From e475d3433cbdb9a50d3b7374cbc372948bfbe6a6 Mon Sep 17 00:00:00 2001
From: pyr0ball
Date: Wed, 27 May 2026 10:18:02 -0700
Subject: [PATCH] fix: upgrade to Node 22 LTS, apk upgrade, npm update to fix CVEs

- node:20-alpine -> node:22-alpine (Node 20 EOL 2026-04-30)
- apk upgrade --no-cache combined with apk add to pick up patched Alpine packages (ffmpeg 8.0.1, libjxl, and all transitive deps)
- npm install -g npm@latest to patch bundled tar and minimatch CVEs
- Combined upgrade+add into single RUN layer for consistency

Resolves 51 CVEs reported in Docker Hub vulnerability scan including CVE-2026-23950, CVE-2026-26996 (npm/tar, npm/minimatch) and CVE-2023-51793/51794/51795 (apk/ffmpeg) groups
---
 Dockerfile | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 52eae8d..eeb9c33 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,23 @@
-# Discarr — disc scanning and encoding queue
-# ffmpeg/ffprobe included for VIDEO_TS/BDMV metadata scanning
-# Encoding is dispatched via SSH to a remote host (e.g. Strahl)
-FROM node:20-alpine
+# Discarr: disc scanning and encoding queue
+# ffmpeg/ffprobe: VIDEO_TS/BDMV metadata scanning and local encode dispatch
+# HandBrake: optional HEVC encoder (ffmpeg is the fallback)
+# openssh-client: remote encode dispatch to SSH transcode workers
 
-RUN apk add --no-cache ffmpeg openssh-client handbrake
+# Node 22 is the current LTS (Node 20 reached EOL 2026-04-30)
+FROM node:22-alpine
+
+# Upgrade all base packages to pick up security patches from Alpine before
+# adding our own deps. Combining upgrade + add in one RUN avoids an extra
+# layer and ensures the package index stays consistent.
+RUN apk upgrade --no-cache && \
+    apk add --no-cache \
+        ffmpeg \
+        handbrake \
+        openssh-client
+
+# npm's bundled deps (tar, minimatch) carry their own CVE surface.
+# Updating to latest npm gets the patched versions.
+RUN npm install -g npm@latest && npm cache clean --force
 
 WORKDIR /app
 COPY server.js scanner.js ./
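Review bot: The new `FROM node:22-alpine` line and `RUN npm install -g npm@latest` both resolve at build time, so the set of CVEs this patch closes depends on when the image is next rebuilt and cannot be reproduced or audited from the Dockerfile alone. Pin the base image by digest and npm to the version that was actually verified to carry the patched tar/minimatch, e.g. `FROM node:22-alpine@sha256:<digest-from-verified-scan>` and `RUN npm install -g npm@<verified-version> && npm cache clean --force`, then bump the pins when the scan is re-run; the same applies to the apk packages (`ffmpeg=<verified-version>`) if the Alpine index still serves the version you tested. `npm@latest` can also silently jump a major npm release on a later rebuild, which the comment above it does not warn about. Consider recording the scan date next to the pins in the comment so the next reviewer knows when they were last checked. The rest of the Dockerfile, including any USER or CMD, lies outside this hunk.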