From 6e6fd76459072011d98cae24ef427898ae61c3a2 Mon Sep 17 00:00:00 2001
From: Oleks
Date: Tue, 2 Jun 2026 04:59:20 +0300
Subject: [PATCH] chore(docker): satisfy hadolint on the hardened Dockerfile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- DL3008: explicit `hadolint ignore` on the two apt-get installs — bookworm-slim tracks current security-patched versions; pinning is brittle (reference image is also unpinned).
- DL3059: fold `npm run build` + `npm prune --omit=dev` into one RUN layer.
---
Dockerfile | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 98072cb..65f70e3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,6 +2,8 @@ FROM node:22-bookworm-slim AS deps
 WORKDIR /app
+# bookworm-slim: track the distro's current security-patched versions, don't pin.
+# hadolint ignore=DL3008
 RUN apt-get update \
 && apt-get install -y --no-install-recommends python3 make g++ ca-certificates \
 && rm -rf /var/lib/apt/lists/*
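Review bot: The new DL3008 waiver argues that the apt layer deliberately floats so it picks up current security patches, but the stage's base image `node:22-bookworm-slim` (the header context line, outside the hunk) is itself a floating tag, so an image rebuilt tomorrow can differ for reasons unrelated to distro patches and nothing in the build is reproducible. If the intended policy is "only the apt layer floats", pin the base by digest, e.g. `FROM node:22-bookworm-slim@sha256:<DIGEST-PLACEHOLDER> AS deps`, and have an automated bumper refresh the digest; the waiver comment then states what is actually true. The same waiver sits on the runtime-stage install in the second hunk, which uses the same unpinned base and would need the same treatment. It is also worth saying in the comment that the "current versions" claim only holds because `apt-get update` stays in the same RUN as the install, so nobody later splits them to shave a layer.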
@@ -14,21 +16,24 @@ FROM deps AS build
 WORKDIR /app
 COPY app/ ./
 RUN rm -f data.db data.db-shm data.db-wal && rm -rf uploads
-RUN npm run build
 # `astro` is a runtime dependency (required by the @astrojs/node standalone
-# SSR server), so this prune only drops the two devDependencies
+# SSR server), so the prune only drops the two devDependencies
 # (@astrojs/check, @types/node). Astro's transitive build tooling
 # (vite, esbuild, @astrojs/compiler, rollup plugins) stays in node_modules
 # because Astro itself declares them as runtime deps. Slimming those out
 # would require verifying the dist/server bundle never imports `astro/*` at
 # boot; not attempted here. Image-size tradeoff is accepted for now.
-RUN npm prune --omit=dev
+# (build + prune in one layer; separate RUNs would trip hadolint DL3059.)
+RUN npm run build \
+ && npm prune --omit=dev

 FROM node:22-bookworm-slim AS runtime
 WORKDIR /app
 ENV NODE_ENV=production \
 HOST=0.0.0.0 \
 PORT=4321
+# bookworm-slim: track the distro's current security-patched versions, don't pin.
+# hadolint ignore=DL3008
 RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates tini \
 && rm -rf /var/lib/apt/lists/* \
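Review bot: The folded `RUN npm run build \ && npm prune --omit=dev` still directly follows `RUN rm -f data.db data.db-shm data.db-wal && rm -rf uploads`, so if DL3059 fired on the old build/prune pair (the comment block between them evidently did not suppress it) it most likely still fires on this pair; run hadolint on the result rather than trusting the commit title. Folding the cleanup into the same layer would settle it: `RUN rm -f data.db data.db-shm data.db-wal && rm -rf uploads \`, `    && npm run build \`, `    && npm prune --omit=dev`. Independently of lint, that `rm` only removes the database and uploads from a later layer of the build stage; whatever `COPY app/ ./` brought in remains in the COPY layer and in the build cache, so the dependable fix is to keep `data.db*` and `uploads/` out of the build context with `.dockerignore`. The runtime-stage `RUN apt-get update` at the end of the hunk closes with a continuation backslash, so that instruction continues past the hunk.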