Audit finding from #474 (commit 958e1ec)
Severity: low
Category: dependencies / supply chain / CI
File: docker/web.Dockerfile:4
Obvious fix: yes
Description
docker/web.Dockerfile runs cargo install trunk w/ no version pin. Each docker rebuild fetches latest trunk from crates.io. Compromised or buggy trunk release auto-pulled into WASM build pipeline.
# docker/web.Dockerfile:1-7
FROM rust:1.95-slim-bookworm@sha256:caaf9... AS builder
RUN rustup target add wasm32-unknown-unknown
RUN cargo install trunk # ← unpinned, no --locked
WORKDIR /build
COPY . .
RUN cd crates/web && trunk build --release
Sibling of closed #319 (DEP-12). #319 fixed .github/workflows/deploy.yml (now uses taiki-e/install-action@cf525cb... w/ trunk@0.21.14). Docker pipeline missed: docker compose up, just docker-build, anyone running stack via docker still hits unpinned path.
Impact / Threat
Compromised trunk release reaches container image; build outputs non-reproducible across re-runs of same commit. Lower blast than #319 (Linode prod uses local cargo build + scp, not docker), but still affects:
- contributors running
just docker-build / just docker-up
- any deploy that adopts docker image as artifact (CI matrix, future production swap)
Suggested fix
Pin to same version as deploy.yml:
RUN cargo install trunk --version 0.21.14 --locked
Or better, mirror deploy.yml pattern: install trunk binary from GitHub release (avoids cargo install compile path entirely).
Verify
grep -n 'cargo install trunk' docker/web.Dockerfile
# docker/web.Dockerfile:4:RUN cargo install trunk
# After fix, expect: cargo install trunk --version 0.21.14 --locked
Cross-ref
Audit finding from #474 (commit 958e1ec)
Severity: low
Category: dependencies / supply chain / CI
File:
docker/web.Dockerfile:4Obvious fix: yes
Description
docker/web.Dockerfilerunscargo install trunkw/ no version pin. Each docker rebuild fetches latest trunk from crates.io. Compromised or buggy trunk release auto-pulled into WASM build pipeline.Sibling of closed #319 (DEP-12). #319 fixed
.github/workflows/deploy.yml(now usestaiki-e/install-action@cf525cb...w/trunk@0.21.14). Docker pipeline missed:docker compose up,just docker-build, anyone running stack via docker still hits unpinned path.Impact / Threat
Compromised trunk release reaches container image; build outputs non-reproducible across re-runs of same commit. Lower blast than #319 (Linode prod uses local
cargo build+ scp, not docker), but still affects:just docker-build/just docker-upSuggested fix
Pin to same version as
deploy.yml:RUN cargo install trunk --version 0.21.14 --lockedOr better, mirror deploy.yml pattern: install trunk binary from GitHub release (avoids
cargo installcompile path entirely).Verify
Cross-ref
trunkversion (cargo install trunk --locked) #319 (DEP-12) — sibling, deploy.yml scope, closed via c468c04rust:latest/rust:slim/nginx:alpinetags #313) — docker base-image pinning, landed via c479670 (this PR pinned base-images by digest but missedcargo install trunkinside)