fix(security): upgrade pnpm and AWS SDK to fix vulnerabilities (#7192)

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

apps/web/.eslintrc.js

@@ -1,20 +1,4 @@
 module.exports = {
   extends: ["@formbricks/eslint-config/legacy-next.js"],
   ignorePatterns: ["**/package.json", "**/tsconfig.json"],
-  overrides: [
-    {
-      files: ["locales/*.json"],
-      plugins: ["i18n-json"],
-      rules: {
-        "i18n-json/identical-keys": [
-          "error",
-          {
-            filePath: require("path").join(__dirname, "locales", "en-US.json"),
-            checkExtraKeys: false,
-            checkMissingKeys: true,
-          },
-        ],
-      },
-    },
-  ],
 };

apps/web/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:22-alpine3.22 AS base
+FROM node:24-alpine3.23 AS base
 
 #
 ## step 1: Prune monorepo
@@ -20,7 +20,7 @@ FROM base AS installer
 # Enable corepack and prepare pnpm
 RUN npm install --ignore-scripts -g corepack@latest 
 RUN corepack enable
-RUN corepack prepare pnpm@9.15.9 --activate
+RUN corepack prepare pnpm@10.28.2 --activate
 
 # Install necessary build tools and compilers
 RUN apk update && apk add --no-cache cmake g++ gcc jq make openssl-dev python3
@@ -69,20 +69,14 @@ RUN --mount=type=secret,id=database_url \
     --mount=type=secret,id=sentry_auth_token \
     /tmp/read-secrets.sh pnpm build --filter=@formbricks/web...
 
-# Extract Prisma version
-RUN jq -r '.devDependencies.prisma' packages/database/package.json > /prisma_version.txt
-
 #
 ## step 3: setup production runner
 #
 FROM base AS runner
 
-RUN npm install --ignore-scripts -g corepack@latest && \
-    corepack enable
-
-RUN apk add --no-cache curl \
-    && apk add --no-cache supercronic \
-    # && addgroup --system --gid 1001 nodejs \
+# Update npm to latest, then create user
+# Note: npm's bundled tar has a known vulnerability but npm is only used during build, not at runtime
+RUN npm install --ignore-scripts -g npm@latest \
     && addgroup -S nextjs \
     && adduser -S -u 1001 -G nextjs nextjs
 
@@ -113,15 +107,13 @@ RUN chown nextjs:nextjs ./packages/database/schema.prisma && chmod 644 ./package
 COPY --from=installer /app/packages/database/dist ./packages/database/dist
 RUN chown -R nextjs:nextjs ./packages/database/dist && chmod -R 755 ./packages/database/dist
 
+# Copy prisma client packages
 COPY --from=installer /app/node_modules/@prisma/client ./node_modules/@prisma/client
 RUN chown -R nextjs:nextjs ./node_modules/@prisma/client && chmod -R 755 ./node_modules/@prisma/client
 
 COPY --from=installer /app/node_modules/.prisma ./node_modules/.prisma
 RUN chown -R nextjs:nextjs ./node_modules/.prisma && chmod -R 755 ./node_modules/.prisma
 
-COPY --from=installer /prisma_version.txt .
-RUN chown nextjs:nextjs ./prisma_version.txt && chmod 644 ./prisma_version.txt
-
 COPY --from=installer /app/node_modules/@paralleldrive/cuid2 ./node_modules/@paralleldrive/cuid2
 RUN chmod -R 755 ./node_modules/@paralleldrive/cuid2
 
@@ -134,7 +126,9 @@ RUN chmod -R 755 ./node_modules/@noble/hashes
 COPY --from=installer /app/node_modules/zod ./node_modules/zod
 RUN chmod -R 755 ./node_modules/zod
 
-RUN npm install -g prisma@6
+# Install prisma CLI globally for database migrations and fix permissions for nextjs user
+RUN npm install --ignore-scripts -g prisma@6 \
+    && chown -R nextjs:nextjs /usr/local/lib/node_modules/prisma
 
 # Create a startup script to handle the conditional logic
 COPY --from=installer /app/apps/web/scripts/docker/next-start.sh /home/nextjs/start.sh
@@ -144,10 +138,8 @@ EXPOSE 3000
 ENV HOSTNAME="0.0.0.0"
 USER nextjs
 
-# Prepare pnpm as the nextjs user to ensure it's available at runtime
 # Prepare volumes for uploads and SAML connections
-RUN corepack prepare pnpm@9.15.9 --activate && \
-    mkdir -p /home/nextjs/apps/web/uploads/ && \
+RUN mkdir -p /home/nextjs/apps/web/uploads/ && \
     mkdir -p /home/nextjs/apps/web/saml-connection
 
