
fix(docker): reduce image layers by merging RUN instructions (fixes OWASP#3690) #3781

Closed
ScienHAC wants to merge 2 commits into OWASP:main from ScienHAC:main

Conversation


@ScienHAC ScienHAC commented Feb 5, 2026

Proposed change

Resolves #3690

This PR optimizes the Docker build process by reducing the number of image layers in docker/frontend/Dockerfile.

Summary of changes

  • In the builder stage, directory setup commands were merged with the apk package installation into a single RUN instruction.
  • In the runner stage, npm vulnerability fix commands were merged with user/group creation into one RUN instruction.
  • Removed inline comments inside chained RUN commands to avoid Dockerfile syntax issues.

Benefits

  • Fewer Docker layers
  • Smaller image size
  • Faster build times
  • Cleaner and more maintainable Dockerfile

Checklist

  • Required: I followed the contributing workflow
  • Required: I verified that my code works as intended and resolves the issue
  • Required: I ran make check-test locally and all tests passed
  • I used AI for code, documentation, tests, or communication related to this PR

Copilot AI review requested due to automatic review settings February 5, 2026 08:01

github-actions bot commented Feb 5, 2026

The linked issue must be assigned to the PR author.


coderabbitai bot commented Feb 5, 2026

Caution

Review failed

The pull request is closed.

Summary by CodeRabbit

  • Chores
    • Enhanced build process reliability through optimized Docker configuration and dependency version validation in the build pipeline.

Walkthrough

The Docker frontend Dockerfile is optimized by merging multiple RUN instructions in the builder stage to reduce image layers. The runner stage is enhanced with an explicit version check for the @isaacs/brace-expansion dependency (version 5.0.1) before npm pack, with command reordering to validate the dependency version prior to subsequent operations.

Changes

Cohort / File(s) Summary
Docker Optimization
docker/frontend/Dockerfile
Builder stage consolidates APK cache directory creation and symlink into a single RUN instruction. Runner stage adds a pre-check for @isaacs/brace-expansion version 5.0.1 before npm pack and reorders steps to perform version validation before group/user creation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

frontend, docker

Suggested reviewers

  • arkid15r
  • kasya

@github-actions github-actions bot closed this Feb 5, 2026

sonarqubecloud bot commented Feb 5, 2026

@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Copilot AI left a comment


Pull request overview

This PR optimizes the Docker build process for the frontend service by consolidating multiple RUN instructions into fewer commands, which reduces the number of image layers and potentially improves build efficiency.

Changes:

  • Merged directory setup and symlink creation with apk package installation in the builder stage
  • Consolidated npm vulnerability fixes (tar@7.5.7 and @isaacs/brace-expansion@5.0.1) with user/group creation in the runner stage
  • Removed inline comments from within chained RUN commands to prevent Dockerfile syntax issues


Comment on lines +74 to +75
grep -q '"version": "5.0.1"' "${BRACE_DIR}/package.json" && \
addgroup --system --gid 1001 nodejs && \
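Review bot: the check on line +74, `grep -q '"version": "5.0.1"' "${BRACE_DIR}/package.json"`, only passes when package.json uses exactly that spacing and exactly that version, so a base image that later ships a newer fixed release of @isaacs/brace-expansion fails the build rather than being accepted; reading the field with `node -p "require('${BRACE_DIR}/package.json').version"` and comparing it against a minimum version is more robust. Because `addgroup --system --gid 1001 nodejs` on line +75 is chained onto that check with `&&`, a failed check also leaves the image without the nodejs group, which is a second reason to keep group and user creation in their own RUN.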

Copilot AI Feb 5, 2026


Merging the CVE vulnerability fixes with user/group creation creates a problematic dependency. If the npm vulnerability fixes fail (e.g., due to version unavailability or network issues), the system users won't be created, which will cause the container to fail at runtime when trying to switch to the 'nextjs' user.

These operations are semantically distinct: the CVE fixes are temporary workarounds that might need to be removed in the future when base images are updated, while user creation is a permanent structural requirement for the container.

Consider separating user creation into its own RUN instruction after the CVE fixes. This improves maintainability and ensures the container has the necessary users even if CVE fix commands need to be modified or removed. The additional layer from user creation is negligible compared to the reliability benefit.

Suggested change
grep -q '"version": "5.0.1"' "${BRACE_DIR}/package.json" && \
addgroup --system --gid 1001 nodejs && \
grep -q '"version": "5.0.1"' "${BRACE_DIR}/package.json"
RUN addgroup --system --gid 1001 nodejs && \

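An added illustrative Dockerfile, written for this page and not taken from the PR or the OWASP Nest repository, showing the shape that the PR description (one merged RUN per stage) and the review comment above (user creation kept separate from the vulnerability patch) together point at. Assumptions, none of which the PR states: the node:22-alpine base image, npm's bundled copies living under /usr/local/lib/node_modules/npm, the BuildKit apk cache mount for the builder stage, and libc6-compat as the package being installed. The pinned versions, the BRACE_DIR and TAR_DIR names, and the nodejs/nextjs identities are the ones quoted in the discussion.

```dockerfile
# syntax=docker/dockerfile:1
# Illustrative example only; assumed base image and paths, not the project's file.

FROM node:22-alpine AS builder
# One layer for the cache symlink and the install: a cleanup done in a later
# RUN does not shrink the image, because the earlier layer still carries
# whatever that RUN deletes. The cache mount keeps apk's files out of the
# image entirely (assumption: BuildKit is available).
RUN --mount=type=cache,target=/var/cache/apk \
    ln -s /var/cache/apk /etc/apk/cache \
    && apk add libc6-compat

FROM node:22-alpine AS runner
# Full paths on purpose: names set in one ENV are not visible to each other
# within that same instruction.
ENV TAR_DIR=/usr/local/lib/node_modules/npm/node_modules/tar \
    BRACE_DIR=/usr/local/lib/node_modules/npm/node_modules/@isaacs/brace-expansion

# One layer that swaps npm's bundled tar and @isaacs/brace-expansion for the
# pinned releases, removes the tarballs in the same layer, and then verifies
# what actually landed. Reading package.json with node does not depend on
# JSON whitespace; a mismatch fails the build instead of shipping old code.
RUN set -eu && cd /tmp \
    && npm pack tar@7.5.7 @isaacs/brace-expansion@5.0.1 \
    && rm -rf "$TAR_DIR" "$BRACE_DIR" \
    && mkdir -p "$TAR_DIR" "$BRACE_DIR" \
    && tar -xzf tar-7.5.7.tgz -C "$TAR_DIR" --strip-components=1 \
    && tar -xzf isaacs-brace-expansion-5.0.1.tgz -C "$BRACE_DIR" --strip-components=1 \
    && rm -f /tmp/*.tgz \
    && [ "$(node -p "require('$TAR_DIR/package.json').version")" = "7.5.7" ] \
    && [ "$(node -p "require('$BRACE_DIR/package.json').version")" = "5.0.1" ]

# Separate layer: the runtime identity must exist even if the patch step
# above is edited or dropped once the base image ships fixed versions.
RUN addgroup --system --gid 1001 nodejs \
    && adduser --system --uid 1001 --ingroup nodejs nextjs

USER nextjs
```

The extra layer for the user step costs nothing measurable; what matters for size is that temporary files are deleted inside the RUN that created them, which the patch step does with `rm -f /tmp/*.tgz`. When the base image eventually bundles fixed versions, the whole patch RUN can be deleted without touching the user or USER lines.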

# Fix CVE-2026-25547: Update npm's bundled @isaacs/brace-expansion to 5.0.1 in runner stage
RUN cd /tmp && \
grep -q 'version.*7.5.7' "${TAR_DIR}/package.json" && \
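Review bot: the comment "Fix CVE-2026-25547: Update npm's bundled @isaacs/brace-expansion to 5.0.1 in runner stage" describes the brace-expansion step, but the line it sits next to, `grep -q 'version.*7.5.7' "${TAR_DIR}/package.json"`, is the tar 7.5.7 check; if it is restored as a standalone comment it should go above the brace-expansion step, and the tar step deserves its own comment naming the issue it addresses. The tar pattern is also looser than the brace-expansion one: `.` matches any character and nothing anchors the end, so a line containing `7.5.70` also passes; using the same exact form for both checks, `'"version": "7.5.7"'`, keeps them consistent.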

Copilot AI Feb 5, 2026


The removed comment "Fix CVE-2026-25547: Update npm's bundled @isaacs/brace-expansion to 5.0.1 in runner stage" should be preserved above the RUN instruction as a standalone comment. This documentation is important for understanding why this specific package update is being performed and makes future maintenance easier when determining if the fix can be removed.

Move the comment to line 65 (or the line before the cd /tmp command) as a separate comment line rather than removing it entirely.

Suggested change
grep -q 'version.*7.5.7' "${TAR_DIR}/package.json" && \
grep -q 'version.*7.5.7' "${TAR_DIR}/package.json" && \
# Fix CVE-2026-25547: Update npm's bundled @isaacs/brace-expansion to 5.0.1 in runner stage


Development

Successfully merging this pull request may close these issues.

merging Multiple RUN Instruction in Frontend DockerFile.
