From 0ab8dae6695575c4a03835356641f30190e8f51a Mon Sep 17 00:00:00 2001
From: Paperclip <noreply@paperclip.ing>
Date: Tue, 14 Apr 2026 23:51:42 +0000
Subject: [PATCH] fix: remediate high-severity CVEs in Docker images

- Add apk upgrade to frontend Dockerfile (build + prod stages)
- Add apk upgrade to auth Dockerfile (build + runtime stages)
- Add apt-get upgrade to api Dockerfile (build + prod stages)
- Add apt-get upgrade to receiptwitness Dockerfile (build + prod stages)
- Run npm audit fix for frontend and auth dependencies

Refs: CAR-616
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 0b92e95..9f2762b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 # Stage 1: Build
 FROM node:20-alpine AS build
-
+RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 
 COPY package.json package-lock.json ./
@@ -11,6 +11,9 @@ RUN npm run build
 
 # Stage 2: Production — uses nginxinc/nginx-unprivileged which runs as non-root (UID 101)
 FROM nginxinc/nginx-unprivileged:stable-alpine AS prod
+USER root
+RUN apk update && apk upgrade --no-cache
+USER 101
 
 COPY --from=build /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf