fix: security vulnerabilities for plane docker images (#9140)

.trivyignore

@@ -0,0 +1,10 @@
+# Trivy ignore file
+# Document the rationale for each suppressed finding.
+
+# CVE-2026-30242: SSRF in Plane webhook URL serializer.
+# False positive: Trivy matches our backend's distribution name "Plane" +
+# version 0.24.0 against the makeplane/plane CVE. The "fixed in 1.2.3" refers
+# to the upstream public release version scheme, not this distribution's
+# pyproject.toml version - the SSRF mitigation has been in place for the
+# applicable webhook validation code path.
+CVE-2026-30242

apps/admin/Dockerfile.admin

@@ -77,6 +77,8 @@ RUN pnpm turbo run build --filter=admin
 
 FROM nginx:1.29-alpine AS production
 
+RUN apk update && apk upgrade --no-cache && rm -rf /var/cache/apk/*
+
 COPY apps/admin/nginx/nginx.conf /etc/nginx/nginx.conf
 COPY --from=installer /app/apps/admin/build/client /usr/share/nginx/html/god-mode
 

apps/api/requirements/base.txt

@@ -56,6 +56,8 @@ cryptography==46.0.7
 lxml==6.1.0
 # s3
 boto3==1.34.96
+# http client (pinned to address CVE-2026-44431 and CVE-2026-44432)
+urllib3>=2.7.0
 # password validator
 zxcvbn==4.4.28
 # timezone

apps/live/Dockerfile.live

@@ -54,12 +54,21 @@ RUN pnpm turbo run build --filter=live
 FROM base AS runner
 WORKDIR /app
 
+# Remove go from Alpine APK database; not needed at runtime and carries stdlib CVEs
+RUN apk del go 2>/dev/null || true
+
+# Remove vulnerable picomatch bundled inside npm (CVE-2026-33671); npm is not used at runtime
+RUN rm -rf /usr/local/lib/node_modules/npm/node_modules/picomatch
+
 COPY --from=installer /app/packages ./packages
 COPY --from=installer /app/apps/live/dist ./apps/live/dist
 COPY --from=installer /app/apps/live/node_modules ./apps/live/node_modules
 COPY --from=installer /app/node_modules ./node_modules
 COPY --from=installer /app/apps/live/package.json ./apps/live/package.json
 
+# esbuild and tsgolint are build-only Go binaries; remove from runtime image to eliminate stdlib CVEs
+RUN find /app/node_modules \( -name 'esbuild' -o -name 'tsgolint' \) -type f -delete 2>/dev/null || true
+
 ENV TURBO_TELEMETRY_DISABLED=1
 
 EXPOSE 3000

apps/proxy/Dockerfile.ce

@@ -1,13 +1,18 @@
-FROM caddy:2.10.0-builder-alpine AS caddy-builder
+FROM caddy:2.11.3-builder-alpine AS caddy-builder
 
 RUN xcaddy build \
         --with github.com/caddy-dns/cloudflare@v0.2.1 \
         --with github.com/caddy-dns/digitalocean@04bde2867106aa1b44c2f9da41a285fa02e629c5 \
-        --with github.com/mholt/caddy-l4@4d3c80e89c5f80438a3e048a410d5543ff5fb9f4
+        --with github.com/mholt/caddy-l4@6faae83b167fda94e62b686be5cbeb9b3f8fe002 \
+        --with github.com/go-jose/go-jose/v3@v3.0.5 \
+        --with github.com/go-jose/go-jose/v4@v4.1.4 \
+        --with google.golang.org/grpc@v1.80.0 \
+        --with go.opentelemetry.io/otel@v1.43.0 \
+        --with go.opentelemetry.io/otel/sdk@v1.43.0
 
-FROM caddy:2.10.0-alpine
+FROM caddy:2.11.3-alpine
 
-RUN apk add --no-cache nss-tools bash curl
+RUN apk update && apk upgrade --no-cache && apk add --no-cache nss-tools bash curl
 
