Remove tornado key + remove nodejs once copied into playwright + remo…

…ve old semver module (#402)
onyx-dot-app · Sep 6, 2023 · 630386c · 630386c · vercel · Sep 6, 2023
1 parent b06e53a
commit 630386c
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -29,12 +29,19 @@ RUN apt-get update
 RUN apt-get install nodejs -y
 # replace nodejs packaged with playwright (18.17.0) with the one installed above
 RUN cp /usr/bin/node /usr/local/lib/python3.11/site-packages/playwright/driver/node
+# remove nodejs (except for the binary we moved into playwright)
+RUN apt-get remove -y nodejs
 
 # Cleanup for CVEs and size reduction
 RUN apt-get remove -y linux-libc-dev \
     && apt-get autoremove -y \
     && rm -rf /var/lib/apt/lists/*
 
+# Remove tornado test key to placate vulnerability scanners
+# More details can be found here:
+# https://github.com/tornadoweb/tornado/issues/3107
+RUN rm /usr/local/lib/python3.11/site-packages/tornado/test/test.key
+
 WORKDIR /app
 COPY ./danswer /app/danswer
 COPY ./alembic /app/alembic

diff --git a/web/Dockerfile b/web/Dockerfile
@@ -39,6 +39,11 @@ RUN npm run build
 FROM base AS runner
 WORKDIR /app
 
+# Remove global node modules, since they are not needed by the actual app
+# (all dependencies are copied over into the `/app` dir itself). These
+# global modules may be outdated and trigger security scans.
+RUN rm -rf /usr/local/lib/node_modules
+
 # Not needed, set by compose 
 # ENV NODE_ENV production