Alpine's community ffmpeg package had 4+ high CVEs open for 12+ months (CVE-2023-51793/94/95/98) that Debian's security team backported patches for in ffmpeg 5.1.9-0+deb12u1.

Changes:
- Dockerfile: node:22-bookworm-slim, apt-get ffmpeg (5.1.9 patched)
- Dockerfile.handbrake: same base, adds handbrake-cli
- CVE-2026-1837 (libjxl): not affected — bookworm ships libjxl 0.7.0
- CVE-2025-52194 (libsndfile): Debian marked not reproducible
- CVE-2026-3099x (ffmpeg AV1): postponed everywhere, no fix available

Tradeoff: image grows from ~300MB to ~677MB (Debian runtime overhead). ffmpeg 5.1.9 has full feature coverage for disc scanning and HEVC encoding.
# Discarr — HandBrake variant (Debian bookworm base)
# Includes HandBrake for preset-based encoding and forced-subtitle burn-in.
#
# NOTE: HandBrake on Debian pulls in libavcodec/libavfilter from ffmpeg 5.1.x.
# The CVE profile is better than Alpine (Debian backports patches) but the
# HandBrake binary and its ffmpeg libs add surface area vs the default image.
# Use this variant only if you specifically need HandBrake features.
#
# Build: docker build -f Dockerfile.handbrake -t pyr0ball/discarr:handbrake .

FROM node:22-bookworm-slim

RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    ffmpeg \
    handbrake-cli \
    openssh-client && \
    rm -rf /var/lib/apt/lists/*

RUN npm install -g npm@latest && npm cache clean --force

WORKDIR /app
COPY server.js scanner.js ./
COPY public/ ./public/

EXPOSE 8603
CMD ["node", "server.js"]