From 9ffe5d17529b0f04f3c0f6f9a49d57c8c57bad9a Mon Sep 17 00:00:00 2001 From: Brendan Kellam Date: Tue, 14 Apr 2026 19:01:46 -0700 Subject: [PATCH] chore: remove unused npm and clean up ctags build artifacts in Docker image The Node.js base image bundles npm with transitive dependencies (minimatch, tar, picomatch) that Trivy flags as vulnerable. Since we use Yarn exclusively, npm is never invoked at runtime. Removing it eliminates these false positives and reduces image size. Also clean up the ctags source tree left in /tmp after the install script runs (~109MB of build artifacts). Co-Authored-By: Claude Opus 4.6 (1M context) --- Dockerfile | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 0e68b3889..37002b0ac 100644 --- a/Dockerfile +++ b/Dockerfile @@ -183,6 +183,16 @@ ENV SOURCEBOT_LOG_LEVEL=info RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq redis postgresql16 postgresql16-contrib openssl util-linux unzip && \ apk upgrade --no-cache +# Remove npm (unused — we use Yarn). The Node.js base image bundles npm +# with its own transitive dependencies (minimatch, tar, picomatch, etc.) +# that Trivy flags as vulnerable. Since npm is never invoked at runtime, +# removing it eliminates these false positives and reduces image size. +RUN rm -rf /usr/local/lib/node_modules/npm && \ + rm -rf /usr/local/bin/npm && \ + rm -rf /usr/local/bin/npx && \ + rm -rf /root/.npm && \ + rm -rf /root/.node-gyp + ARG UID=1500 ARG GID=1500 @@ -202,7 +212,9 @@ COPY .yarn ./.yarn # Configure zoekt COPY vendor/zoekt/install-ctags-alpine.sh . -RUN ./install-ctags-alpine.sh && rm install-ctags-alpine.sh +RUN ./install-ctags-alpine.sh && rm install-ctags-alpine.sh && \ + # Clean up ctags build artifacts + rm -rf /tmp/* RUN mkdir -p ${DATA_CACHE_DIR} COPY --from=zoekt-builder \ /cmd/zoekt-git-index \