Walkthrough
Switched Docker bases to Alpine, added npm/proxy/registry build args and config, introduced tsconfig.tsoa.json and relaxed TypeScript strictness, updated package.json tsoa build script and devDependencies, minor whitespace fix in a test file.
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
🎉 Snyk checks have passed. No issues have been found so far.
✅ security/snyk check is complete. No issues have been found. (View Details)
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
backend/package.json (1)
6-16: Aim TSOA at a relaxed tsconfig instead of relaxing the entire project.
Your current ‘tsoa’ script compiles src/tsoa.ts with the project’s tsconfig, which prompted broad flag downgrades. Prefer a dedicated tsconfig (e.g., tsconfig.tsoa.json) referenced only by this script to keep the rest of the app strict.
You can adjust scripts like so (see detailed configs in my tsconfig.json comment):

```json
{
  "scripts": {
    "tsoa": "mkdir -p src/routes src/api && tsc -p tsconfig.tsoa.json --outDir dist && node dist/tsoa.js",
    "build": "tsc -p tsconfig.build.json --outDir dist"
  }
}
```
🧹 Nitpick comments (1)
backend/package.json (1)
41-41: Consider pinning tsoa if the breakage stems from its transitive deps.
If the “broken deps in tsoa” is due to a transitive that changed behavior, you might want to temporarily pin TSOA to an exact version (no caret) or add an overrides/resolutions entry until upstream stabilizes.
Example:

```jsonc
{
  "dependencies": { "tsoa": "6.5.1" },
  "overrides": {
    // Example: "some-transitive-pkg": "x.y.z"
  }
}
```
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
💡 Knowledge Base configuration:
- MCP integration is disabled by default for public repositories
- Jira integration is disabled by default for public repositories
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
⛔ Files ignored due to path filters (1)
backend/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
- backend/package.json (1 hunks)
- backend/src/controllers/bulk.webhook.spec.ts (1 hunks)
- backend/tsconfig.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: 🐳 Build docker image
🔇 Additional comments (3)
backend/tsconfig.json (1)
7-7: allowSyntheticDefaultImports is a sensible addition with esModuleInterop.
This commonly resolves interop friction in tooling like TSOA and won’t affect runtime. LGTM.
backend/src/controllers/bulk.webhook.spec.ts (1)
46-46: Whitespace-only fix is fine.
No behavioral change. Thanks for keeping tests tidy.
backend/package.json (1)
20-20: Dependency reordering and @types/nodemailer removal verified
The build and type-check complete without TS7016 errors, confirming that nodemailer v6.9.15 ships the required type definitions and removing @types/nodemailer is safe. No further changes needed.
| "strict": false, | ||
| "noImplicitReturns": false, | ||
| "noImplicitThis": false, | ||
| "noUnusedLocals": false, | ||
| "noUnusedParameters": false, |
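Review bot: `"strict": false` on the first line of this hunk switches off the whole strict family (strictNullChecks, strictFunctionTypes, strictBindCallApply, strictPropertyInitialization, alwaysStrict), not only the four flags listed under it, so the hunk relaxes far more than it names. If one specific check is what TSOA trips on, set that single flag to false and leave `strict` on, with a comment naming the failing check so the next reader can re-enable it.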
🛠️ Refactor suggestion
Type-safety was broadly relaxed; scope this to TSOA instead of the whole backend.
Flipping strictness flags to false across the app will let real bugs slip and weaken editor/CI feedback. If these relaxations are required only for TSOA codegen/metadata, isolate them in a dedicated tsconfig used solely by the TSOA build step and keep the main project strict.
Minimal revert within this file:

```diff
-  "noImplicitAny": false,
+  "noImplicitAny": true,
-  "strict": false,
+  "strict": true,
-  "noImplicitReturns": false,
+  "noImplicitReturns": true,
-  "noImplicitThis": false,
+  "noImplicitThis": true,
-  "noUnusedLocals": false,
+  "noUnusedLocals": true,
-  "noUnusedParameters": false,
+  "noUnusedParameters": true,
```

Then create a TSOA-only config with relaxed checks and point your TSOA script to it:

- Add a TSOA tsconfig (placed at backend/tsconfig.tsoa.json):

```jsonc
{
  "extends": "./tsconfig.json",
  "compilerOptions": {
    "strict": false,
    "noImplicitAny": false,
    "noImplicitReturns": false,
    "noImplicitThis": false,
    "noUnusedLocals": false,
    "noUnusedParameters": false,
    "allowSyntheticDefaultImports": true
  },
  "include": ["src/tsoa.ts"] // or whatever entry(s) your tsoa step compiles
}
```

- Optionally add a dedicated build config to keep production builds strict (backend/tsconfig.build.json):

```json
{
  "extends": "./tsconfig.json",
  "compilerOptions": {
    "noEmit": false
  },
  "include": ["src/**/*"]
}
```

- Update package scripts to use the targeted configs:

```json
{
  "scripts": {
    "tsoa": "mkdir -p src/routes src/api && tsc -p tsconfig.tsoa.json --outDir dist && node dist/tsoa.js",
    "build": "tsc -p tsconfig.build.json --outDir dist"
  }
}
```

Would you like me to push a patch with these files and script changes?
Also applies to: 9-9
🤖 Prompt for AI Agents
In backend/tsconfig.json around lines 16-20 the project-wide safety flags were
turned off; revert these to strict=true (and set
noImplicitReturns/noImplicitThis/noUnusedLocals/noUnusedParameters to true) to
keep the main codebase type-safe, then add a separate backend/tsconfig.tsoa.json
that extends ./tsconfig.json and overrides only the TSOA-relaxed options
(strict=false and the other flags false, allowSyntheticDefaultImports=true) with
include pointing at your TSOA entry file(s), add backend/tsconfig.build.json
extending ./tsconfig.json for production builds (e.g., noEmit:false and include
src/**/*), and update package.json scripts so the TSOA generation uses tsc -p
tsconfig.tsoa.json (or a dedicated tsoa script) while the regular build uses tsc
-p tsconfig.build.json --outDir dist.
6f5578f to 19bcfb4
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (4)
backend/Dockerfile (4)
21-29: npm noproxy key is likely incorrect; use “noproxy”, quote values
npm uses the key noproxy (no hyphen). Also, quoting values prevents issues with special chars/spaces.

```diff
-RUN if [ ! -z "$http_proxy" ] ; then \
+RUN if [ -n "$http_proxy" ] ; then \
     npm config delete proxy; \
-    npm config set proxy $http_proxy; \
-    npm config set https-proxy $https_proxy; \
-    npm config set no-proxy $no_proxy; \
+    npm config set proxy "$http_proxy"; \
+    npm config set https-proxy "$https_proxy"; \
+    npm config set noproxy "$no_proxy"; \
   fi ; \
-  [ -z "$npm_registry" ] || npm config set registry=$npm_registry; \
+  [ -z "$npm_registry" ] || npm config set registry="$npm_registry"; \
   [ -z "$npm_ssl" ] || npm config set strict-ssl false ;
```

If you rely on proxies in production too, note that the production stage doesn’t inherit these settings (see separate comment below).

46-52: Use lockfile and npm ci for reproducible installs and better caching
Only copying package.json and using npm install leads to non-deterministic dependency trees and cache busts.

```diff
-COPY package.json ./
+COPY package.json package-lock.json ./
-RUN if [ -z "${NPM_VERBOSE}" ]; then\
-    npm install; \
+RUN if [ -z "${NPM_VERBOSE}" ]; then \
+    npm ci; \
   else \
-    npm install --verbose; \
+    npm ci --verbose; \
   fi
```

Also consider adding .npmrc settings that matter (registry, auth) as ARG-templated build-time values rather than global npm config mutations.

101-106: Use npm ci --omit=dev and move audits to CI
Installing without a lockfile and running npm audit in the image slows builds and can fail unpredictably.

```diff
-RUN npm install --production && \
-    npm config set audit-level high && \
-    npm audit --json --registry=https://registry.npmjs.org || ${NPM_AUDIT_DRY_RUN:-false} && \
-    npm cache clean --force
+COPY package-lock.json ./
+RUN npm ci --omit=dev && npm cache clean --force
```

Run security audits in CI (e.g., Snyk already green per PR notes) rather than during image build.

113-115: Healthcheck must not kill the container; make it exit non-zero and honor the configured port
The current HEALTHCHECK kills PID 1 when unhealthy, which is not how Docker healthchecks are intended to work and can cause flapping/restart storms. Also, the URL hardcodes port 8080 while the image exposes ${port}.

```diff
-HEALTHCHECK --interval=5m --timeout=2m --start-period=45s \
-  CMD curl -f --silent --retry 6 --max-time 5 --retry-delay 10 --retry-max-time 60 "http://localhost:8080/deces/api/v1/healthcheck" || bash -c 'kill -s 15 -1 && (sleep 10; kill -s 9 -1)'
+HEALTHCHECK --interval=5m --timeout=2m --start-period=45s \
+  CMD curl -fsS --retry 6 --max-time 5 --retry-delay 10 --retry-max-time 60 "http://localhost:${port:-8080}/deces/api/v1/healthcheck" || exit 1
```

Let the orchestrator handle restarts on unhealthy containers.
🧹 Nitpick comments (11)
backend/tsconfig.tsoa.json (1)
3-11: Remove redundant option that’s already in base tsconfig
allowSyntheticDefaultImports appears to be added in the base backend/tsconfig.json per the PR summary. Keeping it in this child config is redundant and increases drift risk.

```diff
-    "allowSyntheticDefaultImports": true
+    // relies on base tsconfig
```

backend/Dockerfile (10)
4-4: Pin image by digest or add a policy to update regularly
FROM node:20-alpine3.22 is fine, but not pinning a digest can lead to non-reproducible builds as the tag moves. Consider pinning a sha256 digest or using Renovate to track base image updates.

```diff
-FROM node:20-alpine3.22 AS base
+FROM node:20-alpine3.22@sha256:<digest> AS base
```

17-19: Avoid apk upgrade in containers; keep images minimal
apk upgrade increases image size and may diverge from the tested base. Prefer relying on the upstream base image updates and only apk add the few tools required.

```diff
-RUN echo "$http_proxy $no_proxy" && set -x && \
-    apk update && apk upgrade && apk add --no-cache curl
+RUN set -x && apk add --no-cache curl
```

If you want the package index cleared, add: rm -rf /var/cache/apk/*

31-31: Upgrading npm to latest can cause hard-to-reproduce builds
Blindly moving to npm@latest at build time may change lockfile semantics. Pin a major version (e.g., npm@10) or avoid unless explicitly needed.

```diff
-RUN [ -z "${NPM_LATEST}" ] || npm i npm@latest -g
+RUN [ -z "${NPM_LATEST}" ] || npm i -g npm@10
```

60-64: Avoid defining VOLUME in Dockerfile for app paths
VOLUME here creates anonymous volumes that can mask container writes and complicate cleanup. Prefer bind mounts via docker-compose for dev workflows.

```diff
-VOLUME /${app_path}/src
-VOLUME /${app_path}/dist
-VOLUME /${app_path}/tests
-VOLUME /${app_path}/data
+# Use volumes in compose/dev, not in the image
```

78-82: Minor: avoid re-copying tsconfig.json; ensure both configs are available
The build stage inherits files from development, so copying tsconfig.json again is redundant. If you want a self-contained build stage, copy both configs explicitly.

```diff
-COPY tsconfig.json ./
+COPY tsconfig*.json ./
```

95-99: Set safe defaults for ARGs and avoid copying tests into the runtime image
If app_path isn’t provided, WORKDIR /$app_path becomes /. Also, tests inflate image size.

```diff
-ARG app_path
+ARG app_path=/app
 ...
-COPY tests ./tests
-# (Optional) keep data if truly needed at runtime
+# Avoid copying tests in final image
```

109-112: You likely don’t need to apk add tar; busybox tar is present
Alpine’s busybox includes tar that can extract .tar.gz. You can avoid installing/removing tar and reduce layers.

```diff
-RUN apk --no-cache add curl tar && \
-    tar -zxvf dist.tar.gz && \
-    rm -rf dist.tar.gz && apk del tar
+RUN tar -zxf dist.tar.gz && rm -f dist.tar.gz
```

Keep curl only if needed by the HEALTHCHECK (it is).

117-117: Guard EXPOSE against missing ARG and align with runtime
If port ARG isn’t provided at build time, EXPOSE ${port} will expand to empty and fail. Provide a default.

```diff
-ARG port
+ARG port=8080
 ...
-EXPOSE ${port}
+EXPOSE ${port}
```

Also ensure the app honors PORT or the same value at runtime.

14-16: Set a default app_path to avoid WORKDIR=/
If app_path is unset, WORKDIR /$app_path becomes /. Provide a sane default once and reuse across stages.

```diff
-ARG app_path
+ARG app_path=/app
 WORKDIR /$app_path
```

Apply this in all stages using app_path.
Also applies to: 95-96

10-10: Remove unused build arg
MIRROR_DEBIAN is defined but not used and the image is Alpine-based.

```diff
-ARG MIRROR_DEBIAN
```
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
backend/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (5)
- backend/Dockerfile (4 hunks)
- backend/package.json (2 hunks)
- backend/src/controllers/bulk.webhook.spec.ts (1 hunks)
- backend/tsconfig.json (1 hunks)
- backend/tsconfig.tsoa.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
- backend/package.json
- backend/src/controllers/bulk.webhook.spec.ts
- backend/tsconfig.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: 🐳 Build docker image
🔇 Additional comments (3)
backend/tsconfig.tsoa.json (1)
12-12: Consider letting TSOA parse controllers without compiling them
Limiting include to ["src/tsoa.ts"] is fine if you only transpile the generator. Verify that TSOA’s internal TypeScript program still points at your base tsconfig to analyze controllers. If route/spec generation starts missing decorators or types, you may need to pass the correct tsconfig path to TSOA or ensure controllers are visible to its compiler host (not necessarily to tsc here).
backend/Dockerfile (2)
65-65: Good: copy tsconfig*.json to support multiple TS configs
This aligns with the new tsconfig.tsoa.json and avoids missing config issues in dev containers.
83-83: Nice: pack dist as a single artifact
Creating dist.tar.gz simplifies copy to the production stage and reduces layer count.
| # Step 4: "production" target # | ||
| ############################### | ||
| FROM node:20-alpine3.18 AS production | ||
| FROM node:20-alpine3.22 AS production |
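Review bot: the production `FROM` on the last line of this hunk repeats the `node:20-alpine3.22` tag the base stage also declares, so the stages can drift apart on the next bump (this hunk itself shows 3.18 giving way to 3.22 in one place). Declare the tag once before the first FROM, `ARG NODE_IMAGE=node:20-alpine3.22`, and write `FROM ${NODE_IMAGE} AS production`, or use `FROM base AS production` to also keep the npm proxy/registry configuration made in base.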
🛠️ Refactor suggestion
Production stage drops proxy/registry settings; consider inheriting from base
Production uses a fresh node:20-alpine3.22, so npm proxy/registry settings are lost. If your builds run behind a proxy or need a private registry, either repeat the setup or derive from base.
```diff
-FROM node:20-alpine3.22 AS production
+FROM base AS production
```

Alternatively, duplicate the proxy npm config block in this stage.
🤖 Prompt for AI Agents
In backend/Dockerfile around line 88, the production stage resets npm
proxy/registry settings by starting FROM node:20-alpine3.22 AS production;
either change this stage to inherit the configured base stage (e.g., use FROM
base AS production where "base" is the earlier stage that set npm
proxy/registry) or copy/duplicate the npm proxy/registry setup (the same npm
config / .npmrc creation and ENV settings) into the production stage so proxy
and private registry settings are preserved during production image build.
| "compilerOptions": { | ||
| "strict": false, | ||
| "noImplicitAny": false, | ||
| "noImplicitReturns": false, | ||
| "noImplicitThis": false, | ||
| "noUnusedLocals": false, | ||
| "noUnusedParameters": false, | ||
| "allowSyntheticDefaultImports": true | ||
| }, |
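Review bot: none of the six `false` values in this block records which TSOA error it suppresses, so nobody can safely re-enable any of them later; tsconfig files accept `//` comments, so annotate each relaxed flag with the check it works around. `allowSyntheticDefaultImports` on the second-to-last line duplicates the base config this file extends and can go.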
🛠️ Refactor suggestion
Avoid globally disabling TypeScript safety; scope relaxations to what TSOA actually needs
Turning off strictness and all the implicit/unused checks will hide genuine issues while generating routes/specs. Since this config only compiles src/tsoa.ts, prefer keeping type safety on and selectively relaxing flags that TSOA cannot handle, plus enabling faster compiles.
Apply this diff to tighten the config while improving speed:
```diff
   "compilerOptions": {
-    "strict": false,
-    "noImplicitAny": false,
-    "noImplicitReturns": false,
-    "noImplicitThis": false,
-    "noUnusedLocals": false,
-    "noUnusedParameters": false,
-    "allowSyntheticDefaultImports": true
+    "strict": true,
+    "noImplicitAny": true,
+    "noImplicitReturns": true,
+    "noImplicitThis": true,
+    "noUnusedLocals": false, // keep off if generation trips on unused locals
+    "noUnusedParameters": false, // keep off if generation trips on unused params
+    "skipLibCheck": true, // faster compiles; safe for tool entry points
+    "allowSyntheticDefaultImports": true
   },
```

If TSOA breaks under strict, relax only the minimum flags it complains about (typically noUnused*, not the core strictness).
🤖 Prompt for AI Agents
In backend/tsconfig.tsoa.json around lines 3 to 11, the tsconfig currently
disables TypeScript strictness and all implicit/unused checks which hides real
issues; restore strict mode and core safety flags (set "strict": true and
re-enable "noImplicitAny", "noImplicitReturns", "noImplicitThis") while only
relaxing the specific flags TSOA actually fails on (for example keep
"noUnusedLocals" and "noUnusedParameters" disabled only if TSOA errors require
it), and add compile-speed options such as "incremental": true and
"skipLibCheck": true to speed builds without sacrificing type safety; adjust
only the minimum flags necessary after running TSOA and keep a comment noting
any relaxed flags.
| "noUnusedParameters": false, | ||
| "allowSyntheticDefaultImports": true | ||
| }, | ||
| "include": ["src/tsoa.ts"] |
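Review bot: `"include": ["src/tsoa.ts"]` narrows the root file list, not the type-check: tsc still compiles everything src/tsoa.ts imports transitively, so any controllers it pulls in are checked under the relaxed flags as well. And because `include` in an extending config replaces rather than merges with the base's `include`, ambient `*.d.ts` files the base listed are dropped for this build. Confirm the entry imports only what the generator needs, and add the base's declaration globs here if it relied on any.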
💡 Verification agent
🧩 Analysis chain
Confirm Node typings/module resolution come from the base config
src/tsoa.ts uses Node APIs (process.env, paths). Ensure the extended tsconfig.json sets:
- "types": ["node"]
- "moduleResolution": "NodeNext" (or "Node") consistent with your module setting
- "target" and "module" aligned with Node 20.
Run this quick check to confirm:
🏁 Script executed:

```bash
#!/bin/bash
# Verify base TS config has Node typings and desired module resolution
rg -nC2 -g 'backend/tsconfig.json' -e '"types"\s*:\s*\[' -e '"moduleResolution"' -e '"target"' -e '"module"'
```

Length of output: 664
Add explicit Node typings to the base TS config
The base backend/tsconfig.json already defines
- "module": "commonjs"
- "target": "es2021"
- "moduleResolution": "node"

but it does not explicitly include the Node type definitions. Please update backend/tsconfig.json under compilerOptions to add:

```diff
--- a/backend/tsconfig.json
+++ b/backend/tsconfig.json
@@ -4,6 +4,7 @@
   "skipLibCheck": true,
   "esModuleInterop": true,
   "allowSyntheticDefaultImports": true,
+  "types": ["node"],
   "module": "commonjs",
   "target": "es2021",
   "moduleResolution": "node",
```

This ensures that backend/tsconfig.tsoa.json (which extends the base config) picks up the Node API typings (process.env, filesystem paths, etc.). If you plan to adopt ECMAScript modules in the future, you may also wish to switch "module" to "es2021" (or later) and "moduleResolution" to "nodenext".
🤖 Prompt for AI Agents
In backend/tsconfig.tsoa.json around line 12, the project inherits from
backend/tsconfig.json which lacks explicit Node typings; update
backend/tsconfig.json under the "compilerOptions" section to add "types":
["node"] (so the Node API types like process.env and fs are available to
extensions such as tsconfig.tsoa.json); keep existing compilerOptions and only
add the types array, or if you have other global types, include "node" alongside
them.
19bcfb4 to 93da676
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
backend/Dockerfile (2)
113-119: Fix HEALTHCHECK on Alpine: replace bash with sh and avoid hard-coded port 8080
Alpine images don’t include bash by default, so the current healthcheck will fail when the curl check fails. It also hard-codes port 8080 while the image exposes ${port}. Recommend switching to /bin/sh and parameterizing the port via an ENV that expands at runtime. Also, healthchecks should report status, not kill the container; let the orchestrator handle restarts.
Apply:

```diff
-ENV NODE_ENV=production
+ENV NODE_ENV=production
+ENV PORT=${port}
-HEALTHCHECK --interval=5m --timeout=2m --start-period=45s \
-  CMD curl -f --silent --retry 6 --max-time 5 --retry-delay 10 --retry-max-time 60 "http://localhost:8080/deces/api/v1/healthcheck" || bash -c 'kill -s 15 -1 && (sleep 10; kill -s 9 -1)'
+HEALTHCHECK --interval=5m --timeout=2m --start-period=45s \
+  CMD sh -c 'curl -fsS --retry 6 --max-time 5 --retry-delay 10 --retry-max-time 60 "http://localhost:${PORT}/deces/api/v1/healthcheck"'
```
46-52: Use lockfile + npm ci for deterministic, smaller, and faster installs
Both dev and prod stages ignore package-lock.json and use npm install. Prefer npm ci and copy package-lock to guarantee reproducible builds and avoid accidental upgrades. In prod, use --omit=dev.

```diff
-COPY package.json ./
+COPY package*.json ./
-RUN if [ -z "${NPM_VERBOSE}" ]; then\
-    npm install; \
-  else \
-    npm install --verbose; \
-  fi
+RUN if [ -z "${NPM_VERBOSE}" ]; then \
+    npm ci; \
+  else \
+    npm ci --verbose; \
+  fi
```

```diff
-COPY package.json ./
+COPY package*.json ./
-# Install production dependencies and clean cache
-RUN npm install --production && \
+# Install production dependencies and clean cache
+RUN npm ci --omit=dev && \
     npm config set audit-level high && \
     npm audit --json --registry=https://registry.npmjs.org || ${NPM_AUDIT_DRY_RUN:-false} && \
     npm cache clean --force
```

Also applies to: 97-105
♻️ Duplicate comments (1)
backend/Dockerfile (1)
88-88: Production stage drops npm proxy/registry config by not inheriting base
Production starts FROM a fresh node:20-alpine3.22, so any npm proxy/registry settings configured in base are lost before npm install. If you require proxies or a private registry in production, inherit from base or duplicate the config.

```diff
-FROM node:20-alpine3.22 AS production
+FROM base AS production
```

If you adopt this, ensure you’re not unintentionally carrying over a relaxed strict-ssl into production; consider explicitly re-enabling it there if needed.
🧹 Nitpick comments (4)
backend/Dockerfile (4)
80-81: Keep tsconfig copy patterns consistent across stages
Dev copies tsconfig*.json but build copies only tsconfig.json. If build or tooling (e.g., tsoa) relies on tsconfig.tsoa.json, builds may break or behave differently than dev.

```diff
-COPY tsconfig.json ./
+COPY tsconfig*.json ./
```

98-100: Avoid copying tests and data into the production image
Tests and sample data inflate the image and can accidentally leak fixtures. Prefer excluding them from the prod stage, or mount at runtime if needed.

```diff
-COPY tests ./tests
-COPY data ./data
+# tests and dev data are intentionally excluded from production
```

95-119: Run the app as a non-root user in production
Harden the image by dropping root. Node images include a node user; ensure ownership before switching.

```diff
 WORKDIR /$app_path
@@
 COPY --from=build /${app_path}/dist.tar.gz /${app_path}/
 RUN apk --no-cache add curl tar && \
     tar -zxvf dist.tar.gz && \
-    rm -rf dist.tar.gz && apk del tar
+    rm -rf dist.tar.gz && \
+    chown -R node:node /${app_path} && \
+    apk del tar
+
+USER node
```

Note: if you keep installing prod deps as root into a global prefix, ensure they remain readable by node.

22-29: Use the proper npm “noproxy” key or rely on NO_PROXY env
The npm config key is spelled noproxy (no dash) and by default inherits the value of your NO_PROXY/no_proxy environment variable. The line npm config set no-proxy $no_proxy will create an unrecognized setting and have no effect. You can:
- Remove it entirely and let npm honor NO_PROXY/no_proxy
- Or correct it to the documented key:

```diff
-    npm config set no-proxy $no_proxy; \
+    npm config set noproxy $no_proxy; \
```

Locations to update:
- backend/Dockerfile lines 22–29
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (4)
- backend/Dockerfile (4 hunks)
- backend/package.json (2 hunks)
- backend/tsconfig.json (1 hunks)
- backend/tsconfig.tsoa.json (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
- backend/tsconfig.tsoa.json
- backend/tsconfig.json
- backend/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: 🐳 Build docker image
| # update alpine w/proxy & mirror | ||
| RUN echo "$http_proxy $no_proxy" && set -x && \ | ||
| apk update && apk upgrade && apk add --no-cache curl |
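Review bot: the `echo "$http_proxy $no_proxy"` on the second line of this hunk prints to the build log, which is already enough to leak a credentialed proxy URL into CI output, and if `http_proxy`/`no_proxy` are declared with `ARG` in this Dockerfile their values are additionally recorded alongside the RUN instruction in `docker history`. Drop the echo (and the `set -x`, which only traces three fixed commands), and pass proxies through Docker's predefined proxy build args without redeclaring them, since those are excluded from history.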
Don’t echo proxy values into image layers (secrets leak risk)
echo "$http_proxy $no_proxy" writes potentially credentialed proxy URLs into the image layer history. Remove it to avoid leaking secrets via docker history.
```diff
-# update alpine w/proxy & mirror
-RUN echo "$http_proxy $no_proxy" && set -x && \
-    apk update && apk upgrade && apk add --no-cache curl
+# update alpine
+RUN apk update && apk upgrade && apk add --no-cache curl
```
🤖 Prompt for AI Agents
In backend/Dockerfile around lines 17-19, the RUN command currently echoes
"$http_proxy $no_proxy" which writes sensitive proxy URLs into the image layer
history; remove that echo from the RUN line so the command just performs set -x
&& apk update && apk upgrade && apk add --no-cache curl, and if you need to
validate proxy configuration during builds do so outside of the image (use
build-time logs, CI job checks, or docker build args inspected at build time)
rather than printing environment variables into a layer.
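Pulling the Dockerfile findings from the three review rounds above together, here is an added example of a base, build and production stage that applies them: one tag shared by every stage, no proxy values echoed into the build, quoted npm config with the `noproxy` key, `npm ci` against the lockfile, the production stage inheriting from base, a non-root user, a healthcheck that exits non-zero instead of signalling PID 1, and a port carried into runtime via ENV. This is illustrative code written for this page, not the project's Dockerfile; the app path, port, healthcheck route, the `build` script emitting ./dist, the `dist/index.js` entry point and the `node` user from the official image are assumptions, and `<digest>` is a placeholder.

```dockerfile
# Added example (not the project's Dockerfile). Paths, port, healthcheck route,
# build script and entry point are assumptions; replace <digest> with a real one.

# One tag for every stage, so a future bump cannot leave stages on different
# Alpine releases. Pin a digest once you have one: node:20-alpine3.22@sha256:<digest>
ARG NODE_IMAGE=node:20-alpine3.22

###############################
# Step 1: "base" target       #
###############################
FROM ${NODE_IMAGE} AS base
# Defaults so WORKDIR can never collapse to "/" and EXPOSE never expands to nothing.
ARG app_path=/app
ARG port=8080
# Registry URL only; auth tokens are never passed as build args.
ARG npm_registry
WORKDIR ${app_path}

# No `echo "$http_proxy $no_proxy"` and no `ARG http_proxy`: Docker's predefined
# proxy build args reach apk and npm through the environment and stay out of
# `docker history` as long as they are not redeclared with ARG.
RUN apk add --no-cache curl

# Quote every value; the npm key is `noproxy` (no hyphen). strict-ssl is left alone.
RUN if [ -n "$http_proxy" ]; then \
      npm config set proxy "$http_proxy" && \
      npm config set https-proxy "${https_proxy:-$http_proxy}" && \
      npm config set noproxy "$no_proxy"; \
    fi && \
    if [ -n "$npm_registry" ]; then npm config set registry "$npm_registry"; fi

###############################
# Step 2: "build" target      #
###############################
FROM base AS build
# Lockfile first, then `npm ci`: exact, reproducible, cached until the lock changes.
COPY package.json package-lock.json ./
RUN npm ci
# Both tsconfig.json and tsconfig.tsoa.json are needed by the tsoa/build scripts.
COPY tsconfig*.json ./
COPY src ./src
# Assumption: "npm run build" runs the tsoa step and emits ./dist
RUN npm run build

###############################
# Step 3: "production" target #
###############################
# FROM base, not a fresh node image, so proxy/registry settings carry over.
FROM base AS production
ARG app_path=/app
ARG port=8080
# ENV (unlike ARG) survives into the running container, so the healthcheck can read PORT.
ENV NODE_ENV=production \
    PORT=${port}
WORKDIR ${app_path}

COPY package.json package-lock.json ./
# Production deps only; `npm audit` runs in CI, not inside the image build.
RUN npm ci --omit=dev && npm cache clean --force
COPY --from=build ${app_path}/dist ./dist
# tests/ and data/ are deliberately not copied into the runtime image.

# Drop root: the official node image ships a `node` user (uid 1000).
RUN chown -R node:node ${app_path}
USER node

EXPOSE ${port}
# Report status only: exit non-zero and let the orchestrator restart the container.
# Shell form runs under busybox sh; Alpine has no bash.
HEALTHCHECK --interval=5m --timeout=2m --start-period=45s \
  CMD curl -fsS --max-time 5 "http://localhost:${PORT}/deces/api/v1/healthcheck" || exit 1

# Assumption: compiled entry point
CMD ["node", "dist/index.js"]
```

To check that no proxy value survived into the image, run `docker history --no-trunc <image>` after a build with `--build-arg http_proxy=http://user:pass@proxy:3128` and confirm the credential string does not appear; the same command is the quickest way to verify that a later edit has not reintroduced an `ARG http_proxy` line.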
Summary by CodeRabbit
Chores
Tests
No user-facing functional changes.