Change Dockerfile to Chainguard Wolfi-Base to Reduce Vulnerabilities#5

Open

zackchadwick wants to merge 2 commits into ndom91:main from zackchadwick:chainguard-dockerfile

Conversation


zackchadwick commented Apr 5, 2024

Description

This is a change to the Dockerfile that moves away from the Node-provided image to wolfi-base by Chainguard.

I built the images locally and was able to run them with a local postgres and minio with no issues accessing the app. Everything appeared to be working. My only concern is around Playwright: the Playwright install with dependencies failed because it falls back to Ubuntu for deps. I did install the Playwright package that's available for the Wolfi image, so dependencies should be taken care of, but you may want to test this specifically. I'm not sure if there's anything I could test in the browser locally to see if it's performing as expected.

Linked Issues

Additional context

For reference, here are the vulnerability counts from Grype:

| Image | Total | Unknown | Critical | High | Medium | Low | Negligible |
|---|---|---|---|---|---|---|---|
| Web w/ Node | 105 | 25 | 1 | 4 | 22 | 3 | 50 |
| Web w/ Wolfi | 12 | 10 | 0 | 1 | 1 | 0 | 0 |
| Backend w/ Node | 187 | 31 | 1 | 14 | 40 | 7 | 94 |
| Backend w/ Wolfi | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
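To reproduce this kind of before/after tally and catch a severity bucket that got worse between two images, here is an added helper (not part of this PR or the project) that summarises Grype JSON reports; it assumes Grype's `-o json` layout with a top-level `matches` list whose entries carry `vulnerability.severity`, and the sample reports below are constructed, not real scan output.

```python
"""Summarise and compare Grype JSON reports (`grype <image> -o json`) by severity."""
import json
from collections import Counter

# Severity buckets as Grype labels them; anything else is folded into "Unknown".
SEVERITIES = ("Critical", "High", "Medium", "Low", "Negligible", "Unknown")


def load_report(path: str) -> dict:
    """Read a Grype JSON report from disk (assumed top-level `matches` list)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def severity_counts(report: dict) -> Counter:
    """Count matches per severity bucket, starting every bucket at zero."""
    counts = Counter({s: 0 for s in SEVERITIES})
    for match in report.get("matches", []):
        sev = match.get("vulnerability", {}).get("severity") or "Unknown"
        counts[sev if sev in SEVERITIES else "Unknown"] += 1
    return counts


def summarise(report: dict) -> dict:
    """Produce the same shape as the PR table: total, unknown, then the five named buckets."""
    c = severity_counts(report)
    return {"total": sum(c.values()), "unknown": c["Unknown"],
            **{s.lower(): c[s] for s in SEVERITIES[:-1]}}


def compare(before: dict, after: dict) -> dict:
    """Per-severity delta (after minus before); negative means fewer findings."""
    b, a = severity_counts(before), severity_counts(after)
    return {s: a[s] - b[s] for s in SEVERITIES}


def regressions(before: dict, after: dict) -> list:
    """Severity buckets where the new image has MORE findings than the old one."""
    return [s for s, d in compare(before, after).items() if d > 0]


def _report(*sevs):
    """Constructed sample report: only the fields the functions above read are populated."""
    return {"matches": [{"vulnerability": {"id": f"VULN-SAMPLE-{i}", "severity": s}}
                        for i, s in enumerate(sevs)]}


# Constructed samples standing in for a Node-based and a Wolfi-based image scan.
NODE_IMAGE = _report("Critical", "High", "High", "Medium", "Low", "Negligible", "Unknown", "")
WOLFI_IMAGE = _report("High", "Unknown", "Unknown")

if __name__ == "__main__":
    for name, rep in (("node", NODE_IMAGE), ("wolfi", WOLFI_IMAGE)):
        print(name, summarise(rep))
    print("delta", compare(NODE_IMAGE, WOLFI_IMAGE))
    print("regressions", regressions(NODE_IMAGE, WOLFI_IMAGE))
```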

ndom91 (Owner) commented Apr 14, 2024

@zackchadwick thanks for the contribution!

So first of all, I'm having trouble getting it to build. It's failing on the last step of the BUILDER CONTAINER section, i.e. the pnpm run build and deploy step.

The web part specifically fails to run the build npm script out of that package.json (pnpm clean && vite build && pnpm copy:partytown) because it looks like it can't find vite 🤔


Anyway, I'll keep debugging that a bit. Changing the build script to ... pnpm dlx vite build && .. also doesn't help, which doesn't make sense. That should download and execute vite if it can't find it in the worst case.

To your question about testing Playwright support. Basically when you add a bookmark, it'll add a job to the backend queue to trigger Playwright to visit the URL and take a screenshot of the page. So after you've added a bookmark, if the image is a screenshot of your URL then we should be good.

Also, since it's in a queue, it initially uses whatever image it can find of the page (og:image, etc.) and then uses the screenshot (if it gets taken successfully). So, long story short, you may need to reload the page or navigate away and back to the /bookmarks route to have it load the newly captured and saved bookmark screenshot 🙏

zackchadwick (Author) commented

That's interesting. I can confirm I'm seeing the same thing after pulling the latest from main. I'll see if I can figure out why.

ndom91 (Owner) commented Apr 16, 2024

@zackchadwick Awesome, thanks

Just wanted to mention, maybe it's an issue with the pnpm workspace (monorepo) setup?

vite is installed as a dev dependency in the root package.json, which the pnpm install cmd on line 38 of the Dockerfile should install, but maybe there's an issue 🤔

ndom91 (Owner) commented Apr 16, 2024

Also just wanted to share this Dockerfile explorer I've recently come across; it's super helpful for viewing layer details and what's going on in each one:

https://depot.dev/dockerfile-explorer
