From e40b1d474f3c2a97d3b19b5c3529bbee5e1e1815 Mon Sep 17 00:00:00 2001 From: Makar Dzhehur Date: Wed, 20 May 2026 09:37:21 +0300 Subject: [PATCH 1/4] fix(security): upgrade npm in Docker images to patch picomatch, brace-expansion, ip-address CVEs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CVEs addressed: - CVE-2026-33671 (HIGH) picomatch 4.0.3 → 4.0.4 ReDoS via extglob - CVE-2026-33672 (MEDIUM) picomatch 4.0.3 → 4.0.4 method injection via POSIX bracket - CVE-2026-45149 (MEDIUM) brace-expansion 5.0.4 → 5.0.6 large numeric range DoS - CVE-2026-33750 (MEDIUM) brace-expansion 5.0.4 → 5.0.5 zero-step DoS - CVE-2026-42338 (MEDIUM) ip-address 10.1.0 → 10.1.1 All vulns live in npm's own bundled deps at usr/local/lib/node_modules/npm/node_modules/. Fix: upgrade npm@latest in base and runner stages of all three Dockerfiles. --- apps/api/Dockerfile | 2 ++ apps/bot/Dockerfile | 2 ++ apps/web/Dockerfile | 2 ++ 3 files changed, 6 insertions(+) diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile index d942a41..f1c1dbf 100644 --- a/apps/api/Dockerfile +++ b/apps/api/Dockerfile @@ -1,5 +1,6 @@ FROM node:24-alpine AS base WORKDIR /app +RUN npm install -g npm@latest COPY package.json /tmp/package.json RUN corepack enable && \ PNPM_VERSION=$(node -e "process.stdout.write(require('/tmp/package.json').packageManager.split('@')[1])") && \ @@ -36,6 +37,7 @@ RUN pnpm --filter fintrack-api deploy --prod /deploy # ── runner ──────────────────────────────────────────────────────────────────── FROM node:24-alpine AS runner WORKDIR /app +RUN npm install -g npm@latest ENV NODE_ENV=production diff --git a/apps/bot/Dockerfile b/apps/bot/Dockerfile index f5597fd..e73ec0e 100644 --- a/apps/bot/Dockerfile +++ b/apps/bot/Dockerfile 
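Review bot: `RUN npm install -g npm@latest` (added to both the base and runner stages of apps/api/Dockerfile) is unpinned, so whether CVE-2026-33671 and the other listed CVEs are actually gone depends on what the registry serves at build time, and a regressed or tampered npm release would be pulled in unreviewed. Pin the first npm version that bundles the fixed picomatch, brace-expansion and ip-address, e.g. `RUN npm install -g npm@<pinned-version> && npm cache clean --force`, and let the scanner drive future bumps. In the runner stage it also looks as if npm is not needed at all — the stage consumes the `pnpm deploy --prod /deploy` output and its CMD/ENTRYPOINT is outside this hunk, so confirm — in which case `RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx` removes the vulnerable bundled dependencies from the shipped image instead of patching them in place. The runner stage continues beyond the end of the hunk.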
@@ -1,5 +1,6 @@ FROM node:24-alpine AS base WORKDIR /app +RUN npm install -g npm@latest COPY package.json /tmp/package.json RUN corepack enable && \ PNPM_VERSION=$(node -e "process.stdout.write(require('/tmp/package.json').packageManager.split('@')[1])") && \ @@ -33,6 +34,7 @@ RUN pnpm --filter fintrack-bot deploy --prod /deploy # ── runner ──────────────────────────────────────────────────────────────────── FROM node:24-alpine AS runner WORKDIR /app +RUN npm install -g npm@latest ENV NODE_ENV=production diff --git a/apps/web/Dockerfile b/apps/web/Dockerfile index f1a774a..bbb8923 100644 --- a/apps/web/Dockerfile +++ b/apps/web/Dockerfile @@ -1,5 +1,6 @@ FROM node:24-alpine AS base WORKDIR /app +RUN npm install -g npm@latest COPY package.json /tmp/package.json RUN corepack enable && \ PNPM_VERSION=$(node -e "process.stdout.write(require('/tmp/package.json').packageManager.split('@')[1])") && \ @@ -33,6 +34,7 @@ RUN pnpm --filter fintrack-web build # ── runner ──────────────────────────────────────────────────────────────────── FROM node:24-alpine AS runner WORKDIR /app +RUN npm install -g npm@latest ENV NODE_ENV=production ENV NEXT_TELEMETRY_DISABLED=1 ENV HOSTNAME=0.0.0.0 From 7dc9dd36056409ef729e894aa54d51c0e25e74f2 Mon Sep 17 00:00:00 2001 From: Makar Dzhehur Date: Wed, 20 May 2026 10:53:04 +0300 Subject: [PATCH 2/4] fix(security): patch brace-expansion to 5.0.6 and add workflow_dispatch for branch scanning --- .github/workflows/release.yml | 1 + apps/api/Dockerfile | 12 ++++++++++-- apps/bot/Dockerfile | 12 ++++++++++-- apps/web/Dockerfile | 12 ++++++++++-- 4 files changed, 31 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c4b8564..0de0e42 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,6 +5,7 @@ on: branches: [master, main] push: branches: [master, main] + workflow_dispatch: jobs: build-scan: 
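Review bot: The `RUN npm install -g npm@latest` lines added to apps/bot and apps/web leave npm's download cache under `/root/.npm` inside the layer, including in the production runner stages; append `&& npm cache clean --force` to the same RUN so nothing but the upgraded npm persists. The identical stanza is now repeated six times across the three Dockerfiles, so the version (once pinned) should live in one place — a build ARG shared by the stages, or a single internal base image the three files `FROM` — so the copies cannot drift apart when the next CVE lands.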
diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile index f1c1dbf..087ffc9 100644 --- a/apps/api/Dockerfile +++ b/apps/api/Dockerfile @@ -1,6 +1,10 @@ FROM node:24-alpine AS base WORKDIR /app -RUN npm install -g npm@latest +RUN npm install -g npm@latest && \ + mkdir -p /tmp/patch && cd /tmp/patch && npm init -y && \ + npm install brace-expansion@^5.0.6 && \ + cp -r node_modules/brace-expansion /usr/local/lib/node_modules/npm/node_modules/ && \ + rm -rf /tmp/patch COPY package.json /tmp/package.json RUN corepack enable && \ PNPM_VERSION=$(node -e "process.stdout.write(require('/tmp/package.json').packageManager.split('@')[1])") && \ @@ -37,7 +41,11 @@ RUN pnpm --filter fintrack-api deploy --prod /deploy # ── runner ──────────────────────────────────────────────────────────────────── FROM node:24-alpine AS runner WORKDIR /app -RUN npm install -g npm@latest +RUN npm install -g npm@latest && \ + mkdir -p /tmp/patch && cd /tmp/patch && npm init -y && \ + npm install brace-expansion@^5.0.6 && \ + cp -r node_modules/brace-expansion /usr/local/lib/node_modules/npm/node_modules/ && \ + rm -rf /tmp/patch ENV NODE_ENV=production diff --git a/apps/bot/Dockerfile b/apps/bot/Dockerfile index e73ec0e..6eae2c2 100644 --- a/apps/bot/Dockerfile +++ b/apps/bot/Dockerfile @@ -1,6 +1,10 @@ FROM node:24-alpine AS base WORKDIR /app -RUN npm install -g npm@latest +RUN npm install -g npm@latest && \ + mkdir -p /tmp/patch && cd /tmp/patch && npm init -y && \ + npm install brace-expansion@^5.0.6 && \ + cp -r node_modules/brace-expansion /usr/local/lib/node_modules/npm/node_modules/ && \ + rm -rf /tmp/patch COPY package.json /tmp/package.json RUN corepack enable && \ PNPM_VERSION=$(node -e "process.stdout.write(require('/tmp/package.json').packageManager.split('@')[1])") && \ 
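Review bot: `cp -r node_modules/brace-expansion /usr/local/lib/node_modules/npm/node_modules/` copies into the existing `brace-expansion` directory rather than replacing it, so any file shipped by the bundled 5.0.4 and dropped in 5.0.6 survives in the image; delete the old copy first, `rm -rf /usr/local/lib/node_modules/npm/node_modules/brace-expansion && cp -r node_modules/brace-expansion /usr/local/lib/node_modules/npm/node_modules/`. `brace-expansion@^5.0.6` is a range, not a pin — the commit title says 5.0.6, so request `brace-expansion@5.0.6` exactly and the build stays reproducible. Two things are not verifiable from the hunk: npm may bundle further nested copies of brace-expansion (e.g. under its own minimatch) that this step does not touch, so check `npm ls brace-expansion` in the built image before trusting the scanner to go quiet, and the replacement's own dependency (balanced-match) must be satisfied by the version npm already bundles, otherwise the `corepack enable` / pnpm bootstrap that follows in the base stage breaks. A comment on the step naming CVE-2026-45149 and CVE-2026-33750 and saying it can be deleted once the installed npm ships brace-expansion >= 5.0.6 would stop it becoming permanent dead code.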
@@ -34,7 +38,11 @@ RUN pnpm --filter fintrack-bot deploy --prod /deploy # ── runner ──────────────────────────────────────────────────────────────────── FROM node:24-alpine AS runner WORKDIR /app -RUN npm install -g npm@latest +RUN npm install -g npm@latest && \ + mkdir -p /tmp/patch && cd /tmp/patch && npm init -y && \ + npm install brace-expansion@^5.0.6 && \ + cp -r node_modules/brace-expansion /usr/local/lib/node_modules/npm/node_modules/ && \ + rm -rf /tmp/patch ENV NODE_ENV=production diff --git a/apps/web/Dockerfile b/apps/web/Dockerfile index bbb8923..fce7763 100644 --- a/apps/web/Dockerfile +++ b/apps/web/Dockerfile @@ -1,6 +1,10 @@ FROM node:24-alpine AS base WORKDIR /app -RUN npm install -g npm@latest +RUN npm install -g npm@latest && \ + mkdir -p /tmp/patch && cd /tmp/patch && npm init -y && \ + npm install brace-expansion@^5.0.6 && \ + cp -r node_modules/brace-expansion /usr/local/lib/node_modules/npm/node_modules/ && \ + rm -rf /tmp/patch COPY package.json /tmp/package.json RUN corepack enable && \ PNPM_VERSION=$(node -e "process.stdout.write(require('/tmp/package.json').packageManager.split('@')[1])") && \ @@ -34,7 +38,11 @@ RUN pnpm --filter fintrack-web build # ── runner ──────────────────────────────────────────────────────────────────── FROM node:24-alpine AS runner WORKDIR /app -RUN npm install -g npm@latest +RUN npm install -g npm@latest && \ + mkdir -p /tmp/patch && cd /tmp/patch && npm init -y && \ + npm install brace-expansion@^5.0.6 && \ + cp -r node_modules/brace-expansion /usr/local/lib/node_modules/npm/node_modules/ && \ + rm -rf /tmp/patch ENV NODE_ENV=production ENV NEXT_TELEMETRY_DISABLED=1 ENV HOSTNAME=0.0.0.0 From d246edd2e2815b4e644147f862985d0f0e464121 Mon Sep 17 00:00:00 2001 
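Review bot: `npm install brace-expansion@^5.0.6` in the throw-away `/tmp/patch` project runs the lifecycle scripts of whatever it resolves, as root, inside every build of apps/bot and apps/web, even though only files are copied out afterwards; for a one-off file grab add `--ignore-scripts --no-audit --no-fund` to the install. The `rm -rf /tmp/patch` at the end of the chain does not remove npm's cache, which lands in `/root/.npm`, so the downloaded tarballs stay in the production runner layer; either keep the cache inside the scratch directory, `npm install --cache /tmp/patch/.npm --ignore-scripts brace-expansion@5.0.6`, or add `npm cache clean --force` to the same RUN. The runner stage continues beyond the end of this hunk, so whether a `USER` directive follows the patch step is not visible here.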
From: Makar Dzhehur Date: Wed, 20 May 2026 11:21:04 +0300 Subject: [PATCH 3/4] =?UTF-8?q?ci:=20fix=20workflow=5Fdispatch=20scan=20?= =?UTF-8?q?=E2=80=94=20push=20image=20to=20GHCR=20so=20Trivy=20can=20find?= =?UTF-8?q?=20it?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0de0e42..1f5a8c8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -37,7 +37,7 @@ jobs: uses: docker/setup-buildx-action@v3 - name: Log in to GHCR (push only) - if: github.event_name == 'push' + if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' uses: docker/login-action@v3 with: registry: ghcr.io @@ -53,7 +53,7 @@ jobs: with: context: . file: ${{ matrix.dockerfile }} - push: ${{ github.event_name == 'push' }} + push: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }} load: ${{ github.event_name == 'pull_request' }} cache-from: type=gha cache-to: type=gha,mode=max From 6b7a08201c18e131469cc280601834457eabeedb Mon Sep 17 00:00:00 2001 From: Makar Dzhehur Date: Wed, 20 May 2026 11:31:13 +0300 Subject: [PATCH 4/4] ci: bump docker/login-action and docker/setup-buildx-action to v4 (Node.js 24) --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1f5a8c8..d42934c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
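Review bot: Pushing on `workflow_dispatch` publishes an image built from whatever branch the run is dispatched on to GHCR, not merely scanning it; with the tagging step outside this hunk I cannot tell whether such a build can land on the same tags as a master/main release, but the step name "Log in to GHCR (push only)" no longer describes the condition either way. If the goal is only to give Trivy an image to scan, the pull_request path already does that without a registry round-trip — extend the load condition instead and keep login/push gated on `push`: `load: ${{ github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' }}`. If publishing really is intended, give dispatched builds a distinct non-release tag (for example suffixed with the short SHA) so an ad-hoc scan cannot overwrite a released image. While here, the actions in this job (`docker/login-action@v3`, `docker/setup-buildx-action@v3`) are referenced by floating major tags; pinning them to commit SHAs would protect the registry credential this step now uses on more trigger types.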
@@ -34,11 +34,11 @@ jobs: uses: actions/checkout@v6 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - name: Log in to GHCR (push only) if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.actor }}