playground/docker-claude
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(dockerfile): bump MCP SDK 1.26.0, patch brace-expansion 5.0.5 (GHSA-345p-7cg4-v4c7, GHSA-f886-m6hf-6m8v)
Some checks failed
Build images / check-docker (push) Successful in 1s
Details
Build images / scan (push) Failing after 2m29s
Details
Build images / build-and-push (push) Has been skipped
Details

Browse source 
Add comprehensive picomatch sweep for nested node_modules; use direct
tarball-copy strategy to patch brace-expansion inside npm's own bundled
node_modules where npm-install --prefix cannot reach.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
docker-claude 2026-04-20 23:23:27 +02:00
parent 71494a59b3
commit e8d134f5a9
1 changed files with 23 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

24
claude/Dockerfile
View file

@ -48,7 +48,9 @@ RUN npm install -g \
# Patch transitive CVEs bundled inside MCP server node_modules:
# CVE-2025-66414, CVE-2026-0621 — @modelcontextprotocol/sdk <1.25.2
# GHSA-345p-7cg4-v4c7 — @modelcontextprotocol/sdk <1.26.0
# CVE-2026-33671 — picomatch <4.0.4 (also covers npm bundled copy above)
# GHSA-f886-m6hf-6m8v — brace-expansion <5.0.5
RUN for pkg_dir in \
/usr/local/lib/node_modules/@modelcontextprotocol/server-github \
/usr/local/lib/node_modules/@yoda.digital/gitlab-mcp-server \
@ -57,10 +59,28 @@ RUN for pkg_dir in \
[ -d "$pkg_dir" ] && \
cd "$pkg_dir" && \
npm install --no-audit --no-fund \
@modelcontextprotocol/sdk@1.25.2 \
@modelcontextprotocol/sdk@1.26.0 \
picomatch@4.0.4 \
brace-expansion@5.0.5 \
|| true; \
done
done \
&& find /usr/local/lib/node_modules -name "picomatch" -type d | while read dir; do \
ver=$(node -p "require('$dir/package.json').version" 2>/dev/null); \
[ "$ver" = "4.0.3" ] || continue; \
prefix=$(dirname "$(dirname "$dir")"); \
npm install --prefix "$prefix" picomatch@4.0.4 \
--no-save --no-audit --no-fund 2>/dev/null || true; \
done \
&& cd /tmp \
&& npm pack brace-expansion@5.0.5 --no-audit 2>/dev/null \
&& tar xzf brace-expansion-5.0.5.tgz \
&& find /usr/local/lib/node_modules -name "package.json" -path "*/brace-expansion/package.json" \
| xargs grep -l '"version": "5.0.4"' 2>/dev/null \
| while read pj; do \
echo "Patching brace-expansion at $(dirname "$pj")"; \
cp -r /tmp/package/. "$(dirname "$pj")/"; \
done \
&& rm -rf /tmp/brace-expansion-5.0.5.tgz /tmp/package
# Remove any npm auth credentials written during install.
# npm automatically picks up GITHUB_TOKEN and NPM_TOKEN from the build environment