Skip to content

fix: Docker distroless build failure and critical security updates #22601

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
robobun wants to merge 2 commits into from
Closed

fix: Docker distroless build failure and critical security updates #22601

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
62ad6a2
fix: Docker distroless build failure and security updates
Sep 12, 2025
7e2d748
chore: remove unnecessary test script
Sep 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions dockerhub/alpine/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM alpine:3.20 AS build
FROM alpine:3.21 AS build

# https://github.com/oven-sh/bun/releases
ARG BUN_VERSION=latest
Expand Down Expand Up @@ -44,7 +44,7 @@ RUN apk --no-cache add ca-certificates curl dirmngr gpg gpg-agent unzip \
&& rm -f "bun-linux-$build.zip" SHASUMS256.txt.asc SHASUMS256.txt \
&& chmod +x /usr/local/bin/bun

FROM alpine:3.20
FROM alpine:3.21

# Disable the runtime transpiler cache by default inside Docker containers.
# On ephemeral containers, the cache is not useful
Expand Down
17 changes: 9 additions & 8 deletions dockerhub/distroless/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ RUN apt-get update -qq \
&& which bun \
&& bun --version

FROM gcr.io/distroless/base-nossl-debian11
FROM gcr.io/distroless/base-nossl-debian12

# Disable the runtime transpiler cache by default inside Docker containers.
# On ephemeral containers, the cache is not useful
Expand All @@ -69,16 +69,17 @@ ENV BUN_INSTALL_BIN=${BUN_INSTALL_BIN}
COPY --from=build /usr/local/bin/bun /usr/local/bin/
ENV PATH "${PATH}:/usr/local/bun-node-fallback-bin"

# Temporarily use the `build`-stage image binaries to create a symlink:
# Temporarily use the `build`-stage image binaries to create symlinks:
# We must use the shell from the build stage since distroless has no shell
RUN --mount=type=bind,from=build,source=/usr/bin,target=/usr/bin \
--mount=type=bind,from=build,source=/bin,target=/bin \
--mount=type=bind,from=build,source=/usr/lib,target=/usr/lib \
--mount=type=bind,from=build,source=/lib,target=/lib \
<<EOF
ln -s /usr/local/bin/bun /usr/local/bin/bunx
which bunx
mkdir -p /usr/local/bun-node-fallback-bin
ln -s /usr/local/bin/bun /usr/local/bun-node-fallback-bin/nodebun
EOF
/bin/sh -c ' \
ln -s /usr/local/bin/bun /usr/local/bin/bunx && \
which bunx && \
mkdir -p /usr/local/bun-node-fallback-bin && \
ln -s /usr/local/bin/bun /usr/local/bun-node-fallback-bin/node \
'
Comment on lines +72 to +83
Copy link
Contributor

@coderabbitai coderabbitai bot Sep 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

“which” may be unavailable; use POSIX builtin and make symlinks idempotent.

On Debian slim, which isn’t guaranteed (and the mounted build stage may not have it). Use command -v (POSIX builtin) and make ln idempotent with -sf to avoid failures on cache rebuilds.

 RUN --mount=type=bind,from=build,source=/usr/bin,target=/usr/bin \
     --mount=type=bind,from=build,source=/bin,target=/bin \
     --mount=type=bind,from=build,source=/usr/lib,target=/usr/lib \
     --mount=type=bind,from=build,source=/lib,target=/lib \
-    /bin/sh -c ' \
-      ln -s /usr/local/bin/bun /usr/local/bin/bunx && \
-      which bunx && \
-      mkdir -p /usr/local/bun-node-fallback-bin && \
-      ln -s /usr/local/bin/bun /usr/local/bun-node-fallback-bin/node \
-    '
+    /bin/sh -c ' \
+      ln -sf /usr/local/bin/bun /usr/local/bin/bunx && \
+      command -v bunx >/dev/null && \
+      mkdir -p /usr/local/bun-node-fallback-bin && \
+      ln -sf /usr/local/bin/bun /usr/local/bun-node-fallback-bin/node \
+    '
🤖 Prompt for AI Agents 
In dockerhub/distroless/Dockerfile around lines 72 to 83, the RUN uses the
external which and non-idempotent ln calls; replace uses of which with the POSIX
builtin command -v to check for bun and change ln to use -sf (force/symbolic) so
creating symlinks is idempotent and won’t fail on cache rebuilds or when which
is absent; ensure the shell invocation uses /bin/sh -c as before and adjust the
single-quoted command to perform command -v bun >/dev/null 2>&1 and create
symlinks with ln -sf.


ENTRYPOINT ["/usr/local/bin/bun"]