MCP-449 Clean up dependencies from the Docker image #373

Merged
nquinquenel merged 4 commits into master from task/nq/cleanup-dependencies-for-cve
Apr 28, 2026

@nquinquenel
Member

No description provided.

@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot changed the title Clean up dependencies from the Docker image MCP-449 Clean up dependencies from the Docker image Apr 28, 2026

hashicorp-vault-sonar-prod Bot commented Apr 28, 2026

MCP-449

@nquinquenel nquinquenel marked this pull request as ready for review April 28, 2026 11:13

sonar-review-alpha Bot commented Apr 28, 2026

Summary

This PR removes unused build dependencies from the production Docker image and test containers to reduce attack surface and image size. Specifically:

  • Removed git from the Dockerfile and test container setup (previously noted as required by proxied servers, but no longer needed)
  • Removed npm (bundled with nodejs, making it redundant; the image only needs the nodejs runtime)
  • Kept nodejs as a required runtime dependency

All references in documentation and test setup are updated consistently to reflect this cleanup.

What reviewers should know

Where to focus:

  • Start with the Dockerfile changes—these are the core of the PR
  • Check test files to confirm the package removals don't break test infrastructure
  • Verify the README documentation now accurately describes remaining dependencies

Key considerations for reviewers:

  • Confirm that git and npm are genuinely unused (search code for any invocations if uncertain)
  • The branch name suggests this relates to a CVE—verify that removing these packages addresses the security concern without breaking functionality
  • Image size/layer changes are a side benefit but not the primary goal here

sonar-review-alpha[bot]

This comment was marked as resolved.

@sonar-review-alpha sonar-review-alpha Bot left a comment

LGTM! ✅

@nquinquenel nquinquenel merged commit b84c2d3 into master Apr 28, 2026
14 checks passed
@nquinquenel nquinquenel deleted the task/nq/cleanup-dependencies-for-cve branch April 28, 2026 13:19