Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions autoadmin-ws-server/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,24 +1,24 @@
FROM node:22-alpine AS builder
FROM node:24-alpine AS builder

WORKDIR /app

COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile
RUN yarn install
Comment on lines 5 to +6

Copilot AI Feb 11, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Docker build context only copies package.json and yarn.lock, but this yarn.lock is Yarn Berry-style (has __metadata). Without copying a .yarnrc.yml/.yarn (or using corepack + a packageManager field), yarn install may run Yarn classic and fail to parse the lockfile or install with the wrong linker (PnP vs node-modules). Pin and activate the intended Yarn version and ensure node-modules linking for runtime resolution.

Copilot uses AI. Check for mistakes.

Copilot AI Feb 11, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To keep Docker builds reproducible, use Yarn's lockfile-enforcing mode (e.g., --immutable) for installs. Dropping --frozen-lockfile means the image build can silently modify the dependency tree when the lockfile and manifest drift.

Copilot uses AI. Check for mistakes.

COPY tsconfig.json ./
COPY src ./src

RUN yarn build

FROM node:22-alpine
FROM node:24-alpine

WORKDIR /app

RUN addgroup -g 1001 -S nodejs && \
adduser -S nodejs -u 1001

COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile --production && yarn cache clean
RUN yarn install --production && yarn cache clean

Copilot AI Feb 11, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as the builder stage: the production install should be lockfile-immutable as well. Otherwise the final runtime image can be built with a dependency graph that differs from what was tested/built in CI.

Suggested change
RUN yarn install --production && yarn cache clean
RUN yarn install --production --frozen-lockfile && yarn cache clean

Copilot uses AI. Check for mistakes.

COPY --from=builder /app/dist ./dist

Expand Down
8 changes: 4 additions & 4 deletions autoadmin-ws-server/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -12,16 +12,16 @@
},
"dependencies": {
"@hono/node-server": "^1.19.9",
"hono": "^4.11.7",
"hono": "^4.11.9",
"jsonwebtoken": "^9.0.3",
"lru-cache": "^11.2.5",
"lru-cache": "^11.2.6",
"nanoid": "^5.1.6",
"pino": "^10.3.0",
"pino": "^10.3.1",
"ws": "^8.19.0",
"zod": "^4.3.6"
},
"devDependencies": {
"@biomejs/biome": "2.3.13",
"@biomejs/biome": "2.3.14",
Comment on lines 13 to +24

Copilot AI Feb 11, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This package uses a Yarn Berry lockfile format, but package.json doesn't declare a packageManager to tell Corepack which Yarn major to use. Adding packageManager (consistent with the repo's Yarn 3.4.1) would prevent yarn resolving to an incompatible Yarn 1.x in CI/Docker and makes installs deterministic.

Copilot uses AI. Check for mistakes.
"@types/jsonwebtoken": "^9.0.10",
"@types/node": "^22.10.2",
"@types/ws": "^8.18.1",
Expand Down
Loading
Loading