
Always update to latest npm when building docker image #10043

Merged
joehan merged 2 commits into main from jh-update-minimatch-hono on Mar 9, 2026

Conversation

@joehan joehan commented Mar 9, 2026

Description

We've been getting flagged for some vulnerable deps on this image that are coming from NPM itself. To ensure that we get the very latest fixes, this adds a step to update npm itself.

This won't directly fix all the open vulnerabilities, since some of them are merged into npm but not on a released version. However, this will save us in cases where the lts-alpine image doesn't get updated in a timely manner.

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on improving the security and maintainability of the Docker image by ensuring that the Node Package Manager (npm) itself is always updated to its latest version during the image build. This proactive measure helps mitigate vulnerabilities stemming from npm's bundled dependencies and ensures that the image benefits from the most recent security patches and improvements, even if the base lts-alpine image isn't updated immediately.

Highlights

  • Dependency Security: Addressed potential vulnerabilities by ensuring the Docker image uses the latest version of npm, which helps in pulling the most recent fixes for bundled dependencies.
  • Docker Image Build Process: Modified the Dockerfile to explicitly update npm to its latest version early in the build process, enhancing the security posture of the resulting image.
  • Package Dependency Updates: Updated several key dependencies and their overrides in package.json and package-lock.json, including tar, minimatch, balanced-match, and brace-expansion, to newer, more secure versions.


Changelog
  • scripts/publish/firebase-docker-image/Dockerfile
    • Added a RUN command to globally install the latest version of npm at the beginning of the Docker image build.
  • scripts/publish/firebase-docker-image/package-lock.json
    • Updated balanced-match to version 4.0.4.
    • Updated brace-expansion to version 5.0.4.
    • Updated minimatch to version 10.2.4.
    • Updated tar to version 7.5.11.
    • Removed various nested dependency entries for @isaacs/balanced-match, @isaacs/brace-expansion, cacache/node_modules/minimatch, concat-map, glob/node_modules/brace-expansion, glob/node_modules/minimatch, readdir-glob/node_modules/brace-expansion, readdir-glob/node_modules/minimatch, superstatic/node_modules/brace-expansion, and superstatic/node_modules/minimatch, reflecting a flatter dependency tree or removal of older versions.
  • scripts/publish/firebase-docker-image/package.json
    • Updated the tar override version to ^7.5.8.
    • Added a minimatch override with version ^10.2.3.
Activity
  • No human activity (comments, reviews, etc.) has been recorded for this pull request yet.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the Docker build process to always install the latest version of npm, aiming to mitigate vulnerabilities present in npm's bundled dependencies. It also updates package overrides in package.json and regenerates the package-lock.json file. The changes are logical and address the stated goal. I have one suggestion for the Dockerfile to optimize the image build by reducing the number of layers.

FROM node:lts-alpine AS app-env

# Make sure to get the latest version of npm before doing anything else, to avoid vulnerabilities in npm's bundled dependencies.
RUN npm install -g npm@latest
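Review bot: `RUN npm install -g npm@latest` resolves to whatever version the registry serves at build time, so the npm version baked into the image is not tied to the commit being built and two builds of the same revision can differ. If reproducibility of this image matters, pin an explicit version and bump it alongside the override updates in package.json; at minimum, run `npm --version` right after this step so the resolved version is recorded in the build log.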
medium

To optimize the Docker image size and reduce the number of layers, it's a good practice to chain RUN commands together using &&. This RUN command could be combined with the next one on line 7.

For example:

RUN npm install -g npm@latest && \
    apk update && \
    apk add --no-cache python3 openjdk21-jre-headless bash && \
    ...

This creates a single layer for multiple commands, leading to a more efficient image. You could also consider adding npm cache clean --force after the npm install to further reduce the layer size.
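As an added check (example code written for this page, not part of the PR or the firebase-tools repository): a small POSIX sh function that a CI job could run to enforce the point of the PR description and of the chained-RUN suggestion above, namely that the npm self-update is the first RUN instruction in the Dockerfile so no later step runs with the base image's npm. The two sample Dockerfiles are constructed; only the FROM and apk lines are taken from the page, and the shape of the rest is an assumption.

```shell
#!/bin/sh
# Added CI check (example, not the project's own code): confirm that a Dockerfile
# updates npm itself in its very first RUN instruction, so that no later step
# (apk, npm install, ...) runs with the npm bundled in the base image.
# Returns 0 when the check passes, 1 otherwise.
npm_update_first() {
    dockerfile=$1
    # Line number of the first RUN instruction in the file
    first_run=$(grep -n -E '^[[:space:]]*RUN[[:space:]]' "$dockerfile" | head -n 1 | cut -d: -f1)
    # Line number of the npm self-update command (global install of npm@latest)
    update_line=$(grep -n -E 'npm install -g npm@latest' "$dockerfile" | head -n 1 | cut -d: -f1)
    [ -n "$update_line" ] || { echo "$dockerfile: npm is never updated" >&2; return 1; }
    [ "$update_line" = "$first_run" ] || {
        echo "$dockerfile: npm update (line $update_line) is not the first RUN (line $first_run)" >&2
        return 1
    }
    return 0
}

# Constructed sample Dockerfiles (assumed layout; the PR's full Dockerfile is not shown)
GOOD_DF=$(mktemp)
cat > "$GOOD_DF" <<'EOF'
FROM node:lts-alpine AS app-env
RUN npm install -g npm@latest && \
    apk update && \
    apk add --no-cache python3 openjdk21-jre-headless bash && \
    npm cache clean --force
EOF

BAD_DF=$(mktemp)
cat > "$BAD_DF" <<'EOF'
FROM node:lts-alpine AS app-env
RUN apk update && apk add --no-cache python3 openjdk21-jre-headless bash
RUN npm install -g npm@latest
EOF

npm_update_first "$GOOD_DF" && echo "good Dockerfile: ok"
npm_update_first "$BAD_DF" || echo "bad Dockerfile: rejected"
```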

@tammam-g tammam-g self-requested a review March 9, 2026 20:34
@joehan joehan merged commit 02e7088 into main Mar 9, 2026
26 checks passed
@joehan joehan deleted the jh-update-minimatch-hono branch March 9, 2026 20:37
