From 93afa60b4fbf8824736f823bfd6d58743b21d867 Mon Sep 17 00:00:00 2001
From: pyr0ball
Date: Wed, 27 May 2026 10:36:38 -0700
Subject: [PATCH] fix: switch to node:22-bookworm-slim (Debian) base for better CVE coverage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Alpine's community ffmpeg package had 4+ high CVEs open for 12+ months (CVE-2023-51793/94/95/98) that Debian's security team backported patches for in ffmpeg 5.1.9-0+deb12u1.

Changes:
- Dockerfile: node:22-bookworm-slim, apt-get ffmpeg (5.1.9 patched)
- Dockerfile.handbrake: same base, adds handbrake-cli
- CVE-2026-1837 (libjxl): not affected — bookworm ships libjxl 0.7.0
- CVE-2025-52194 (libsndfile): Debian marked not reproducible
- CVE-2026-3099x (ffmpeg AV1): postponed everywhere, no fix available

Tradeoff: image grows from ~300MB to ~677MB (Debian runtime overhead). ffmpeg 5.1.9 has full feature coverage for disc scanning and HEVC encoding.
---
Dockerfile | 25 ++++++++++++++-----------
Dockerfile.handbrake | 19 +++++++++++--------
2 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 4265d10..5e1526b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,20 +2,23 @@
 # ffmpeg/ffprobe: VIDEO_TS/BDMV metadata scanning and HEVC encode dispatch
 # openssh-client: remote encode dispatch to SSH transcode workers
 #
-# HandBrake is NOT included in this image — ffmpeg handles encoding by default.
-# If you need HandBrake (preset system, forced-subtitle burn-in), use the
-# handbrake variant: pyr0ball/discarr:handbrake
-# Or install HandBrake natively via: sudo bash install.sh
+# Base: node:22-bookworm-slim (Debian bookworm)
+# Debian's security team backports ffmpeg CVE patches to 5.1.x; Alpine's
+# community ffmpeg package has had several high CVEs open for 12+ months.
+#
+# HandBrake is NOT included — ffmpeg handles encoding by default.
+# For HandBrake presets or forced-subtitle burn-in, use:
+# pyr0ball/discarr:handbrake (or build from Dockerfile.handbrake)
+# Or install natively: sudo bash install.sh
 
-# Node 22 is the current LTS (Node 20 reached EOL 2026-04-30)
-FROM node:22-alpine
+FROM node:22-bookworm-slim
 
-# Upgrade all base packages first to pick up Alpine security patches,
-# then add runtime dependencies in the same layer.
-RUN apk upgrade --no-cache && \
- apk add --no-cache \
+# Install ffmpeg and openssh-client, then clean apt lists
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
 ffmpeg \
- openssh-client
+ openssh-client && \
+ rm -rf /var/lib/apt/lists/*
 
 # Update npm to patch bundled tar/minimatch CVEs
 RUN npm install -g npm@latest && npm cache clean --force
diff --git a/Dockerfile.handbrake b/Dockerfile.handbrake
index 01e2806..71d84fa 100644
--- a/Dockerfile.handbrake
+++ b/Dockerfile.handbrake
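Review bot: The patched-ffmpeg property this commit is built on is not enforced by the new `FROM` and `RUN` lines: `node:22-bookworm-slim` is a floating tag and `ffmpeg` is installed unpinned, so a build served from a cached layer or a lagging mirror can ship an older 5.1.x without the build noticing. Pin the base by digest, `FROM node:22-bookworm-slim@sha256:<digest>`, and make the version floor explicit in the same layer, e.g. `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' ffmpeg)" ge "7:5.1.9-0+deb12u1" && \` inserted before the `rm -rf /var/lib/apt/lists/*` line (the epoch prefix of Debian's ffmpeg package should be confirmed with `apt-cache policy ffmpeg` before hardcoding it). Note also that the removed `apk upgrade` has no apt counterpart in the new `RUN`, so the remaining Debian userland (libc, OpenSSL, etc.) is only as current as the tag's last rebuild; with a digest pin, a scheduled base bump is what keeps those packages patched, since hadolint discourages `apt-get upgrade` inside the image. Whether the file drops to a non-root `USER` later is outside this hunk and worth checking separately.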
@@ -1,18 +1,21 @@
-# Discarr — HandBrake variant
+# Discarr — HandBrake variant (Debian bookworm base)
 # Includes HandBrake for preset-based encoding and forced-subtitle burn-in.
-# NOTE: Alpine's HandBrake package depends on both ffmpeg 8.x AND ffmpeg 7.x,
-# which increases the CVE surface area compared to the default image.
+#
+# NOTE: HandBrake on Debian pulls in libavcodec/libavfilter from ffmpeg 5.1.x.
+# The CVE profile is better than Alpine (Debian backports patches) but the
+# HandBrake binary and its ffmpeg libs add surface area vs the default image.
 # Use this variant only if you specifically need HandBrake features.
 #
 # Build: docker build -f Dockerfile.handbrake -t pyr0ball/discarr:handbrake .
 
-FROM node:22-alpine
+FROM node:22-bookworm-slim
 
-RUN apk upgrade --no-cache && \
- apk add --no-cache \
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
 ffmpeg \
- handbrake \
- openssh-client
+ handbrake-cli \
+ openssh-client && \
+ rm -rf /var/lib/apt/lists/*
 
 RUN npm install -g npm@latest && npm cache clean --force