] 4-4: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
[info] 4-4: Multiple consecutive RUN instructions. Consider consolidation.
(DL3059)
| ARG PORT=8080 | ||
| ENV PORT=8090 | ||
|
|
||
| ENV NODE_ENV=production | ||
| EXPOSE 8090 |
There was a problem hiding this comment.
Ensure Consistent Port Configuration
There is a mismatch between the ARG PORT=8080, ENV PORT=8090, and the port exposed using EXPOSE 8090. This could lead to confusion or misconfiguration when running the container.
Consider aligning the port configurations:
-ARG PORT=8080
-ENV PORT=8090
-ENV NODE_ENV=production
-EXPOSE 8090
+ARG PORT=8080
+ENV PORT=$PORT
+ENV NODE_ENV=production
+EXPOSE $PORTThis change ensures that the port can be configured externally and remains consistent throughout the container setup.
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| ARG PORT=8080 | |
| ENV PORT=8090 | |
| ENV NODE_ENV=production | |
| EXPOSE 8090 | |
| ARG PORT=8080 | |
| ENV PORT=$PORT | |
| ENV NODE_ENV=production | |
| EXPOSE $PORT |
|
|
||
| # ======================================================================= | ||
| FROM base AS linter | ||
| RUN apk add --no-cache libc6-compat netcat-openbsd curl | ||
| RUN apk add --no-cache libc6-compat netcat-openbsd curl openssl |
There was a problem hiding this comment.
🧹 Nitpick (assertive)
Consider Pinning Versions in apk add
To maintain build consistency and prevent unexpected updates, consider specifying versions for the installed packages.
Example:
-RUN apk add --no-cache libc6-compat netcat-openbsd curl openssl
+RUN apk add --no-cache \
+ libc6-compat=1.2.3-r0 \
+ netcat-openbsd=1.130-r0 \
+ curl=7.78.0-r0 \
+ openssl=1.1.1k-r0Replace version numbers with those that meet your project's compatibility requirements.
Committable suggestion skipped: line range outside the PR's diff.
🧰 Tools
🪛 Hadolint (2.12.0)
[warning] 11-11: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
|
|
||
| # ======================================================================= | ||
| FROM base AS builder | ||
| RUN apk add --no-cache libc6-compat netcat-openbsd curl | ||
| RUN apk add --no-cache libc6-compat netcat-openbsd curl openssl |
There was a problem hiding this comment.
🧹 Nitpick (assertive)
Consider pinning package versions for better reproducibility.
While adding openssl addresses the dependency issue, consider pinning specific versions for all packages to ensure consistent builds:
-RUN apk add --no-cache libc6-compat netcat-openbsd curl openssl
+RUN apk add --no-cache \
+ libc6-compat=1.2.4-r2 \
+ netcat-openbsd=1.130-r5 \
+ curl=8.5.0-r0 \
+ openssl=3.1.4-r5Committable suggestion skipped: line range outside the PR's diff.
🧰 Tools
🪛 Hadolint (2.12.0)
[warning] 11-11: Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>
(DL3018)
| @@ -1,10 +1,10 @@ | |||
| # run directly from the repo root directory | |||
| # docker build -f ./apps/webapp/Dockerfile . | |||
| FROM node:20-alpine AS base | |||
| FROM node:20-alpine3.21 AS base | |||
There was a problem hiding this comment.
🧹 Nitpick (assertive)
LGTM! Base image update and OpenSSL addition.
The changes appropriately address the OpenSSL dependency issue by:
- Updating to node:20-alpine3.21
- Adding OpenSSL package in all stages
Consider pinning package versions for better reproducibility:
-RUN apk add --no-cache libc6-compat openssl
+RUN apk add --no-cache libc6-compat=1.2.4-r2 openssl=3.1.4-r2Also applies to: 7-7, 26-26
| @@ -63,5 +61,4 @@ | |||
| COPY --from=builder ./app/out/full/ . | |||
| RUN pnpm run build | |||
|
|
|||
| CMD cd /app/apps/webapp/ && pnpm run start | |||
|
|
|||
| CMD cd /app/apps/webapp/ && pnpm run start | |||
There was a problem hiding this comment.
🧹 Nitpick (assertive)
Improve CMD instruction format.
Use JSON array notation for CMD as recommended by Docker best practices:
-CMD cd /app/apps/webapp/ && pnpm run start
+CMD ["sh", "-c", "cd /app/apps/webapp/ && pnpm run start"]📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| CMD cd /app/apps/webapp/ && pnpm run start | |
| CMD ["sh", "-c", "cd /app/apps/webapp/ && pnpm run start"] |
🧰 Tools
🪛 Hadolint (2.12.0)
[warning] 64-64: Use arguments JSON notation for CMD and ENTRYPOINT arguments
(DL3025)
| @@ -1,9 +1,9 @@ | |||
| # run directly from the repo root directory | |||
| # docker build -f ./packages/api/Dockerfile . | |||
| FROM node:20-alpine AS base | |||
| FROM node:20-alpine3.21 AS base | |||
There was a problem hiding this comment.
🧹 Nitpick (assertive)
LGTM! Consistent base image update and package additions.
The changes appropriately mirror the webapp Dockerfile changes and include OpenSSL in all stages, including the runner stage.
Consider pinning package versions for better reproducibility:
-RUN apk add --no-cache libc6-compat openssl
+RUN apk add --no-cache libc6-compat=1.2.4-r2 openssl=3.1.4-r2
# For runner stage
-RUN apk add --no-cache libc6-compat netcat-openbsd curl openssl
+RUN apk add --no-cache libc6-compat=1.2.4-r2 netcat-openbsd=1.130-r4 curl=8.5.0-r0 openssl=3.1.4-r2Also applies to: 6-6, 22-22, 45-45
Updating docker base image following as base image does not include openssl anymore
Details:
nodejs/docker-node#2175
prisma/prisma#25817
Summary by CodeRabbit
New Features
Bug Fixes
Chores
opensslto various Dockerfiles.Refactor