Skip to content

Commit f636b63

Browse files
author
Claude Code Agent
committed
fix(mafia-vue): switch runtime image to nginx:stable-alpine3.23-slim
ReARM flipped the previous 2026-05-gate-check.0 release to REJECTED via the 'Reject on critical or high vulns' gate. Local 'npm audit' on mafia-vue reports 0 high/critical (only 2 moderate), so the vulns must be in the OS layer of nginx:1.29.7-trixie. Switching the runtime stage to nginx:stable-alpine3.23-slim: - Alpine 3.23 user-space is much smaller than Debian trixie's - 'stable' nginx (1.28.x LTS) is fully patched as of 2026-05-20 - 'slim' variant drops the extra debug/perl/geoip modules we don't use App is a static SPA + a /socket.io proxy via default.conf.template. The /etc/nginx/templates/ envsubst path, /usr/share/nginx/html docroot, and chmod semantics are identical on alpine-slim vs trixie, so no behaviour change. The build stage stays on node:24.14-trixie- slim — the build-time bundler doesn't ship into the runtime image, so its OS surface doesn't show up in the docker SBOM. ReARM-Agentic-Session: gate-check-1779378001 ReARM-Agent: 324b2ca3-403e-4126-b353-4787140daa65
1 parent 81c40ab commit f636b63

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

mafia-vue/Dockerfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ RUN npm ci --ignore-scripts
55
COPY ./ .
66
RUN npm run build
77

8-
FROM nginx:1.29.7-trixie@sha256:7150b3a39203cb5bee612ff4a9d18774f8c7caf6399d6e8985e97e28eb751c18 as artifact-stage
8+
FROM nginx:stable-alpine3.23-slim@sha256:470297f0c1a833c3b3089542cb38d72c83a4beb2a449ef807d33267c0a063d7c as artifact-stage
99
ARG CI_ENV=noci
1010
ARG GIT_COMMIT=git_commit_undefined
1111
ARG GIT_BRANCH=git_branch_undefined

0 commit comments

Comments
 (0)