Commit f636b63
Claude Code Agent
fix(mafia-vue): switch runtime image to nginx:stable-alpine3.23-slim

ReARM flipped the previous 2026-05-gate-check.0 release to REJECTED
via the 'Reject on critical or high vulns' gate. Local 'npm audit'
on mafia-vue reports 0 high/critical (only 2 moderate), so the
vulns must be in the OS layer of nginx:1.29.7-trixie. Switching the
runtime stage to nginx:stable-alpine3.23-slim:

- Alpine 3.23 user-space is much smaller than Debian trixie's
- 'stable' nginx (1.28.x LTS) is fully patched as of 2026-05-20
- 'slim' variant drops the extra debug/perl/geoip modules we don't
  use

App is a static SPA + a /socket.io proxy via default.conf.template.
The /etc/nginx/templates/ envsubst path, /usr/share/nginx/html
docroot, and chmod semantics are identical on alpine-slim vs trixie,
so no behaviour change. The build stage stays on
node:24.14-trixie-slim — the build-time bundler doesn't ship into the
runtime image, so its OS surface doesn't show up in the docker SBOM.

ReARM-Agentic-Session: gate-check-1779378001
ReARM-Agent: 324b2ca3-403e-4126-b353-4787140daa65

1 parent 81c40ab commit f636b63
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5 | 5 | | |
6 | 6 | | |
7 | 7 | | |
8 | | - | |
| 8 | + | |
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
| |||
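Review bot: On the replaced line 8, the commit message names the new runtime image only by tag (nginx:stable-alpine3.23-slim), and a 'stable' tag moves as new builds are published, so the "fully patched as of 2026-05-20" state may not be what later rebuilds pull. Consider pinning the tag together with its digest (nginx:stable-alpine3.23-slim@sha256:<digest>) so the SBOM the gate evaluates matches the image that ships. The message also infers that the rejected findings sit in the OS layer of nginx:1.29.7-trixie from a clean 'npm audit' rather than from a scan of the image; running the image scan on the new tag before re-submitting to the 'Reject on critical or high vulns' gate would confirm that the switch actually clears it.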