Alpine's community ffmpeg package had 4+ high CVEs open for 12+ months
(CVE-2023-51793/94/95/98) that Debian's security team backported patches
for in ffmpeg 5.1.9-0+deb12u1.
Changes:
- Dockerfile: node:22-bookworm-slim, apt-get ffmpeg (5.1.9 patched)
- Dockerfile.handbrake: same base, adds handbrake-cli
- CVE-2026-1837 (libjxl): not affected — bookworm ships libjxl 0.7.0
- CVE-2025-52194 (libsndfile): Debian marked not reproducible
- CVE-2026-3099x (ffmpeg AV1): postponed everywhere, no fix available
Tradeoff: image grows from ~300MB to ~677MB (Debian runtime overhead).
ffmpeg 5.1.9 has full feature coverage for disc scanning and HEVC encoding.
Alpine's HandBrake package depends on both ffmpeg 8.x AND ffmpeg7 7.x,
doubling the ffmpeg CVE surface. HandBrake is optional (ffmpeg handles
encoding by default), so remove it from the default image.
- Dockerfile: ffmpeg + openssh-client only (removes ffmpeg7 family)
- Dockerfile.handbrake: new variant for users who need HandBrake presets
or forced-subtitle burn-in; carries the known higher CVE count
Docker Hub tags:
pyr0ball/discarr:latest / 0.1.2 — lean, ffmpeg only
pyr0ball/discarr:handbrake — includes HandBrake (more CVEs)
- node:20-alpine -> node:22-alpine (Node 20 EOL 2026-04-30)
- apk upgrade --no-cache combined with apk add to pick up patched
Alpine packages (ffmpeg 8.0.1, libjxl, and all transitive deps)
- npm install -g npm@latest to patch bundled tar and minimatch CVEs
- Combined upgrade+add into single RUN layer for consistency
Resolves 51 CVEs reported in Docker Hub vulnerability scan including
CVE-2026-23950, CVE-2026-26996 (npm/tar, npm/minimatch) and
CVE-2023-51793/51794/51795 (apk/ffmpeg) groups
