From c6f947a2ff1d97399f92cde68d5c4b9cee998263 Mon Sep 17 00:00:00 2001
From: Matti Nannt
Date: Tue, 3 Feb 2026 13:35:32 +0100
Subject: [PATCH] fix(security): revert to npm global prisma install and fix npm tar vulnerability

- Revert from copying prisma CLI (missing dependencies like effect, c12) back to npm install -g prisma@6 which includes all dependencies
- Fix npm's bundled tar vulnerability by updating tar@latest after npm install
- Simplify @prisma copy to just @prisma/client (CLI comes from global install)

The copy approach failed because prisma CLI has many transitive dependencies (effect, c12, deepmerge-ts, etc.) that aren't nested in node_modules/prisma due to pnpm's flat structure.

Co-Authored-By: Claude Opus 4.5
---
 apps/web/Dockerfile | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/apps/web/Dockerfile b/apps/web/Dockerfile
index c3e52bf30d..1cabb71b58 100644
--- a/apps/web/Dockerfile
+++ b/apps/web/Dockerfile
@@ -74,8 +74,9 @@ RUN --mount=type=secret,id=database_url \
 #
 FROM base AS runner
-# Update npm to latest to fix vulnerabilities in bundled tar package, then create user
+# Update npm to latest and fix tar vulnerability in npm's bundled dependencies, then create user
 RUN npm install --ignore-scripts -g npm@latest \
+    && cd /usr/local/lib/node_modules/npm && npm install --ignore-scripts tar@latest \
     && addgroup -S nextjs \
     && adduser -S -u 1001 -G nextjs nextjs
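Review bot: Every version in the new `RUN` floats — `npm@latest` and the added `tar@latest` here, and `prisma@6` in the last hunk — so the image is not reproducible and a later rebuild can silently resolve a different tar than the one that was checked against the advisory; pin exact versions, e.g. `npm@<pinned-version>` and `tar@<pinned-version>`, and assert the outcome in the same layer with `&& npm ls tar` run from the npm directory so the build fails if the expected version is not what ends up installed. Running `npm install tar@latest` inside `/usr/local/lib/node_modules/npm` presumably also rewrites npm's own `package.json` and drops a `package-lock.json` there, which looks harmless but deserves a comment such as `# tar is installed into npm's own tree to replace the vulnerable bundled copy; pinned to the advisory's fixed version`. The `cd` in the chain (hadolint DL3003) can be avoided with `npm install --ignore-scripts --prefix /usr/local/lib/node_modules/npm tar@<pinned-version>`.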
@@ -106,9 +107,9 @@ RUN chown nextjs:nextjs ./packages/database/schema.prisma && chmod 644 ./package
 COPY --from=installer /app/packages/database/dist ./packages/database/dist
 RUN chown -R nextjs:nextjs ./packages/database/dist && chmod -R 755 ./packages/database/dist
-# Copy all @prisma packages (client, engines, config needed for CLI)
-COPY --from=installer /app/node_modules/@prisma ./node_modules/@prisma
-RUN chown -R nextjs:nextjs ./node_modules/@prisma && chmod -R 755 ./node_modules/@prisma
+# Copy prisma client packages
+COPY --from=installer /app/node_modules/@prisma/client ./node_modules/@prisma/client
+RUN chown -R nextjs:nextjs ./node_modules/@prisma/client && chmod -R 755 ./node_modules/@prisma/client
 COPY --from=installer /app/node_modules/.prisma ./node_modules/.prisma
 RUN chown -R nextjs:nextjs ./node_modules/.prisma && chmod -R 755 ./node_modules/.prisma
@@ -125,12 +126,8 @@ RUN chmod -R 755 ./node_modules/@noble/hashes
 COPY --from=installer /app/node_modules/zod ./node_modules/zod
 RUN chmod -R 755 ./node_modules/zod
-# Copy prisma CLI from installer (uses pnpm overrides for security patches)
-COPY --from=installer /app/node_modules/prisma ./node_modules/prisma
-RUN chmod -R 755 ./node_modules/prisma
-
-# Create prisma symlink so 'prisma' command is available globally
-RUN ln -s /home/nextjs/node_modules/prisma/build/index.js /usr/local/bin/prisma
+# Install prisma CLI globally for database migrations
+RUN npm install --ignore-scripts -g prisma@6
 # Create a startup script to handle the conditional logic
 COPY --from=installer /app/apps/web/scripts/docker/next-start.sh /home/nextjs/start.sh
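Review bot: The new `chmod -R 755 ./node_modules/@prisma/client` marks every file in the package executable, including plain `.js` and `.d.ts` sources, which is broader than the `chmod 644` this same file uses for `schema.prisma` in the hunk header; `chmod -R u=rwX,go=rX` keeps directories traversable and files readable without granting the execute bit. The `.prisma` line below it and the other copied packages follow the same pattern, so this is pre-existing style that the commit re-applies rather than introduces, but the rewritten line is a natural place to tighten it, and a follow-up could do the same for the rest. A `COPY --chown=nextjs:nextjs` on the preceding line would also remove the need for the separate `chown -R`, which otherwise doubles the layer's size.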
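Review bot: The removed comment stated that the pnpm-installed CLI carried security patches via pnpm overrides; the new `RUN npm install --ignore-scripts -g prisma@6` resolves the CLI and all of its transitive dependencies outside the workspace lockfile, so those overrides no longer apply and the resolved dependency set changes with every build. Pin an exact version (`prisma@<pinned-version>`) and consider checking it in the same layer with `&& prisma --version`, so the migration tool shipped in the runtime image is the one that was reviewed. `--ignore-scripts` also skips prisma's postinstall, which — if I recall correctly — is where the engine binaries are fetched, so the CLI may try a network download the first time `migrate` runs as the `nextjs` user at container start; confirm with an offline run of the built image before merging, and document the outcome in the comment above the `RUN`. The global installs in this stage additionally leave `/root/.npm` in the final layer; `&& npm cache clean --force` keeps it out of the image.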