From 8dadef091ba9a53f13746f9b755abcb7b380c599 Mon Sep 17 00:00:00 2001 From: Akpolo Ogagaoghene Prince Date: Mon, 1 Jun 2026 22:03:04 +0100 Subject: [PATCH] fix(backend): drop package-lock.json from production image to clear false Trivy critical MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Deploy Staging Trivy CRITICAL gate fails on a handlebars advisory. handlebars is a devDependency and the production stage installs prod-only deps (npm ci --omit=dev), so it is never actually present in the image. The failure comes from package-lock.json: it is copied in for npm ci and then left behind, and Trivy reads the lockfile's full dependency tree — including devDependencies — and reports their advisories against the image. Remove the lockfile after install. It is a build-time artifact with no runtime purpose, and dropping it makes the scan reflect what is actually installed (production dependencies only). The remaining axios advisories are HIGH, which the warn-only step reports without failing the build. --- backend/Dockerfile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/backend/Dockerfile b/backend/Dockerfile index 8cb72846..26d5e925 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile @@ -18,9 +18,12 @@ FROM node:22-alpine AS production WORKDIR /app -# Install only production dependencies +# Install only production dependencies. Drop the lockfile afterwards: it is a +# build-time artifact, not needed at runtime, and if left in the image the +# container scanner reads it and reports devDependency advisories (e.g. a +# critical in handlebars) for packages that are never actually installed here. COPY package*.json ./ -RUN npm ci --omit=dev +RUN npm ci --omit=dev && rm -f package-lock.json # Copy compiled output from builder COPY --from=builder /app/dist ./dist
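Review bot: the `rm -f package-lock.json` appended to the `RUN npm ci --omit=dev && rm -f package-lock.json` line only hides the file in the top layer; the preceding `COPY package*.json ./` layer still carries a copy. That is sufficient for the Deploy Staging gate, because Trivy scans the flattened root filesystem rather than each layer, but it is worth a sentence in the comment so nobody later expects the lockfile to be gone from the layer history. Two follow-ups: after the build, confirm that handlebars really is absent from the production tree (e.g. `npm ls handlebars --omit=dev` in the builder stage, or listing `/app/node_modules` in the final image) so the passing scan reflects what is installed and not merely the missing lockfile; and consider keeping the comment generic rather than naming the current handlebars critical, which will read as stale once that advisory is resolved upstream. Keeping `package.json` in place, as the hunk does, is correct: Node reads its `type` and `main` fields at runtime, so only the lockfile should be dropped.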