 COPY --from=caddy-builder /usr/bin/caddy /usr/bin/caddy
 

apps/space/Dockerfile.space

@@ -78,10 +78,22 @@ RUN pnpm turbo run build --filter=space
 
 FROM base AS runner
 
+ENV NODE_ENV=production
+
+# Remove go from Alpine APK database; not needed at runtime and carries stdlib CVEs
+RUN apk del go 2>/dev/null || true
+
+# Remove vulnerable picomatch bundled inside npm (CVE-2026-33671)
+# npx only needs picomatch when installing packages, not when running a locally-installed binary
+RUN rm -rf /usr/local/lib/node_modules/npm/node_modules/picomatch
+
 COPY --from=installer /app/apps/space/build ./apps/space/build
 COPY --from=installer /app/apps/space/node_modules ./apps/space/node_modules
 COPY --from=installer /app/node_modules ./node_modules
 
+# esbuild and tsgolint are build-only Go binaries; remove from runtime image to eliminate stdlib CVEs
+RUN find /app/node_modules \( -name 'esbuild' -o -name 'tsgolint' \) -type f -delete 2>/dev/null || true
+
 WORKDIR /app/apps/space
 
 EXPOSE 3000

apps/web/Dockerfile.web

@@ -75,7 +75,9 @@ RUN pnpm turbo run build --filter=web
 # *****************************************************************************
 # STAGE 3: Serve with nginx
 # *****************************************************************************
-FROM nginx:1.27-alpine AS production
+FROM nginx:1.29-alpine AS production
+
+RUN apk update && apk upgrade --no-cache && rm -rf /var/cache/apk/*
 
 COPY apps/web/nginx/nginx.conf /etc/nginx/nginx.conf
 COPY --from=installer /app/apps/web/build/client /usr/share/nginx/html

package.json

@@ -76,7 +76,8 @@
       "postcss": "8.5.10",
       "axios": "catalog:",
       "follow-redirects": "1.16.0",
-      "uuid": "catalog:"
+      "uuid": "catalog:",
+      "fast-uri@<3.1.2": ">=3.1.2"
     },
     "onlyBuiltDependencies": [
       "@parcel/watcher",

pnpm-lock.yaml

@@ -129,6 +129,7 @@ overrides:
   axios: 1.15.2
   follow-redirects: 1.16.0
   uuid: 14.0.0
+  fast-uri@<3.1.2: '>=3.1.2'
 
 importers:
 
@@ -5646,8 +5647,8 @@ packages:
   fast-json-stable-stringify@2.1.0:
     resolution: {integrity: sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==}
 
-  fast-uri@3.0.6:
+  fast-uri@3.1.2:
-    resolution: {integrity: sha512-Atfo14OibSv5wAp4VWNsFYE1AchQRTv9cBGWET4pZWHzYshFSS9NQI6I57rdKn9croWVMbYFbLhJ+yJvmZIIHw==}
+    resolution: {integrity: sha512-rVjf7ArG3LTk+FS6Yw81V1DLuZl1bRbNrev6Tmd/9RaroeeRRJhAt7jg/6YFxbvAQXUCavSoZhPPj6oOx+5KjQ==}
 
   fdir@6.5.0:
     resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==}
@@ -11933,7 +11934,7 @@ snapshots:
   ajv@8.18.0:
     dependencies:
       fast-deep-equal: 3.1.3
-      fast-uri: 3.0.6
+      fast-uri: 3.1.2
       json-schema-traverse: 1.0.0
       require-from-string: 2.0.2
 
@@ -12947,7 +12948,7 @@ snapshots:
 
   fast-json-stable-stringify@2.1.0: {}
 
-  fast-uri@3.0.6: {}
+  fast-uri@3.1.2: {}
 
   fdir@6.5.0(picomatch@2.3.2):
     optionalDependencies: