deploy CI fails on npm ci resolving bchen-sqlite-migrate@git+https://...
#11
brendan
commented
Owner
> **Originally filed:** 2026-05-12 in ~/bugs.md, block #3.
<!-- Resolved 2026-05-12 — PR https://gitea.bchen.dev/brendan/nanodrop/pulls/10 (merge_commit 6e6f4b1acf1f0f55efedb507dacc18b233da45a8) — 3-line Dockerfile change: bumped FROM node:22-alpine → node:24-alpine (line 1), updated the comment to mention better-sqlite3 + npm git-URL deps (line 3), and added `git` to the apk install line (line 4). No package.json/lockfile changes. Verified: `better-sqlite3@^12.6.2`, `bcrypt@^6.0.0`, `fastify@^5.7.4`, `tsx@^4.21.0`, `vitest@^4.0.18` all ship Node-24 prebuilds or are pure JS — no version bumps needed. Lockfile already pins `bchen-sqlite-migrate` to commit SHA `7dbce6637c…` (good supply-chain hygiene); npm enforces the SHA on `npm ci`. Security audit: `src/` has zero `child_process`/`spawn`/`exec` callsites, so adding `git` to the runtime image does not give app code a new shell-out primitive (footgun is purely "if you already have RCE you also have git"). Refactor pass: noop on a 3-line diff. Local `docker build` not exercised (sandbox blocks docker socket); deploy host will exercise the real path. Companion items: authd resolved earlier today (PR 16); buchinese remains pending.
**2026-05-12 — nanodrop: deploy CI fails on `npm ci` resolving `bchen-sqlite-migrate@git+https://...` — `node:22-alpine` build image lacks `git`; also bump base to `node:24-alpine` to match authd's npm-11 stack**
User-reported via spawn-host (2026-05-12). CI failure on commit `83a128f9`: https://gitea.bchen.dev/brendan/nanodrop/actions/runs/23 job 166. Re-fetch with `curl -H "Authorization: token $TOK" https://gitea.bchen.dev/api/v1/repos/brendan/nanodrop/actions/jobs/166/logs`. Failure trace is byte-identical to authd's `ENOENT spawn git` pattern (see the companion authd item above for the verbatim excerpt).
**Root cause:** `~/nanodrop/Dockerfile` uses `node:22-alpine` (line 1) and does not install `git` (line 4: `RUN apk add --no-cache python3 make g++`). Two issues: (1) missing `git` causes `npm ci` to fail when resolving `bchen-sqlite-migrate@git+https://...`; (2) `node:22-alpine`'s npm 10.9 is vulnerable to the EBADPLATFORM trap on nested `@esbuild/*` platform-specific optional deps — latent in nanodrop's current lockfile but a regression waiting to happen the moment a dep pulls in a fresh vitest. Aligning with authd's `node:24-alpine` (npm 11.x) avoids the second issue defensively.
**Fix** — `~/nanodrop/Dockerfile:1, :4`, bump base AND add `git`:
```dockerfile
FROM node:24-alpine
...
RUN apk add --no-cache python3 make g++ git
```
`better-sqlite3` and the rest of nanodrop's deps support node 24.x (same versions authd already uses).
**Acceptance:**
- Deploy workflow reaches `success`. `npm ci` completes without `ENOENT spawn git` and without EBADPLATFORM.
- `docker run --rm <image> sh -c 'which git && node --version'` returns a path and `v24.*`.
Source: user reported via spawn-host (2026-05-12). Originally filed as a combined item; split on 2026-05-12. Companion items: authd (above) and buchinese (below).
-->
brendan
added the bug label
brendan
closed this issue
brendan
referenced this issue
automatic OS-driven dark mode on every web frontend (authd, buchinese, dashcam #17
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?