7066c895f6
* chore: harden npm supply chain — pin overrides, enforce npm ci, add ignore-scripts Replace open-ended >= version overrides with exact pins matching lockfile versions across all 6 package.json files. Remove dead overrides for packages not present in lockfiles. Switch CI and devcontainer from npm install to npm ci for deterministic lockfile-based installs. Add .npmrc to all 7 JS project directories with ignore-scripts=true (blocks postinstall RAT vectors like the axios@1.14.1 supply chain attack) and min-release-age=3d (refuses packages published <3 days ago, requires npm >=11.10). Remove Yarn-only resolutions field from docs/my-website. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: bump sharp to 0.33.5 in docs, add docs .npmrc sharp 0.32.x uses postinstall to download native binaries, which breaks with ignore-scripts=true. sharp 0.33+ distributes via optionalDependencies instead, making it compatible with the new .npmrc hardening. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: remove docs .npmrc to fix Vercel deploy Vercel's build for docs/my-website uses npm install which needs sharp 0.32.6's postinstall script. Since we don't control Vercel's build process, remove the .npmrc from docs rather than fight it. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: Dockerfile npm ci + nvm checksum verification - Replace npm install with npm ci in Dockerfile.non_root, Dockerfile.custom_ui, and spend-logs/Dockerfile for deterministic lockfile-based installs - Replace curl-pipe-bash nvm install with download-then-verify pattern in build_admin_ui.sh, build_ui.sh, and build_ui_custom_path.sh - Update nvm from v0.38.0 (2021) to v0.40.4 (Jan 2026) with SHA256 checksum verification before execution Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: macOS sha256sum compat + clarify min-release-age scope - Use shasum -a 256 fallback on macOS where sha256sum is unavailable - Clarify in .npmrc comments that min-release-age only protects local npm install, not npm ci (used in CI) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
27 lines
602 B
Docker
27 lines
602 B
Docker
# Use the specific Node.js v20.11.0 image
|
|
FROM node:20.18.1-alpine3.20
|
|
|
|
# Set the working directory inside the container
|
|
WORKDIR /app
|
|
|
|
# Copy package.json and package-lock.json to the working directory
|
|
COPY ./litellm-js/spend-logs/package*.json ./
|
|
|
|
# Install dependencies
|
|
RUN npm ci
|
|
|
|
# Install Prisma globally
|
|
RUN npm install -g prisma
|
|
|
|
# Copy the rest of the application code
|
|
COPY ./litellm-js/spend-logs .
|
|
|
|
# Generate Prisma client
|
|
RUN npx prisma generate
|
|
|
|
# Expose the port that the Node.js server will run on
|
|
EXPOSE 3000
|
|
|
|
# Command to run the Node.js app with npm run dev
|
|
CMD ["npm", "run", "dev"]
|