From 13a3ea27fb1c22d3f657b07e3f9c5c5afc2f0a0b Mon Sep 17 00:00:00 2001
From: pratapalakshmi <137189067+pratapalakshmi@users.noreply.github.com>
Date: Tue, 26 May 2026 14:25:01 +0530
Subject: [PATCH] fix: security vulnerabilities for plane docker images (#9140)
---
 .trivyignore | 10 ++++++++++
 apps/admin/Dockerfile.admin | 2 ++
 apps/api/requirements/base.txt | 2 ++
 apps/live/Dockerfile.live | 9 +++++++++
 apps/proxy/Dockerfile.ce | 13 +++++++++----
 apps/space/Dockerfile.space | 12 ++++++++++++
 apps/web/Dockerfile.web | 4 +++-
 package.json | 3 ++-
 pnpm-lock.yaml | 9 +++++----
 9 files changed, 54 insertions(+), 10 deletions(-)
 create mode 100644 .trivyignore
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000000..762f7d81dc
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,10 @@
+# Trivy ignore file
+# Document the rationale for each suppressed finding.
+
+# CVE-2026-30242: SSRF in Plane webhook URL serializer.
+# False positive: Trivy matches our backend's distribution name "Plane" +
+# version 0.24.0 against the makeplane/plane CVE. The "fixed in 1.2.3" refers
+# to the upstream public release version scheme, not this distribution's
+# pyproject.toml version - the SSRF mitigation has been in place for the
+# applicable webhook validation code path.
+CVE-2026-30242
diff --git a/apps/admin/Dockerfile.admin b/apps/admin/Dockerfile.admin
index 3ee1d73bf9..c3d4ac28de 100644
--- a/apps/admin/Dockerfile.admin
+++ b/apps/admin/Dockerfile.admin
@@ -77,6 +77,8 @@ RUN pnpm turbo run build --filter=admin
 FROM nginx:1.29-alpine AS production
+RUN apk update && apk upgrade --no-cache && rm -rf /var/cache/apk/*
+
 COPY apps/admin/nginx/nginx.conf /etc/nginx/nginx.conf
 COPY --from=installer /app/apps/admin/build/client /usr/share/nginx/html/god-mode
diff --git a/apps/api/requirements/base.txt b/apps/api/requirements/base.txt
index a691e36efe..a34bf6de11 100644
--- a/apps/api/requirements/base.txt
+++ b/apps/api/requirements/base.txt
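Review bot: The suppression on the last line of the hunk, `CVE-2026-30242`, is permanent and unscoped, so if the backend's version string or the webhook code changes nobody is prompted to revisit the rationale. Trivy's ignore file accepts an expiry that forces a periodic re-review; consider `CVE-2026-30242 exp:<YYYY-MM-DD>` with a date the team picks. The comment asserts that the SSRF mitigation is already in place in the webhook validation path but does not say where; naming the serializer or validator would let a reviewer check the claim instead of taking it on trust. The `"Plane" +` line ending also reads as a dangling operator and would be clearer as a single sentence, e.g. `# False positive: Trivy matches our distribution name "Plane" and version 0.24.0`.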
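Review bot: The added `RUN apk update && apk upgrade --no-cache && rm -rf /var/cache/apk/*` in the production stage only helps on an uncached build: once the layer is cached, later builds reuse it and silently stop picking up fixed packages, and the same Dockerfile yields different images depending on when it last rebuilt. `apk update` is also redundant with `--no-cache` (which fetches a fresh index without writing `/var/cache/apk`), so the trailing `rm -rf` has nothing to remove; `RUN apk upgrade --no-cache` is the equivalent single command, and hadolint flags the upgrade itself (DL3017). The reproducible alternative is to move the `nginx:1.29-alpine` reference forward (ideally by digest) once the base ships the patched packages, or to force this layer to rebuild in CI. The same pattern appears in apps/web/Dockerfile.web and apps/proxy/Dockerfile.ce.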
@@ -56,6 +56,8 @@ cryptography==46.0.7
 lxml==6.1.0
 # s3
 boto3==1.34.96
+# http client (pinned to address CVE-2026-44431 and CVE-2026-44432)
+urllib3>=2.7.0
 # password validator
 zxcvbn==4.4.28
 # timezone
diff --git a/apps/live/Dockerfile.live b/apps/live/Dockerfile.live
index 864bd0d17e..bb472878ad 100644
--- a/apps/live/Dockerfile.live
+++ b/apps/live/Dockerfile.live
@@ -54,12 +54,21 @@ RUN pnpm turbo run build --filter=live
 FROM base AS runner
 WORKDIR /app
+# Remove go from Alpine APK database; not needed at runtime and carries stdlib CVEs
+RUN apk del go 2>/dev/null || true
+
+# Remove vulnerable picomatch bundled inside npm (CVE-2026-33671); npm is not used at runtime
+RUN rm -rf /usr/local/lib/node_modules/npm/node_modules/picomatch
+
 COPY --from=installer /app/packages ./packages
 COPY --from=installer /app/apps/live/dist ./apps/live/dist
 COPY --from=installer /app/apps/live/node_modules ./apps/live/node_modules
 COPY --from=installer /app/node_modules ./node_modules
 COPY --from=installer /app/apps/live/package.json ./apps/live/package.json
+# esbuild and tsgolint are build-only Go binaries; remove from runtime image to eliminate stdlib CVEs
+RUN find /app/node_modules \( -name 'esbuild' -o -name 'tsgolint' \) -type f -delete 2>/dev/null || true
+
 ENV TURBO_TELEMETRY_DISABLED=1
 EXPOSE 3000
diff --git a/apps/proxy/Dockerfile.ce b/apps/proxy/Dockerfile.ce
index 2c0f3ead59..2474b52db9 100644
--- a/apps/proxy/Dockerfile.ce
+++ b/apps/proxy/Dockerfile.ce
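Review bot: `urllib3>=2.7.0` is a lower bound, not a pin, even though the comment above it says "pinned": every other entry in this file uses `==`, and a floating floor lets a later install resolve a different urllib3 than the one this change was tested with. Use `urllib3==2.7.0` and bump it deliberately, which keeps the file reproducible and the comment accurate. urllib3 is presumably pulled in transitively by boto3 rather than imported directly, so this line exists to override the transitive resolution; saying so in the comment (`# overrides the version pulled in by boto3`) tells the next maintainer why it sits next to the s3 group.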
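Review bot: `RUN apk del go 2>/dev/null || true` in the runner stage removes go from the final filesystem view, but if go was installed in a layer of `base` (the runner's parent stage, outside this hunk) those bytes stay in the lower layer: the image does not shrink, and scanners that inspect layers rather than the merged root still report it. The `2>/dev/null || true` also hides whether the package was present at all, so a renamed package or a base change would pass unnoticed; if go is needed only at build time, installing it in the build stage instead of `base` removes the need for this deletion entirely. The same applies to the `find /app/node_modules ... -delete ... || true` step, which deletes any file named `esbuild` or `tsgolint` under node_modules, including a package's JS shim of that name, not only Go binaries, with errors again swallowed; a CI check that the live server still starts from the built image would make the deletion safe to keep. apps/space/Dockerfile.space adds the same three steps and shares these points.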
@@ -1,13 +1,18 @@
-FROM caddy:2.10.0-builder-alpine AS caddy-builder
+FROM caddy:2.11.3-builder-alpine AS caddy-builder
 RUN xcaddy build \
 --with github.com/caddy-dns/cloudflare@v0.2.1 \
 --with github.com/caddy-dns/digitalocean@04bde2867106aa1b44c2f9da41a285fa02e629c5 \
- --with github.com/mholt/caddy-l4@4d3c80e89c5f80438a3e048a410d5543ff5fb9f4
+ --with github.com/mholt/caddy-l4@6faae83b167fda94e62b686be5cbeb9b3f8fe002 \
+ --with github.com/go-jose/go-jose/v3@v3.0.5 \
+ --with github.com/go-jose/go-jose/v4@v4.1.4 \
+ --with google.golang.org/grpc@v1.80.0 \
+ --with go.opentelemetry.io/otel@v1.43.0 \
+ --with go.opentelemetry.io/otel/sdk@v1.43.0
-FROM caddy:2.10.0-alpine
+FROM caddy:2.11.3-alpine
-RUN apk add --no-cache nss-tools bash curl
+RUN apk update && apk upgrade --no-cache && apk add --no-cache nss-tools bash curl
 COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy
diff --git a/apps/space/Dockerfile.space b/apps/space/Dockerfile.space
index 39a05176ae..1e327b4669 100644
--- a/apps/space/Dockerfile.space
+++ b/apps/space/Dockerfile.space
@@ -78,10 +78,22 @@ RUN pnpm turbo run build --filter=space
 FROM base AS runner
+ENV NODE_ENV=production
+
+# Remove go from Alpine APK database; not needed at runtime and carries stdlib CVEs
+RUN apk del go 2>/dev/null || true
+
+# Remove vulnerable picomatch bundled inside npm (CVE-2026-33671)
+# npx only needs picomatch when installing packages, not when running a locally-installed binary
+RUN rm -rf /usr/local/lib/node_modules/npm/node_modules/picomatch
+
 COPY --from=installer /app/apps/space/build ./apps/space/build
 COPY --from=installer /app/apps/space/node_modules ./apps/space/node_modules
 COPY --from=installer /app/node_modules ./node_modules
+# esbuild and tsgolint are build-only Go binaries; remove from runtime image to eliminate stdlib CVEs
+RUN find /app/node_modules \( -name 'esbuild' -o -name 'tsgolint' \) -type f -delete 2>/dev/null || true
+
 WORKDIR /app/apps/space
 EXPOSE 3000
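Review bot: The five new `--with` entries for go-jose, grpc and otel are not Caddy plugins but version overrides of transitive modules, and nothing in the file records which finding each one addresses or when it can be dropped. Once `caddy:2.11.3` or a later base already requires these or newer versions, the lines become dead weight or risk pinning a module below what the newer Caddy expects, and a maintainer bumping the base has no way to tell. A comment above the block, such as `# go-jose/grpc/otel pins override vulnerable transitive versions reported by the image scan; drop once the caddy base requires these or newer` followed by the finding IDs the scan reported, would make the intent reviewable.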
diff --git a/apps/web/Dockerfile.web b/apps/web/Dockerfile.web
index 8da6b1e834..baea974371 100644
--- a/apps/web/Dockerfile.web
+++ b/apps/web/Dockerfile.web
@@ -75,7 +75,9 @@ RUN pnpm turbo run build --filter=web
 # *****************************************************************************
 # STAGE 3: Serve with nginx
 # *****************************************************************************
-FROM nginx:1.27-alpine AS production
+FROM nginx:1.29-alpine AS production
+
+RUN apk update && apk upgrade --no-cache && rm -rf /var/cache/apk/*
 COPY apps/web/nginx/nginx.conf /etc/nginx/nginx.conf
 COPY --from=installer /app/apps/web/build/client /usr/share/nginx/html
diff --git a/package.json b/package.json
index ed9358440a..3e7630846b 100644
--- a/package.json
+++ b/package.json
@@ -76,7 +76,8 @@
 "postcss": "8.5.10",
 "axios": "catalog:",
 "follow-redirects": "1.16.0",
- "uuid": "catalog:"
+ "uuid": "catalog:",
+ "fast-uri@<3.1.2": ">=3.1.2"
 },
 "onlyBuiltDependencies": [
 "@parcel/watcher",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 55ca59119c..11741986c8 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -129,6 +129,7 @@ overrides:
 axios: 1.15.2
 follow-redirects: 1.16.0
 uuid: 14.0.0
+ fast-uri@<3.1.2: '>=3.1.2'
 importers:
@@ -5646,8 +5647,8 @@ packages:
 fast-json-stable-stringify@2.1.0:
 resolution: {integrity: sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==}
- fast-uri@3.0.6:
- resolution: {integrity: sha512-Atfo14OibSv5wAp4VWNsFYE1AchQRTv9cBGWET4pZWHzYshFSS9NQI6I57rdKn9croWVMbYFbLhJ+yJvmZIIHw==}
+ fast-uri@3.1.2:
+ resolution: {integrity: sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==}
 fdir@6.5.0:
 resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==}
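Review bot: The new override `"fast-uri@<3.1.2": ">=3.1.2"` uses an open range on the right-hand side, unlike the neighbouring `"follow-redirects": "1.16.0"` which pins exactly; the lockfile resolves it to 3.1.2 today, but the override itself will float to whatever newer fast-uri exists at the next lockfile refresh. For consistency with the other entries and reproducible resolution, consider `"fast-uri@<3.1.2": "3.1.2"` and bump it on purpose when needed.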
@@ -11933,7 +11934,7 @@ snapshots:
 ajv@8.18.0:
 dependencies:
 fast-deep-equal: 3.1.3
- fast-uri: 3.0.6
+ fast-uri: 3.1.2
 json-schema-traverse: 1.0.0
 require-from-string: 2.0.2
@@ -12947,7 +12948,7 @@ snapshots:
 fast-json-stable-stringify@2.1.0: {}
- fast-uri@3.0.6: {}
+ fast-uri@3.1.2: {}
 fdir@6.5.0(picomatch@2.3.2):
 optionalDependencies: