chore (deps): upgrade Sentry in the frontend to resolve a security alert with minimatch (baserow#4887)

* upgrade sentry

* Add changelog entry

* remove OS-level npm from frontend image which is not needed in prod and contains CVEs

* Fix dc-prod command

* Make sure ci and prod images download the latest packages instead of using the cache

* Extract Python base image into a reusable ARG in backend Dockerfile

Define PYTHON_BASE_IMAGE once at the top and reference it in all four
FROM lines (builder-prod-base, ci, dev, local) to avoid repeating the
version string.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: silvestrid

backend/Dockerfile

@@ -1,4 +1,5 @@
 # syntax=docker/dockerfile:1.4
+ARG PYTHON_BASE_IMAGE="python:3.14.3-slim-trixie"
 ARG UID="9999"
 ARG GID="9999"
 
@@ -28,7 +29,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 # =============================================================================
 # Production base builder stage: builds runtime dependencies only
 # =============================================================================
-FROM python:3.14.3-slim-trixie AS builder-prod-base
+FROM ${PYTHON_BASE_IMAGE} AS builder-prod-base
 ARG UID
 ARG GID
 
@@ -174,17 +175,16 @@ RUN --mount=type=cache,target=$UV_CACHE_DIR,sharing=locked,uid=$UID,gid=$GID \
 # =============================================================================
 # CI Target - lightweight image for pytest and E2E tests
 # =============================================================================
-FROM python:3.14.3-slim-trixie AS ci
+FROM ${PYTHON_BASE_IMAGE} AS ci
 ARG UID
 ARG GID
 
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \
-    apt-get update && \
+RUN apt-get update && \
     apt-get upgrade -y && \
     apt-get install -y --no-install-recommends \
     gettext \
-    xmlsec1
+    xmlsec1 \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
 
 ENV DOCKER_USER=baserow_docker_user \
     BASEROW_IMAGE_TYPE="backend" \
@@ -222,7 +222,7 @@ ENTRYPOINT ["/usr/bin/tini", "--", "/bin/bash", "/baserow/backend/docker/docker-
 # Only works mounting the source code as a bind mount. See docker-compose.dev.yml for usage.
 # =============================================================================
 
-FROM python:3.14.3-slim-trixie AS dev
+FROM ${PYTHON_BASE_IMAGE} AS dev
 ARG UID="9999"
 ARG GID="9999"
 
@@ -321,10 +321,12 @@ CMD ["django-dev"]
 # =============================================================================
 # Production target
 # =============================================================================
-FROM python:3.14.3-slim-trixie AS local 
+FROM ${PYTHON_BASE_IMAGE} AS local
 ARG UID
 ARG GID
 
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
 ENV POSTGRES_VERSION=15 \
     DOCKER_USER=baserow_docker_user \
     BASEROW_IMAGE_TYPE="backend" \
@@ -334,10 +336,8 @@ ENV POSTGRES_VERSION=15 \
     PYTHONPATH="/baserow/backend/src:/baserow/premium/backend/src:/baserow/enterprise/backend/src" \
     DJANGO_SETTINGS_MODULE='baserow.config.settings.base'
 
-# Runtime dependencies only - this layer is always cached
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \
-    apt-get update && \
+# Runtime dependencies only
+RUN apt-get update && \
     apt-get upgrade -y && \
     apt-get install -y --no-install-recommends curl ca-certificates gnupg \
     && curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --batch --dearmor -o /usr/share/keyrings/pgdg.gpg \
@@ -346,7 +346,8 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     && apt-get install -y --no-install-recommends \
     xmlsec1 \
     gettext \
-    postgresql-client-${POSTGRES_VERSION}
+    postgresql-client-${POSTGRES_VERSION} \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
 
 RUN groupadd --system --gid $GID ${DOCKER_USER} && \
       useradd --shell /bin/bash -l -u $UID -g $GID -o -c "" -d /baserow -m ${DOCKER_USER}

changelog/entries/unreleased/refactor/upgrade_sentry_to_resolve_a_cve_in_minimatch.json

@@ -0,0 +1,9 @@
+{
+    "type": "refactor",
+    "message": "Upgrade sentry to resolve a CVE in minimatch",
+    "issue_origin": "github",
+    "issue_number": null,
+    "domain": "core",
+    "bullet_points": [],
+    "created_at": "2026-02-27"
+}

deploy/all-in-one/Dockerfile

@@ -26,9 +26,7 @@ ENV DOCKER_USER=baserow_docker_user \
     BASEROW_PLUGIN_DIR=/baserow/data/plugins
 
