
Improve Dockerfile security, layering, and dev/prod parity#6882

Open
compwron wants to merge 2 commits into main from dockerfile-fixes-2026-04-23

Conversation

@compwron
Collaborator

Summary

  • Non-root user: app now runs as a dedicated app user instead of root
  • Remove vim from production image (attack surface reduction)
  • Fix ARG ROOT: remove the no-op global declaration; each stage now carries its own default value
  • Layer cache improvement: package*.json is copied and npm ci runs before COPY . ., so source changes don't bust the npm install layer
  • npm symlink fix: replaced fragile ln -s into node_modules internals with COPY --from=node-source /usr/local/bin/npm
  • apk cache cleanup added to the build stage (was missing, present in final stage)
  • Dev/prod Ruby parity: devcontainer updated from ruby:dev-3.3-bookworm → ruby:dev-4.0-bookworm to match production

Test plan

  • docker build . completes without errors
  • docker run starts Rails server and responds on port 3000
  • Verify whoami inside container returns app (not root)
  • Devcontainer opens successfully in VS Code with Ruby 4.0

🤖 Generated with Claude Code

- Run app as non-root user (addgroup/adduser + USER app)
- Remove vim from production image
- Fix ARG ROOT: remove no-op global declaration, add default per-stage
- Copy package*.json before COPY . . to improve npm layer caching
- Replace fragile npm symlink with direct COPY from node-source
- Add apk cache cleanup to build stage
- Align devcontainer Ruby version with production (3.3 → 4.0)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
github-actions bot added the "dependencies" label (Pull requests that update a dependency file) on Apr 24, 2026
COPY resolves the file to /usr/local/bin/npm, so Node sets __dirname
to /usr/local/bin/ and require('../lib/cli.js') in npm-cli.js points
to /usr/local/lib/cli.js (missing). A symlink keeps the real file at
/usr/local/lib/node_modules/npm/bin/npm-cli.js so __dirname resolves
correctly and the relative require works.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
