Revert "build(docker): Switch to Docker Hardened Images (DHI) (#214)"#215
This reverts commit 8d4b5e2.
| FROM node:24.14.0 AS builder | ||
|
|
||
| WORKDIR /build | ||
|
|
||
| COPY package.json yarn.lock ./ | ||
| COPY package.json yarn.lock . | ||
| RUN yarn install --frozen-lockfile | ||
|
|
||
| COPY tsconfig.json . | ||
| COPY src src | ||
| RUN yarn build |
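Review bot: `FROM node:24.14.0 AS builder` now pins only a mutable tag after moving off the hardened image; pin the base image by digest (`node:24.14.0@sha256:<digest-placeholder>`) so the builder stage stays reproducible and a re-tagged upstream image cannot silently change what gets built. The same hunk also drops the `WORKDIR /build` line, so both `RUN yarn install --frozen-lockfile` and `RUN yarn build` execute from `/`; keep a `WORKDIR` ahead of the first `RUN` in the stage.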
Bug: The Dockerfile's builder stage lacks a WORKDIR instruction. The yarn build command will attempt to write to the root /lib directory, causing a build failure.
Severity: CRITICAL
Suggested Fix
Add a WORKDIR instruction to the builder stage of the Dockerfile to set a non-root working directory before running the build command. For example, add WORKDIR /build before the RUN yarn build step.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: Dockerfile#L1-L8
Potential issue: The builder stage in the `Dockerfile` is missing a `WORKDIR` instruction. Consequently, the current working directory defaults to the root (`/`). When `RUN yarn build` is executed, the TypeScript compiler (`tsc`) attempts to write its output to the directory specified by `"outDir": "./lib"` in `tsconfig.json`. This resolves to `/lib`, a protected system directory. The build process will fail due to permission errors when trying to write to `/lib`, preventing the Docker image from being created.
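As an added example (not code from this repository or from either review bot), the following Python script makes the reasoning in the comment above checkable offline: it parses a Dockerfile, reports every `RUN` that would execute in a stage whose working directory is still the default `/`, and resolves where a relative tsconfig `outDir` lands for a given working directory. The Dockerfile text embedded in it is constructed to mirror the reverted builder stage, and the `SYSTEM_DIRS` tuple is an assumption about which path prefixes should never receive build output.

```python
"""Static check for a Dockerfile: flag RUN steps that execute before any
WORKDIR is set, and resolve where a relative tsconfig outDir would land.

Added example, not code from the repository under review. The sample
Dockerfile text below is constructed for illustration.
"""
import posixpath
import re

# Constructed sample mirroring the reverted builder stage (no WORKDIR).
SAMPLE_DOCKERFILE = """\
FROM node:24.14.0 AS builder
COPY package.json yarn.lock .
RUN yarn install --frozen-lockfile
COPY tsconfig.json .
COPY src src
RUN yarn build

FROM node:24.14.0-slim AS runtime
WORKDIR /usr/src/app
COPY --from=builder lib lib
"""

# Same file with the WORKDIR restored ahead of the first RUN.
FIXED_DOCKERFILE = SAMPLE_DOCKERFILE.replace(
    "FROM node:24.14.0 AS builder\n",
    "FROM node:24.14.0 AS builder\nWORKDIR /build\n",
)

# Assumed list of prefixes a build must never write into. /lib is listed
# explicitly because on current Debian images it is a symlink to /usr/lib.
SYSTEM_DIRS = ("/bin", "/boot", "/etc", "/lib", "/lib64", "/sbin", "/usr")


def parse_stages(dockerfile_text):
    """Return [(stage_name, [(INSTRUCTION, args), ...]), ...] in file order."""
    stages = []
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            match = re.search(r"\bAS\s+(\S+)", args, re.IGNORECASE)
            name = match.group(1) if match else f"stage{len(stages)}"
            stages.append((name, []))
        elif stages:
            stages[-1][1].append((instr, args.strip()))
    return stages


def effective_workdir(instructions, upto):
    """Working directory in effect before instruction index `upto`.

    Docker's default is /; a relative WORKDIR is joined onto the previous one.
    """
    cwd = "/"
    for instr, args in instructions[:upto]:
        if instr == "WORKDIR":
            cwd = args if args.startswith("/") else posixpath.join(cwd, args)
    return posixpath.normpath(cwd)


def find_runs_without_workdir(dockerfile_text):
    """List (stage_name, 'RUN ...') for every RUN that executes with cwd '/'."""
    findings = []
    for name, instrs in parse_stages(dockerfile_text):
        for index, (instr, args) in enumerate(instrs):
            if instr == "RUN" and effective_workdir(instrs, index) == "/":
                findings.append((name, f"RUN {args}"))
    return findings


def resolve_out_dir(workdir, out_dir):
    """Absolute path a relative tsconfig outDir resolves to for a given cwd."""
    return posixpath.normpath(posixpath.join(workdir, out_dir))


def lands_in_system_dir(path):
    """True if `path` is the root or sits under one of SYSTEM_DIRS."""
    return path == "/" or any(
        path == d or path.startswith(d + "/") for d in SYSTEM_DIRS
    )


if __name__ == "__main__":
    for label, text in (("reverted", SAMPLE_DOCKERFILE), ("fixed", FIXED_DOCKERFILE)):
        print(f"{label}: RUN steps executing from '/': {find_runs_without_workdir(text)}")
    for cwd in ("/", "/build"):
        target = resolve_out_dir(cwd, "./lib")
        print(f"outDir ./lib with WORKDIR {cwd} -> {target} "
              f"(system dir: {lands_in_system_dir(target)})")
```

Run as a script it reports both `RUN` steps of the reverted stage as executing from `/` and none once `WORKDIR /build` is restored, and shows `./lib` resolving to `/lib` in the first case and `/build/lib` in the second. The checker reads only the Dockerfile text, so it can sit in CI as a pre-build gate without needing a Docker daemon.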
Cursor Bugbot has reviewed your changes and found 2 potential issues.
|
|
||
| WORKDIR /build | ||
|
|
||
| COPY package.json yarn.lock ./ |
Missing WORKDIR causes build output in system directory
High Severity
The builder stage has no WORKDIR, so the default working directory is /. The TypeScript compiler (tsc) writes output to outDir: "./lib" (per tsconfig.json), which resolves to /lib. On modern Debian, /lib is a symlink to /usr/lib (a system directory), so compiled JS files land among system libraries. Then COPY --from=builder lib lib copies the entirety of /usr/lib — system shared libraries plus application code — into the runtime's /usr/src/app/lib, resulting in a massively bloated image with system files mixed into the application directory.
Additional Locations (1)
| - orchestrator=devservices | ||
| healthcheck: | ||
| test: ["CMD", "node", "-e", "fetch('http://127.0.0.1:9090/api/chartcuterie/healthcheck/live').then(r=>r.ok?0:1,()=>1).then(process.exit)"] | ||
| test: python3 -c "import urllib.request; urllib.request.urlopen(\"http://127.0.0.1:9090/api/chartcuterie/healthcheck/live\", timeout=5)" |
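Review bot: the restored `test:` is a bare string, so Compose runs it through a shell and the probe depends on `python3` existing in the runtime image, which the slim Node image used here does not ship; prefer the removed exec-form line `test: ["CMD", "node", "-e", ...]`, which needs only the interpreter the image is built around. If the 5-second bound from `timeout=5` matters, express it with the healthcheck's own `timeout:` key rather than inside the probe command, so the limit is enforced regardless of which interpreter runs the check.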
Healthcheck uses python3 not available in image
Medium Severity
The healthcheck was reverted to use python3, but the runtime image (node:24.14.0-slim) does not include python3. The slim Node image and the installed apt packages (build-essential, libcairo2-dev, etc.) don't provide python3. This causes the healthcheck to always fail, preventing devservices from marking the container as healthy. The DHI version correctly used node for the healthcheck, which is guaranteed to be available.


Reverts #214
Fonts were broken due to this change, hence the need for the revert.