Alpine's community ffmpeg package had 4+ high CVEs open for 12+ months (CVE-2023-51793/94/95/98) that Debian's security team backported patches for in ffmpeg 5.1.9-0+deb12u1.

Changes:
- Dockerfile: node:22-bookworm-slim, apt-get ffmpeg (5.1.9 patched)
- Dockerfile.handbrake: same base, adds handbrake-cli
- CVE-2026-1837 (libjxl): not affected — bookworm ships libjxl 0.7.0
- CVE-2025-52194 (libsndfile): Debian marked not reproducible
- CVE-2026-3099x (ffmpeg AV1): postponed everywhere, no fix available

Tradeoff: image grows from ~300MB to ~677MB (Debian runtime overhead). ffmpeg 5.1.9 has full feature coverage for disc scanning and HEVC encoding.
31 lines
1 KiB
Docker
# Discarr: disc scanning and encoding queue
# ffmpeg/ffprobe: VIDEO_TS/BDMV metadata scanning and HEVC encode dispatch
# openssh-client: remote encode dispatch to SSH transcode workers
#
# Base: node:22-bookworm-slim (Debian bookworm)
# Debian's security team backports ffmpeg CVE patches to 5.1.x; Alpine's
# community ffmpeg package has had several high CVEs open for 12+ months.
#
# HandBrake is NOT included — ffmpeg handles encoding by default.
# For HandBrake presets or forced-subtitle burn-in, use:
#   pyr0ball/discarr:handbrake (or build from Dockerfile.handbrake)
# Or install natively: sudo bash install.sh

FROM node:22-bookworm-slim

# Install ffmpeg and openssh-client, then clean apt lists
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        ffmpeg \
        openssh-client && \
    rm -rf /var/lib/apt/lists/*

# Update npm to patch bundled tar/minimatch CVEs
RUN npm install -g npm@latest && npm cache clean --force

WORKDIR /app
COPY server.js scanner.js ./
COPY public/ ./public/

EXPOSE 8603
CMD ["node", "server.js"]