 # Runtime dependencies
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \
-    apt-get update && \
+RUN apt-get update && \
     apt-get upgrade -y && \
     DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt-get install --no-install-recommends -y \
     curl gnupg2 ca-certificates && \
@@ -44,6 +42,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     gettext \
     tini \
     tzdata-legacy \
+    && apt-get clean && rm -rf /var/lib/apt/lists/* \
     && \
     # Setup user and group with fixed UID/GID for volume permission consistency
     getent group "$GID" || groupadd --system --gid "$GID" "${DOCKER_USER}" && \
@@ -117,15 +116,15 @@ ARG GID
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 # Install postgres + redis (PGDG repo already added in base stage)
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \
-    curl -fsSL https://packages.redis.io/gpg | gpg --batch --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg && \
+RUN curl -fsSL https://packages.redis.io/gpg | gpg --batch --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg && \
     echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb trixie main" > /etc/apt/sources.list.d/redis.list && \
     apt-get update && \
     apt-get install --no-install-recommends -y \
     "postgresql-${POSTGRES_VERSION}" \
     "postgresql-${POSTGRES_VERSION}-pgvector" \
-    redis && \
+    redis \
+    && apt-get clean && rm -rf /var/lib/apt/lists/* \
+    && \
     # Setup redis
     usermod -a -G tty redis && \
     sed -i 's/daemonize yes/daemonize no/g' /etc/redis/redis.conf && \

justfile

@@ -830,6 +830,7 @@ dc-prod *ARGS:
     if [ -z "{{ ARGS }}" ]; then
         just _dc_help
     else
+        export BASEROW_PUBLIC_URL="${BASEROW_PUBLIC_URL:-http://localhost}"
         VERSION="${BASEROW_VERSION:-latest}"
         if [ "$VERSION" = "latest" ] || [ -z "$BASEROW_VERSION" ]; then
             # Build locally for latest/unset

web-frontend/Dockerfile

@@ -1,4 +1,5 @@
 # syntax=docker/dockerfile:1.4
+ARG NODE_BASE_IMAGE="node:24.14.0-trixie-slim"
 ARG UID="9999"
 ARG GID="9999"
 
@@ -27,7 +28,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 # =============================================================================
 # CI builder stage
 # =============================================================================
-FROM node:24.13.0-trixie-slim AS builder-ci
+FROM ${NODE_BASE_IMAGE} AS builder-ci
 ARG UID
 ARG GID
 
@@ -51,7 +52,7 @@ RUN --mount=type=cache,target=$YARN_CACHE_FOLDER,uid=$UID,gid=$GID,sharing=locke
 # =============================================================================
 # Production builder stage
 # =============================================================================
-FROM node:24.13.0-trixie-slim AS builder-prod
+FROM ${NODE_BASE_IMAGE} AS builder-prod
 ARG UID
 ARG GID
 
@@ -99,12 +100,16 @@ FROM busybox:musl AS busybox-helper
 # =============================================================================
 # CI target - used in CI pipelines
 # =============================================================================
-FROM node:24.13.0-trixie-slim AS ci
+FROM ${NODE_BASE_IMAGE} AS ci
 ARG UID
 ARG GID
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+# Upgrade OS packages to patch CVEs in base image
+RUN apt-get update && apt-get upgrade -y --no-install-recommends \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
 ENV DOCKER_USER=baserow_docker_user \
     APP_ENV=test \
     BASEROW_IMAGE_TYPE="web-frontend"
@@ -150,7 +155,7 @@ CMD ["nuxt-prod"]
 # =============================================================================
 # Development target - used for local development with live reload
 # =============================================================================
-FROM node:24.13.0-trixie-slim AS dev
+FROM ${NODE_BASE_IMAGE} AS dev
 ARG UID
 ARG GID
 
@@ -238,7 +243,7 @@ CMD ["nuxt-dev"]
 # =============================================================================
 # Production target - minimal image with only runtime requirements
 # =============================================================================
-FROM node:24.13.0-trixie-slim AS local
+FROM ${NODE_BASE_IMAGE} AS local
 ARG UID
 ARG GID
 
@@ -254,8 +259,12 @@ COPY --from=tool-builder /usr/local/bin/su-exec /usr/local/bin/su-exec
 COPY --from=tool-builder /usr/bin/tini /usr/bin/tini
 COPY --from=busybox-helper /bin/wget /usr/local/bin/wget
 
-# Update npm to patch CVEs in its bundled deps (glob, tar, @isaacs/brace-expansion)
-RUN npm install -g npm@latest
+# Upgrade OS packages to patch CVEs in base image
+RUN apt-get update && apt-get upgrade -y --no-install-recommends \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Remove npm (not needed at runtime) to eliminate CVEs in its bundled deps (minimatch, glob, etc.)
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
 
 RUN groupadd --system --gid $GID ${DOCKER_USER} && \
     useradd --shell /bin/bash -l -u $UID -g $GID -o -c "" -d /baserow -m ${DOCKER_USER}

web-frontend/package.json

@@ -31,9 +31,9 @@
   },
   "dependencies": {
     "@nuxtjs/i18n": "10.2.1",
-    "@sentry/node": "^10.38.0",
-    "@sentry/nuxt": "^10.38.0",
-    "@sentry/vue": "^10.38.0",
+    "@sentry/node": "10.40.0",
+    "@sentry/nuxt": "10.40.0",
+    "@sentry/vue": "10.40.0",
     "@tiptap/core": "^3.13.0",
     "@tiptap/extension-blockquote": "^3.13.0",
     "@tiptap/extension-bold": "^3.13.0",