From a7d7cec13b4b6a94def9644d63f73b29281c73fa Mon Sep 17 00:00:00 2001 From: pwadmore-ea <8915039+pwadmore-ea@users.noreply.github.com> Date: Fri, 20 Feb 2026 15:10:01 +0000 Subject: [PATCH 1/7] Update examples to reflect new Docker guidance: https://github.com/DEFRA/software-development-standards/pull/117 From 3020a8bfac0c146d359f80d93b5113e4600b3d32 Mon Sep 17 00:00:00 2001 From: pwadmore-ea <8915039+pwadmore-ea@users.noreply.github.com> Date: Thu, 5 Mar 2026 08:57:09 +0000 Subject: [PATCH 2/7] Update examples to reflect new Docker guidance --- examples/Dockerfile.service | 13 ++++++++++--- examples/Dockerfile.web | 14 +++++++++----- 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/examples/Dockerfile.service b/examples/Dockerfile.service index 13a5265..4ac1c54 100644 --- a/examples/Dockerfile.service +++ b/examples/Dockerfile.service @@ -1,7 +1,7 @@ # This assumes that the parent image has been built locally using production and development build configuration as defra-node # and defra-node-development tagged with a version. -ARG BASE_VERSION=2.7.0-node22.14.0 +ARG BASE_VERSION=2.10.3-node24.12.0 FROM defra-node:$BASE_VERSION AS base # Copy our package files so that our package install will do a clean install. This installs the exact versions of the packages 
@@ -39,7 +39,14 @@ CMD [ "npm", "run", "test" ] # Production stage exposes service port, copies in built app code and declares the Node app as the default command FROM base AS production +# Copy application artifacts and assign root ownership to prevent modification by other users. +COPY --from=development --chown=root:root /home/node/package*.json ./ +COPY --from=development --chown=root:root /home/node/app/ ./app/ + +# Install node modules and remove write permissions. +RUN npm ci --ignore-scripts --omit=dev && chmod -R a-w /home/node + # This is the command that is run for the production service. The parent image has an ENTRYPOINT that uses a lightweight -# init program "tini" that handles signals. As long as we don't override the ENTRYPOINT the "tini" routine will handle signals and -# orphaned processes +# init program "tini" that handles signals. As long as we don't override the ENTRYPOINT the "tini" routine will handle signals and +# orphaned processes CMD [ "node", "app/index" ] diff --git a/examples/Dockerfile.web b/examples/Dockerfile.web index 8664309..a6d3b5e 100644 --- a/examples/Dockerfile.web +++ b/examples/Dockerfile.web @@ -1,7 +1,7 @@ # This assumes that the parent image has been built locally using production and development build configuration as defra-node # and defra-node-development tagged with a version. -ARG BASE_VERSION=2.5.2-node22.14.0 +ARG BASE_VERSION=2.10.3-node24.12.0 FROM defra-node:$BASE_VERSION AS base # Set the port that is going to be exposed later on in the Dockerfile as well. 
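Review bot: The new `RUN npm ci --ignore-scripts --omit=dev && chmod -R a-w /home/node` only works as intended if it executes as root, and the hunk never says which user the parent `defra-node` image leaves active: if that image already sets `USER node`, `chmod` on the files just copied with `--chown=root:root` fails with EPERM and the build breaks, and if it is root then `node_modules` and the npm registry cache under `/root/.npm` are both written into the production layer. Make the privilege boundary explicit in the example with `USER root` before the two `COPY` lines and `USER node` after the `RUN`, so the hardening does not silently depend on the parent image. In the same `RUN`, append `&& npm cache clean --force` so the download cache is not baked into the image. The comment on the `RUN` could also note the consequence for operators: after `chmod -R a-w`, anything the app writes under `/home/node` at runtime needs an explicit writable mount.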
@@ -53,10 +53,14 @@ WORKDIR /home/node EXPOSE ${PORT} # Copy in the files that we built using the tools in the development stage. The final production stage will have the built files, -# but none of the tools required to build those files. This reduces the attack surface, and also the size of the final production image -COPY --from=development /home/node/app/ ./app/ +# but none of the tools required to build those files. This reduces the attack surface, and also the size of the final production image +COPY --from=development --chown=root:root /home/node/package*.json ./ +COPY --from=development --chown=root:root /home/node/app/ ./app/ + +# Install node modules and remove write permissions. +RUN npm ci --ignore-scripts --omit=dev && chmod -R a-w /home/node # This is the command that is run for the production service. The parent image has an ENTRYPOINT that uses a lightweight -# init program "tini" that handles signals. As long as we don't override the ENTRYPOINT the "tini" routine will handle signals and -# orphaned processes +# init program "tini" that handles signals. As long as we don't override the ENTRYPOINT the "tini" routine will handle signals and +# orphaned processes CMD [ "node", "app/index" ] From c7b5c3d0fb164ec250f9e68d9eb26b4960dc4dbe Mon Sep 17 00:00:00 2001 From: pwadmore-ea <8915039+pwadmore-ea@users.noreply.github.com> Date: Wed, 25 Mar 2026 17:38:32 +0000 Subject: [PATCH 3/7] Update base version --- examples/Dockerfile.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/Dockerfile.service b/examples/Dockerfile.service index 4ac1c54..4fcc607 100644 --- a/examples/Dockerfile.service +++ b/examples/Dockerfile.service 
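Review bot: `chmod -R a-w /home/node` in the added `RUN` requires the caller to own the files or have CAP_FOWNER, so the step fails if the parent `defra-node` image runs builds as the `node` user; nothing in this hunk pins the user, and the `--chown=root:root` on the `COPY` lines makes that dependency strict. Declare it in the example rather than rely on inherited state: `USER root` before the `COPY` lines and `USER node` after the `RUN`, so the web image still runs unprivileged but the install and permission stripping are done by root. Because `npm ci` now runs in the production stage, also add `&& npm cache clean --force` to that `RUN` so the registry cache written during the install does not persist in the final layer. It is worth saying in the comment above the `RUN` that `--ignore-scripts` is deliberate (no lifecycle scripts from dependencies execute during the production build), since that is the supply-chain control readers should copy.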
@@ -1,7 +1,7 @@ # This assumes that the parent image has been built locally using production and development build configuration as defra-node # and defra-node-development tagged with a version. -ARG BASE_VERSION=2.10.3-node24.12.0 +ARG BASE_VERSION=3.0.4-node24.14.0 FROM defra-node:$BASE_VERSION AS base # Copy our package files so that our package install will do a clean install. This installs the exact versions of the packages From 4c912fa1e9a1cad7071113da8a3ed7822cbcac99 Mon Sep 17 00:00:00 2001 From: pwadmore-ea <8915039+pwadmore-ea@users.noreply.github.com> Date: Wed, 25 Mar 2026 18:00:44 +0000 Subject: [PATCH 4/7] Update base version --- examples/Dockerfile.web | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/Dockerfile.web b/examples/Dockerfile.web index a6d3b5e..f2d29dd 100644 --- a/examples/Dockerfile.web +++ b/examples/Dockerfile.web @@ -1,7 +1,7 @@ # This assumes that the parent image has been built locally using production and development build configuration as defra-node # and defra-node-development tagged with a version. -ARG BASE_VERSION=2.10.3-node24.12.0 +ARG BASE_VERSION=3.0.4-node24.14.0 FROM defra-node:$BASE_VERSION AS base # Set the port that is going to be exposed later on in the Dockerfile as well. From d38deaf18ef52692fa9e7e6d8534a0dc0efa997f Mon Sep 17 00:00:00 2001 From: pwadmore-ea <8915039+pwadmore-ea@users.noreply.github.com> Date: Wed, 25 Mar 2026 18:17:05 +0000 Subject: [PATCH 5/7] Omit package install from base stage --- examples/Dockerfile.service | 5 ----- examples/Dockerfile.web | 6 ------ 2 files changed, 11 deletions(-) diff --git a/examples/Dockerfile.service b/examples/Dockerfile.service index 4fcc607..bc03631 100644 --- a/examples/Dockerfile.service +++ b/examples/Dockerfile.service 
@@ -4,11 +4,6 @@ ARG BASE_VERSION=3.0.4-node24.14.0 FROM defra-node:$BASE_VERSION AS base -# Copy our package files so that our package install will do a clean install. This installs the exact versions of the packages -# listed in package-lock.json, and does not update either the package-lock.json or the package.json file. -# Our production dependencies are now installed. -COPY --chown=node:node package*.json ./ -RUN npm ci --ignore-scripts # Development stage installs devDependencies, builds app from source and declares a file watcher as the default command. # We name this stage so we can refer to it in later stages diff --git a/examples/Dockerfile.web b/examples/Dockerfile.web index f2d29dd..b7cd987 100644 --- a/examples/Dockerfile.web +++ b/examples/Dockerfile.web @@ -8,12 +8,6 @@ FROM defra-node:$BASE_VERSION AS base ARG PORT=3000 ENV PORT=${PORT} -# Copy our package files so that our package install will do a clean install. This installs the exact versions of the packages -# listed in package-lock.json, and does not update either the package-lock.json or the package.json file. -# Our production dependencies are now installed. -COPY --chown=node:node package*.json ./ -RUN npm ci --ignore-scripts - # Development stage installs devDependencies, builds app from source and declares a file watcher as the default command. # We name this stage so we can refer to it in later stages FROM defra-node-development:$BASE_VERSION AS development From 8df58705f3520eb6e646e090840eb8485e51d581 Mon Sep 17 00:00:00 2001 From: pwadmore-ea <8915039+pwadmore-ea@users.noreply.github.com> Date: Fri, 27 Mar 2026 10:27:02 +0000 Subject: [PATCH 6/7] Update version number --- JOB.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/JOB.env b/JOB.env index f297853..6d8db91 100644 --- a/JOB.env +++ b/JOB.env @@ -1,2 +1,2 @@ -DEFRA_VERSION=3.0.4 +DEFRA_VERSION=3.0.5 IMAGE_NAME=node From 3160e2889802904c17ae2b3309654f7d2e2ae8ec Mon Sep 17 00:00:00 2001 
From: pwadmore-ea <8915039+pwadmore-ea@users.noreply.github.com> Date: Fri, 27 Mar 2026 10:29:23 +0000 Subject: [PATCH 7/7] Update version number --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4c7c788..01afbff 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Set default values for build arguments -ARG DEFRA_VERSION=3.0.4 +ARG DEFRA_VERSION=3.0.5 ARG BASE_VERSION=24.14.0-alpine3.23 FROM node:$BASE_VERSION AS production