
Server: Pin pm2-logrotate version to prevent supply chain attacks (#13235)

This commit is contained in:
Laurent Cozic
2025-09-18 12:03:57 +01:00
committed by GitHub
parent a118615e06
commit 6f375be8b9


@@ -73,8 +73,10 @@ USER $user
COPY --chown=$user:$user --from=builder /build/packages /home/$user/packages COPY --chown=$user:$user --from=builder /build/packages /home/$user/packages
COPY --chown=$user:$user --from=builder /usr/bin/tini /usr/local/bin/tini COPY --chown=$user:$user --from=builder /usr/bin/tini /usr/local/bin/tini
# Install pm2-logrotate and default settings as the runtime user # We download a specific version of the plugin to prevent pm2 from fetching the latest, since it may
RUN pm2 install pm2-logrotate \ # not have been properly audited (that fact was used to spread malware at some point). Ref:
# https://github.com/laurent22/joplin/issues/12754
RUN pm2 install https://registry.npmjs.org/pm2-logrotate/-/pm2-logrotate-3.0.0.tgz \
&& pm2 set pm2-logrotate:max_size 100MB \ && pm2 set pm2-logrotate:max_size 100MB \
&& pm2 set pm2-logrotate:retain 5 \ && pm2 set pm2-logrotate:retain 5 \
&& pm2 set pm2-logrotate:compress true && pm2 set pm2-logrotate:compress true
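Review bot: The new `RUN pm2 install https://registry.npmjs.org/pm2-logrotate/-/pm2-logrotate-3.0.0.tgz` line fixes the version but not the content: the tarball is fetched at build time with no digest check, so a tampered registry response or an archive republished under the same version would still be installed, which is the class of risk the new comment above describes. Because the stage is already under `USER $user` (the hunk's header context), the archive can be fetched with a pinned digest and installed from the local path instead: `ADD --checksum=sha256:<EXPECTED_SHA256_PLACEHOLDER> --chown=$user:$user https://registry.npmjs.org/pm2-logrotate/-/pm2-logrotate-3.0.0.tgz /tmp/pm2-logrotate-3.0.0.tgz`, then `RUN pm2 install /tmp/pm2-logrotate-3.0.0.tgz \` at the head of the existing chain and `&& rm /tmp/pm2-logrotate-3.0.0.tgz` at its end. The expected digest should be computed from a copy of the archive verified out of band and recorded beside the comment so a later version bump updates both together. This assumes `pm2 install` accepts a local tarball path the way it accepts a URL, and that the build runs under the BuildKit Dockerfile frontend where `ADD --checksum` is available; neither is visible in this hunk.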