From 771ffdc7ccee2fe12fef7f4d9c325a2a8ae21850 Mon Sep 17 00:00:00 2001
From: Manuel Raynaud
Date: Mon, 31 Mar 2025 20:25:00 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=A5(y-provider)=20remove=20npm=20in=20?= =?UTF-8?q?docker=20image?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We use yarn and not npm, we remove npm because it has a dependencie with cross-spawn which has a CVE.
---
 src/frontend/servers/y-provider/Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/frontend/servers/y-provider/Dockerfile b/src/frontend/servers/y-provider/Dockerfile
index 7ed5a2e7..2e16bdd5 100644
--- a/src/frontend/servers/y-provider/Dockerfile
+++ b/src/frontend/servers/y-provider/Dockerfile
@@ -31,6 +31,9 @@ COPY --from=y-provider-builder \
 
 RUN NODE_ENV=production yarn install --frozen-lockfile
 
+# Remove npm, contains CVE related to cross-spawn and we don't use it.
+RUN rm -rf /usr/local/bin/npm /usr/local/lib/node_modules/npm
+
 # Un-privileged user running the application
 ARG DOCKER_USER
 USER ${DOCKER_USER}
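Review bot: The added `RUN rm -rf /usr/local/bin/npm /usr/local/lib/node_modules/npm` leaves `npx` behind: if the base image is an official Node image (the `FROM` line is outside this hunk), `/usr/local/bin/npx` is a symlink into the npm directory and becomes dangling, so it is cleaner to delete it in the same command, `RUN rm -rf /usr/local/bin/npm /usr/local/bin/npx /usr/local/lib/node_modules/npm`. Because the deletion runs in its own layer, the npm files still exist in the base layer of the image; the merged filesystem no longer exposes them, but the image does not get smaller and a scanner that inspects layers individually may still report the package. The comment would also age better if it named the advisory, e.g. `# Remove npm (unused, yarn only): bundled cross-spawn is affected by <CVE-ID>`, so the step can be dropped once the base image ships a fixed npm.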