Fix: use npm ci in Dockerfile to respect package-lock.json

- Changed npm install to npm ci --omit=dev
- Removed unnecessary mocha install (dev dependency)
- Added debug output to build-image and trivy-image steps

.woodpecker.yml

@@ -123,6 +123,9 @@ steps:
     commands:
       - echo "nameserver 1.1.1.1" > /etc/resolv.conf
       - echo "nameserver 1.0.0.1" >> /etc/resolv.conf
+      - echo "=== DEBUG: Verifying lockfile before build ==="
+      - grep -A3 '"node_modules/glob"' package-lock.json | head -5 || echo "glob not found"
+      - grep -E '10\.4\.5|6\.2\.1|7\.4\.3' package-lock.json || echo "No vulnerable versions in lockfile"
       - HOSTNAME=$(docker info --format "{{.Name}}")
       - echo "Building on $HOSTNAME"
       - echo "$${DOCKER_REGISTRY_PASSWORD}" | docker login -u "$${DOCKER_REGISTRY_USER}" --password-stdin
@@ -143,8 +146,10 @@ steps:
     commands:
       - echo "nameserver 1.1.1.1" > /etc/resolv.conf
       - echo "nameserver 1.0.0.1" >> /etc/resolv.conf
+      - echo "=== DEBUG: Inspecting image contents ==="
       - trivy --version | cat
-      - trivy image --timeout 10m --scanners vuln --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 git.nixc.us/nixius/hastebin:latest
+      - echo "=== DEBUG: Running Trivy with full output ==="
+      - trivy image --debug --timeout 10m --scanners vuln --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 git.nixc.us/nixius/hastebin:latest
     when:
       branch: main
       event: [push, cron]

Dockerfile

@@ -8,10 +8,9 @@ COPY . /app
 # Create data directory for file storage
 RUN mkdir -p /app/data
 
-# Install dependencies
+# Install dependencies using ci to respect package-lock.json exactly
 RUN npm cache clean --force && \
-    npm install --production --no-optional && \
-    npm install mocha && \
+    npm ci --omit=dev && \
     chmod +x app.sh
 
 # Build assets if needed