fix(docker): patch picomatch 4.0.3 → 4.0.4 (CVE-2026-33671)
npm@11.12.1 still bundles picomatch@4.0.3. Add a find-loop after the npm upgrade to patch every occurrence in node_modules in place. Also restore and clean up the MCP server install and CVE patch blocks that were accidentally commented out. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
docker-claude
parent
a79aad9fc8
commit
12d75b0dc2
1 changed files with 32 additions and 23 deletions
|
|
@ -4,6 +4,16 @@ FROM node:24-alpine
|
|||
# CVEs: CVE-2024-21538, CVE-2025-64756, CVE-2026-26996/27903/27904, CVE-2026-23745/23950/24842/26960/29786/31802
|
||||
RUN npm install -g npm@11.12.1
|
||||
|
||||
# Fix CVE-2026-33671: upgrade picomatch 4.0.3 → 4.0.4 in every location it appears
|
||||
RUN find /usr/local/lib/node_modules -name "picomatch" -type d | while read dir; do \
|
||||
ver=$(node -p "require('$dir/package.json').version" 2>/dev/null); \
|
||||
[ "$ver" = "4.0.3" ] || continue; \
|
||||
echo "Patching picomatch in $dir"; \
|
||||
prefix=$(dirname "$(dirname "$dir")"); \
|
||||
npm install --prefix "$prefix" picomatch@4.0.4 \
|
||||
--no-save --no-audit --no-fund 2>/dev/null || true; \
|
||||
done
|
||||
|
||||
# Install runtime dependencies
|
||||
RUN apk add --no-cache \
|
||||
git \
|
||||
|
|
@ -29,30 +39,29 @@ COPY settings.json /etc/claude-code/managed-settings.json
|
|||
# Install Claude Code stable release
|
||||
RUN curl -fsSL https://claude.ai/install.sh | bash -s stable
|
||||
|
||||
|
||||
# Install MCP servers globally — entry points land in /usr/local/lib/node_modules/
|
||||
# RUN npm install -g \
|
||||
# @modelcontextprotocol/server-github \
|
||||
# @yoda.digital/gitlab-mcp-server \
|
||||
# @aashari/mcp-server-atlassian-jira \
|
||||
# @aashari/mcp-server-atlassian-confluence
|
||||
#
|
||||
# # Patch transitive CVEs bundled inside MCP server node_modules:
|
||||
# # CVE-2025-66414, CVE-2026-0621 — @modelcontextprotocol/sdk <1.25.2
|
||||
# # CVE-2026-33671 — picomatch <4.0.4
|
||||
# RUN for pkg_dir in \
|
||||
# /usr/local/lib/node_modules/@modelcontextprotocol/server-github \
|
||||
# /usr/local/lib/node_modules/@yoda.digital/gitlab-mcp-server \
|
||||
# /usr/local/lib/node_modules/@aashari/mcp-server-atlassian-jira \
|
||||
# /usr/local/lib/node_modules/@aashari/mcp-server-atlassian-confluence; do \
|
||||
# [ -d "$pkg_dir" ] && \
|
||||
# cd "$pkg_dir" && \
|
||||
# npm install --no-audit --no-fund \
|
||||
# @modelcontextprotocol/sdk@1.25.2 \
|
||||
# picomatch@4.0.4 \
|
||||
# || true; \
|
||||
# done
|
||||
#
|
||||
RUN npm install -g \
|
||||
@modelcontextprotocol/server-github \
|
||||
@yoda.digital/gitlab-mcp-server \
|
||||
@aashari/mcp-server-atlassian-jira \
|
||||
@aashari/mcp-server-atlassian-confluence
|
||||
|
||||
# Patch transitive CVEs bundled inside MCP server node_modules:
|
||||
# CVE-2025-66414, CVE-2026-0621 — @modelcontextprotocol/sdk <1.25.2
|
||||
# CVE-2026-33671 — picomatch <4.0.4 (also covers npm bundled copy above)
|
||||
RUN for pkg_dir in \
|
||||
/usr/local/lib/node_modules/@modelcontextprotocol/server-github \
|
||||
/usr/local/lib/node_modules/@yoda.digital/gitlab-mcp-server \
|
||||
/usr/local/lib/node_modules/@aashari/mcp-server-atlassian-jira \
|
||||
/usr/local/lib/node_modules/@aashari/mcp-server-atlassian-confluence; do \
|
||||
[ -d "$pkg_dir" ] && \
|
||||
cd "$pkg_dir" && \
|
||||
npm install --no-audit --no-fund \
|
||||
@modelcontextprotocol/sdk@1.25.2 \
|
||||
picomatch@4.0.4 \
|
||||
|| true; \
|
||||
done
|
||||
|
||||
# Workspace and Claude config dir — owned by the built-in node user (uid 1000).
|
||||
# Pre-creating ~/.claude ensures the named volume is initialised with the
|
||||
# correct ownership when first mounted (Docker copies image content into
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue