Revert "build(docker): Switch to Docker Hardened Images (DHI)" #213
This reverts commit 840b7f7.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Diff excerpt (Dockerfile, builder stage):
    WORKDIR /build
    COPY package.json yarn.lock ./
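Review bot: the revert also drops WORKDIR /build from the builder stage, so the COPY package.json yarn.lock ./ that follows, and everything the build emits relative to it, land in the image root instead of a dedicated directory; that line is independent of the DHI base image and could be kept even while the base-image switch is reverted. If the goal is only to unblock the acceptance tests, consider re-adding WORKDIR /build (or giving the later COPY --from=builder an absolute source path) in this same change, so the revert does not reintroduce a relative-path lookup against /.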
Missing WORKDIR causes massive image bloat via symlink
Medium Severity
The builder stage has no WORKDIR, so the default / is used. The tsc build outputs to ./lib, which resolves to /lib — a symlink to /usr/lib on Debian bookworm (usrmerge). Docker's COPY --from=builder lib lib follows symlinks, so it copies the entire /usr/lib directory (system libraries + build output) into the runtime image. The removed DHI version had WORKDIR /build to avoid this. Adding a WORKDIR to the builder stage would prevent copying hundreds of megabytes of unnecessary system libraries.
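The mitigation Bugbot describes, written out as an added example rather than the project's own Dockerfile: a two-stage build in which the builder stage sets an explicit WORKDIR and the runtime stage copies the build output by absolute path, so neither step can resolve a relative "lib" against the image root and follow the usrmerge /lib -> /usr/lib symlink. The image tags, the yarn scripts and the ./lib output directory are assumptions.

```dockerfile
# Added example, not the project's Dockerfile. Assumed: node:20-bookworm-slim
# as the base image, yarn as the package manager, a "build" script that runs
# tsc and emits compiled JavaScript into ./lib, and an entry point lib/index.js.

# --- builder stage -----------------------------------------------------------
FROM node:20-bookworm-slim AS builder
# Without this line the working directory is "/", so a tsc outDir of "./lib"
# resolves to /lib, which on Debian bookworm is a symlink to /usr/lib.
WORKDIR /build
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile
COPY . .
RUN yarn build            # assumed script; writes compiled output to /build/lib

# --- runtime stage -----------------------------------------------------------
FROM node:20-bookworm-slim
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile --production
# Absolute source path: COPY --from follows symlinks at the source, so a
# relative "lib" resolved against / would pull in all of /usr/lib.
COPY --from=builder /build/lib ./lib
USER node
CMD ["node", "lib/index.js"]
```

A quick check that the runtime layer contains only the compiled output is to list the copied directory in the built image (for example with `docker run --rm <image> ls /app/lib`) and to compare the image size reported by `docker image ls` before and after the WORKDIR change; a jump of hundreds of megabytes is the symptom Bugbot's comment refers to.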


Reverts #212, as this breaks acceptance tests:
https://github.com/getsentry/sentry/actions/runs/22585881666/job/65430559555