build: limit esbuild, glob, docker base version to avoid cve (#30848)

2026-01-12 15:33:20 +08:00 · 2026-01-12 15:33:20 +08:00 · 00698e41b7
parent df938a4543
commit 00698e41b7
3 changed files with 187 additions and 445 deletions
--- a/web/Dockerfile
+++ b/web/Dockerfile
@ -1,5 +1,5 @@
 # base image
-FROM node:22-alpine3.21 AS base
+FROM node:22.21.1-alpine3.23 AS base
 LABEL maintainer="takatost@gmail.com"

 # if you located in China, you can use aliyun mirror to speed up
--- a/web/package.json
+++ b/web/package.json
@ -236,7 +236,8 @@
      "brace-expansion@<2.0.2": "2.0.2",
      "devalue@<5.3.2": "5.3.2",
      "es-iterator-helpers": "npm:@nolyfill/es-iterator-helpers@^1",
-      "esbuild@<0.25.0": "0.25.0",
+      "esbuild@<0.27.2": "0.27.2",
+      "glob@>=10.2.0,<10.5.0": "11.1.0",
      "hasown": "npm:@nolyfill/hasown@^1",
      "is-arguments": "npm:@nolyfill/is-arguments@^1",
      "is-core-module": "npm:@nolyfill/is-core-module@^1",
@ -278,7 +279,6 @@
    "@types/react-dom": "~19.2.3",
    "brace-expansion": "~2.0",
    "canvas": "^3.2.0",
-    "esbuild": "~0.25.0",
    "pbkdf2": "~3.1.3",
    "prismjs": "~1.30",
    "string-width": "~4.2.3"
--- a/web/pnpm-lock.yaml
+++ b/web/pnpm-lock.yaml