I have the following Dockerfile for my Next.js application:
<code>FROM node:alpine AS base
# 2) Install dependencies only when needed.
FROM base AS deps
# 3) Install packages with no cache
RUN apk add --no-cache libc6-compat
# 4) Install dependencies based on the preferred package manager
WORKDIR /app
COPY package.json ./
RUN npm update && npm install
# 5) Rebuild the source code only when needed
FROM base AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
# 6) Build the code
RUN npm run build
# 7) Production image, copy all the files and run next
FROM base AS runner
WORKDIR /app
ENV NODE_ENV production
RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs
COPY --from=builder /app/public ./public
# 8) Set the correct permission for prerender cache.
RUN mkdir .next
RUN chown nextjs:nodejs .next
# 9) Reduce the Image size
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
# 10) Expose the port
USER nextjs
EXPOSE 3000
ENV PORT 3000
# 11) server.js is created by next build from the standalone output
CMD ["node", "server.js"]
</code>
Snyk gives me the following vulnerability:
- busybox/busybox Use After Free
- Medium vulnerability
- https://security.snyk.io/vuln/SNYK-ALPINE320-BUSYBOX-7233533
The fix is to “Upgrade Alpine:3.20 busybox to version 1.36.1-r29 or higher.”, but I am using the latest node:alpine, without specifying a version in my Dockerfile?
How can I fix this vulnerability?
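An added example, not part of the original post: a shell gate that compares an installed busybox package string against the fixed version quoted from the advisory above, so a build can fail when the base image still ships an older revision. The function names and the sample package strings are constructed for illustration, and the comparison assumes purely numeric versions of the form `X.Y.Z-rN`.

```shell
#!/bin/sh
# Minimum fixed version, as quoted from the Snyk advisory in the post.
MIN_FIXED="1.36.1-r29"

# version_ge A B: succeed when version A >= version B.
# Assumption: versions look like X.Y.Z-rN with numeric fields only
# (no _rc/_p suffixes). Fields are compared numerically, so r3 < r29.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/-r/./')
    b=$(printf '%s' "$2" | sed 's/-r/./')
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}
        fb=${b%%.*}
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
        # Drop the field just compared; stop when no dot is left.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# busybox_patched PKG: PKG is a name-version string such as
# "busybox-1.36.1-r28"; succeed when it meets MIN_FIXED.
busybox_patched() {
    ver=${1#busybox-}
    version_ge "$ver" "$MIN_FIXED"
}

# Constructed sample strings; in a real image the string would be read
# from the package manager inside the container.
for pkg in busybox-1.36.1-r28 busybox-1.36.1-r29 busybox-1.37.0-r3; do
    if busybox_patched "$pkg"; then
        echo "$pkg: at or above $MIN_FIXED"
    else
        echo "$pkg: below $MIN_FIXED, upgrade needed"
    fi
done
```

Because `node:alpine` is a floating tag, the busybox revision inside it depends on when the image was built and pulled, which is why the check looks at the installed package rather than the tag name.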