From ff3b6b16ec1191d443b2311b525f5f6ce2f495b6 Mon Sep 17 00:00:00 2001
From: Asher Foa
Date: Fri, 13 Jun 2025 11:37:06 -0400
Subject: [PATCH] Replace insecure Node.js installation with package verification (#2623)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 Dockerfile | 19 ++++++++++++-------
 nodesource-repo.gpg.key | 29 +++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 7 deletions(-)
 create mode 100644 nodesource-repo.gpg.key

diff --git a/Dockerfile b/Dockerfile
index eea92789..c192f762 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,17 +15,22 @@ RUN pip install --upgrade pip setuptools wheel
 RUN pip install --no-cache-dir --upgrade -r requirements.txt
 RUN playwright install-deps
 RUN playwright install
-RUN apt-get install -y xauth x11-apps netpbm curl && apt-get clean
+RUN apt-get install -y xauth x11-apps netpbm gpg ca-certificates && apt-get clean
 COPY .nvmrc /app/.nvmrc
-# Install Node.js based on .nvmrc version (without nvm)
-RUN NODE_MAJOR=$(cut -d. -f1 < /app/.nvmrc) && \
-    curl --fail --silent --show-error --location https://deb.nodesource.com/setup_${NODE_MAJOR}.x | bash - && \
+COPY nodesource-repo.gpg.key /tmp/nodesource-repo.gpg.key
+RUN cat /tmp/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
+    NODE_MAJOR=$(cut -d. -f1 < /app/.nvmrc) && \
+    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" >> /etc/apt/sources.list.d/nodesource.list && \
+    apt-get update && \
     apt-get install -y nodejs && \
-    apt-get clean
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    rm /tmp/nodesource-repo.gpg.key && \
+    # confirm installation
+    npm -v && node -v
+
 
-# confirm installation
-RUN npm -v && node -v
 
 # install bitwarden cli
 RUN npm install -g @bitwarden/cli@2024.9.0
 # checking bw version also initializes the bw config
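Review bot: The `gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg` step in the new RUN assumes `/etc/apt/keyrings` already exists; the base image is outside this hunk, and on Debian/Ubuntu releases that do not ship that directory gpg cannot open the output file and the build fails. Prepend `mkdir -p /etc/apt/keyrings && \` and replace the `cat … |` pipe with `gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg /tmp/nodesource-repo.gpg.key`, since under the default `/bin/sh -c` the pipeline's exit status is gpg's alone and a failed `cat` goes unreported (the preceding COPY makes that unlikely, but the direct form is what hadolint DL4006/SC2002 expect). The committed key is trusted only because it lives in the repository; verifying its fingerprint in the same RUN, e.g. `gpg --show-keys --with-fingerprint /tmp/nodesource-repo.gpg.key | grep -q '<fingerprint published by NodeSource>'`, makes any future change to the key file fail the build instead of silently re-rooting trust for the `signed-by` repository. `nodejs` itself is still installed unpinned, so the major from `.nvmrc` is the only version constraint; `apt-get install -y nodejs=<version>` would make the image reproducible (DL3008).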
diff --git a/nodesource-repo.gpg.key b/nodesource-repo.gpg.key new file mode 100644 index 00000000..b7637b89 --- /dev/null +++ b/nodesource-repo.gpg.key @@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBFdDN1ABCADaNd/I3j3tn40deQNgz7hB2NvT+syXe6k4ZmdiEcOfBvFrkS8B +hNS67t93etHsxEy7E0qwsZH32bKazMqe9zDwoa3aVImryjh6SHC9lMtW27JPHFeM +Srkt9YmH1WMwWcRO6eSY9B3PpazquhnvbammLuUojXRIxkDroy6Fw4UKmUNSRr32 +9Ej87jRoR1B2/57Kfp2Y4+vFGGzSvh3AFQpBHq51qsNHALU6+8PjLfIt+5TPvaWR +TB+kAZnQZkaIQM2nr1n3oj6ak2RATY/+kjLizgFWzgEfbCrbsyq68UoY5FPBnu4Z +E3iDZpaIqwKr0seUC7iA1xM5eHi5kty1oB7HABEBAAG0Ik5Tb2xpZCA8bnNvbGlk +LWdwZ0Bub2Rlc291cmNlLmNvbT6JATgEEwECACIFAldDN1ACGwMGCwkIBwMCBhUI +AgkKCwQWAgMBAh4BAheAAAoJEC9ZtfmbG+C0y7wH/i4xnab36dtrYW7RZwL8i6Sc +NjMx4j9+U1kr/F6YtqWd+JwCbBdar5zRghxPcYEq/qf7MbgAYcs1eSOuTOb7n7+o +xUwdH2iCtHhKh3Jr2mRw1ks7BbFZPB5KmkxHaEBfLT4d+I91ZuUdPXJ+0SXs9gzk +Dbz65Uhoz3W03aiF8HeL5JNARZFMbHHNVL05U1sTGTCOtu+1c/33f3TulQ/XZ3Y4 +hwGCpLe0Tv7g7Lp3iLMZMWYPEa0a7S4u8he5IEJQLd8bE8jltcQvrdr3Fm8kI2Jg +BJmUmX4PSfhuTCFaR/yeCt3UoW883bs9LfbTzIx9DJGpRIu8Y0IL3b4sj/GoZVq5 +AQ0EV0M3UAEIAKrTaC62ayzqOIPa7nS90BHHck4Z33a2tZF/uof38xNOiyWGhT8u +JeFoTTHn5SQq5Ftyu4K3K2fbbpuu/APQF05AaljzVkDGNMW4pSkgOasdysj831cu +ssrHX2RYS22wg80k6C/Hwmh5F45faEuNxsV+bPx7oPUrt5n6GMx84vEP3i1+FDBi +0pt/B/QnDFBXki1BGvJ35f5NwDefK8VaInxXP3ZN/WIbtn5dqxppkV/YkO7GiJlp +Jlju9rf3kKUIQzKQWxFsbCAPIHoWv7rH9RSxgDithXtG6Yg5R1aeBbJaPNXL9wpJ +YBJbiMjkAFaz4B95FOqZm3r7oHugiCGsHX0AEQEAAYkBHwQYAQIACQUCV0M3UAIb +DAAKCRAvWbX5mxvgtE/OB/0VN88DR3Y3fuqy7lq/dthkn7Dqm9YXdorZl3L152eE +IF882aG8FE3qZdaLGjQO4oShAyNWmRfSGuoH0XERXAI9n0r8m4mDMxE6rtP7tHet +y/5M8x3CTyuMgx5GLDaEUvBusnTD+/v/fBMwRK/cZ9du5PSG4R50rtst+oYyC2ao +x4I2SgjtF/cY7bECsZDplzatN3gv34PkcdIg8SLHAVlL4N5tzumDeizRspcSyoy2 +K2+hwKU4C4+dekLLTg8rjnRROvplV2KtaEk6rxKtIRFDCoQng8wfJuIMrDNKvqZw +FRGt7cbvW5MCnuH8MhItOl9Uxp1wHp6gtav/h8Gp6MBa +=MARt +-----END PGP PUBLIC KEY BLOCK-----