mirror/formbricks
1
0
Fork 0
mirror of https://github.com/formbricks/formbricks.git synced 2026-02-05 02:58:36 -06:00
Code Issues Packages Projects Releases 123 Wiki Activity

fix(security): revert to npm global prisma install and fix npm tar vulnerability

Browse Source 
- Revert from copying prisma CLI (missing dependencies like effect, c12)
  back to npm install -g prisma@6 which includes all dependencies
- Fix npm's bundled tar vulnerability by updating tar@latest after npm install
- Simplify @prisma copy to just @prisma/client (CLI comes from global install)

The copy approach failed because prisma CLI has many transitive dependencies
(effect, c12, deepmerge-ts, etc.) that aren't nested in node_modules/prisma
due to pnpm's flat structure.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Matti Nannt
2026-02-03 13:35:32 +01:00
parent 6dfb2c1663
commit c6f947a2ff
1 changed files with 7 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
apps/web/Dockerfile
View File

@@ -74,8 +74,9 @@ RUN --mount=type=secret,id=database_url \
#
FROM base AS runner
# Update npm to latest to fix vulnerabilities in bundled tar package, then create user
# Update npm to latest and fix tar vulnerability in npm's bundled dependencies, then create user
RUN npm install --ignore-scripts -g npm@latest \
&& cd /usr/local/lib/node_modules/npm && npm install --ignore-scripts tar@latest \
&& addgroup -S nextjs \
&& adduser -S -u 1001 -G nextjs nextjs
@@ -106,9 +107,9 @@ RUN chown nextjs:nextjs ./packages/database/schema.prisma && chmod 644 ./package
COPY --from=installer /app/packages/database/dist ./packages/database/dist
RUN chown -R nextjs:nextjs ./packages/database/dist && chmod -R 755 ./packages/database/dist
# Copy all @prisma packages (client, engines, config needed for CLI)
COPY --from=installer /app/node_modules/@prisma ./node_modules/@prisma
RUN chown -R nextjs:nextjs ./node_modules/@prisma && chmod -R 755 ./node_modules/@prisma
# Copy prisma client packages
COPY --from=installer /app/node_modules/@prisma/client ./node_modules/@prisma/client
RUN chown -R nextjs:nextjs ./node_modules/@prisma/client && chmod -R 755 ./node_modules/@prisma/client
COPY --from=installer /app/node_modules/.prisma ./node_modules/.prisma
RUN chown -R nextjs:nextjs ./node_modules/.prisma && chmod -R 755 ./node_modules/.prisma
@@ -125,12 +126,8 @@ RUN chmod -R 755 ./node_modules/@noble/hashes
COPY --from=installer /app/node_modules/zod ./node_modules/zod
RUN chmod -R 755 ./node_modules/zod
# Copy prisma CLI from installer (uses pnpm overrides for security patches)
COPY --from=installer /app/node_modules/prisma ./node_modules/prisma
RUN chmod -R 755 ./node_modules/prisma
# Create prisma symlink so 'prisma' command is available globally
RUN ln -s /home/nextjs/node_modules/prisma/build/index.js /usr/local/bin/prisma
# Install prisma CLI globally for database migrations
RUN npm install --ignore-scripts -g prisma@6
# Create a startup script to handle the conditional logic
COPY --from=installer /app/apps/web/scripts/docker/next-start.sh /home/nextjs/start.sh