fix: update npm to resolve Trivy CVEs in bundled dependencies

boite · claude · boite · commit 9b582215393b · 2026-03-25T11:30:30.000Z
Upgrades npm to latest after Node.js install to patch vulnerable
transitive dependencies (cross-spawn, glob, minimatch, tar).
Chose to update npm rather than upgrade to Node.js 22 to avoid
potential breaking changes for downstream consumers.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/Dockerfile.php7 b/Dockerfile.php7
@@ -64,6 +64,8 @@ RUN curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
+RUN npm install -g npm@latest
+
 RUN docker-php-ext-install bz2 \
   && install-php-extensions apcu gd gmp intl opcache pdo_mysql pdo_pgsql sockets zip imap mailparse soap mysqli bcmath \
   && apt-get autoremove \
diff --git a/Dockerfile.php8 b/Dockerfile.php8
@@ -64,6 +64,8 @@ RUN curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
+RUN npm install -g npm@latest
+
 RUN docker-php-ext-install bz2 \
   && install-php-extensions apcu gd gmp intl opcache pdo_mysql pdo_pgsql sockets zip imap mailparse soap mysqli bcmath \
   && apt-get autoremove \
