-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathDockerfile.dev
More file actions
55 lines (44 loc) · 1.57 KB
/
Dockerfile.dev
File metadata and controls
55 lines (44 loc) · 1.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# Use specific version for reproducibility and security updates
FROM node:22.15.0-alpine
# Install security updates, build dependencies, and dumb-init for signal handling
RUN apk update && \
apk upgrade && \
apk add --no-cache \
dumb-init \
python3 \
make \
g++ \
curl \
ca-certificates && \
rm -rf /var/cache/apk/*
# Create non-root user with limited permissions
RUN addgroup -g 1001 -S nodejs && \
adduser -S nodejs -u 1001
# Set working directory
WORKDIR /app
# Copy package files for dependency installation
COPY package.json package-lock.json ./
# Install dependencies with --ignore-scripts to prevent compromised packages
# from executing arbitrary code during install. Post-install scripts that are
# legitimately needed (e.g. native addon builds) must be explicitly run after.
RUN npm pkg delete scripts.prepare && \
npm ci --ignore-scripts && \
npm cache clean --force && \
rm -rf /root/.npm /root/.cache
# Rebuild native addons that need compilation (safe — runs node-gyp, not package scripts)
RUN npm rebuild
# Copy entrypoint script and source code
COPY --chown=nodejs:nodejs . .
# Switch to non-root user
USER nodejs
# Set secure environment variables
ENV NODE_ENV=development \
NPM_CONFIG_AUDIT=true \
NPM_CONFIG_FUND=false \
NPM_CONFIG_AUDIT_LEVEL=moderate
# Expose port
EXPOSE 9999
# Use dumb-init for proper signal handling — prevents zombie processes
# and ensures clean shutdown even if a dependency spawns child processes
ENTRYPOINT ["dumb-init", "--"]
CMD ["sh", "docker-entrypoint.sh"]