 VOLUME /home/nextjs/apps/web/uploads/

apps/web/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@formbricks/web",
   "version": "0.0.0",
-  "packageManager": "pnpm@9.15.9",
+  "packageManager": "pnpm@10.28.2",
   "private": true,
   "scripts": {
     "clean": "rimraf .turbo node_modules .next coverage",
@@ -19,9 +19,9 @@
     "i18n:generate": "npx lingo.dev@latest run && npx lingo.dev@latest lockfile --force"
   },
   "dependencies": {
-    "@aws-sdk/client-s3": "3.879.0",
-    "@aws-sdk/s3-presigned-post": "3.879.0",
-    "@aws-sdk/s3-request-presigner": "3.879.0",
+    "@aws-sdk/client-s3": "3.971.0",
+    "@aws-sdk/s3-presigned-post": "3.971.0",
+    "@aws-sdk/s3-request-presigner": "3.971.0",
     "@boxyhq/saml-jackson": "1.52.2",
     "@dnd-kit/core": "6.3.1",
     "@dnd-kit/modifiers": "9.0.0",

package.json

@@ -73,9 +73,9 @@
     ]
   },
   "engines": {
-    "node": ">=16.0.0"
+    "node": ">=20.0.0"
   },
-  "packageManager": "pnpm@9.15.9",
+  "packageManager": "pnpm@10.28.2",
   "nextBundleAnalysis": {
     "budget": 358400,
     "budgetPercentIncreaseRed": 20,
@@ -90,10 +90,12 @@
       "tar-fs": "2.1.4",
       "typeorm": ">=0.3.26",
       "systeminformation": "5.27.14",
-      "qs": ">=6.14.1"
+      "qs": ">=6.14.1",
+      "fast-xml-parser": ">=5.3.4",
+      "diff": ">=8.0.3"
     },
     "comments": {
-      "overrides": "Security fixes for transitive dependencies. Remove when upstream packages update: axios (CVE-2025-58754) - awaiting @boxyhq/saml-jackson update | node-forge (Dependabot #230) - awaiting @boxyhq/saml-jackson update | tar-fs (Dependabot #205) - awaiting upstream dependency updates | typeorm (Dependabot #223) - awaiting @boxyhq/saml-jackson update | systeminformation (Dependabot #241) - awaiting @opentelemetry/host-metrics update | qs (Dependabot #245) - awaiting googleapis-common and stripe updates"
+      "overrides": "Security fixes for transitive dependencies. Remove when upstream packages update: axios (CVE-2025-58754) - awaiting @boxyhq/saml-jackson update | node-forge (Dependabot #230) - awaiting @boxyhq/saml-jackson update | tar-fs (Dependabot #205) - awaiting upstream dependency updates | typeorm (Dependabot #223) - awaiting @boxyhq/saml-jackson update | systeminformation (Dependabot #241) - awaiting @opentelemetry/host-metrics update | qs (Dependabot #245) - awaiting googleapis-common and stripe updates | fast-xml-parser (Dependabot #270) - awaiting @boxyhq/saml-jackson update | diff (Dependabot #269) - awaiting @microsoft/api-extractor update"
     },
     "patchedDependencies": {
       "next-auth@4.24.12": "patches/next-auth@4.24.12.patch"

packages/config-eslint/package.json

@@ -10,7 +10,6 @@
     "eslint-config-next": "15.3.2",
     "eslint-config-prettier": "10.1.5",
     "eslint-config-turbo": "2.5.3",
-    "eslint-plugin-i18n-json": "4.0.1",
     "eslint-plugin-react": "7.37.5",
     "eslint-plugin-react-hooks": "5.2.0",
     "eslint-plugin-react-refresh": "0.4.20",

packages/database/src/scripts/migration-runner.ts

@@ -170,7 +170,7 @@ const runSingleMigration = async (migration: MigrationScript, index: number): Pr
 
       // Run Prisma migrate
       // throws when migrate deploy fails
-      await execAsync(`pnpm prisma migrate deploy --schema="${PRISMA_SCHEMA_PATH}"`);
+      await execAsync(`prisma migrate deploy --schema="${PRISMA_SCHEMA_PATH}"`);
       logger.info(`Successfully applied schema migration: ${migration.name}`);
     } catch (err) {
       logger.error(err, `Schema migration ${migration.name} failed`);

packages/storage/package.json

@@ -37,9 +37,9 @@
   "author": "Formbricks <hola@formbricks.com>",
   "dependencies": {
     "@formbricks/logger": "workspace:*",
-    "@aws-sdk/client-s3": "3.879.0",
-    "@aws-sdk/s3-presigned-post": "3.879.0",
-    "@aws-sdk/s3-request-presigner": "3.879.0"
+    "@aws-sdk/client-s3": "3.971.0",
+    "@aws-sdk/s3-presigned-post": "3.971.0",
+    "@aws-sdk/s3-request-presigner": "3.971.0"
   },
   "devDependencies": {
     "@formbricks/config-typescript": "workspace:*",

pnpm-workspace.yaml

@@ -1,3 +1,12 @@
 packages:
   - "apps/*"
   - "packages/*"
+
+# Allow lifecycle scripts for packages that need to build native binaries
+# Required for pnpm v10+ which blocks scripts by default
+onlyBuiltDependencies:
+  - sharp
+  - esbuild
+  - prisma
+  - "@prisma/client"
+  - "@prisma/engines"