d77a4769c6
## Root Cause Analysis - Found CRITICAL RCE vulnerability in Next.js 15.0.3 (GHSA-9qr9-h5gf-34mp) - 10 vulnerabilities total including SSRF, DoS, Auth Bypass - Attack vector: exposed port 3000 + vulnerable Next.js → remote code execution ## Security Fixes - Upgraded Next.js: 15.0.3 → 15.5.9 (0 vulnerabilities) - Upgraded eslint-config-next: 15.0.3 → 15.5.9 ## Hardening (New Files) - apps/web/Dockerfile.secure: Multi-stage build, read-only FS, no shell - docker-compose.web.secure.yml: Resource limits, cap_drop ALL, localhost bind - scripts/rebuild-daarion-web-secure.sh: Local secure rebuild with Trivy scan - scripts/deploy-daarion-web-node1.sh: Production deployment to NODE1 - SECURITY-REBUILD-REPORT.md: Full incident analysis and remediation report ## Key Security Measures - restart: "no" (until verified) - ports: 127.0.0.1:3000 (localhost only, use Nginx reverse proxy) - read_only: true - cap_drop: ALL - resources.limits: 1 CPU, 512M RAM - no-new-privileges: true ## Related Incidents - Incident #1 (Jan 8): catcal, G4NQXBp miners - Incident #2 (Jan 9): softirq, vrarhpb miners - Hetzner AbuseID: 10F3971:2A Co-authored-by: Cursor Agent <agent@cursor.sh>
33 lines
757 B
JSON
33 lines
757 B
JSON
{
|
|
"name": "daarion-web",
|
|
"version": "1.0.0",
|
|
"private": true,
|
|
"scripts": {
|
|
"dev": "next dev -p 3000",
|
|
"build": "next build",
|
|
"start": "next start -p 3000",
|
|
"lint": "next lint"
|
|
},
|
|
"dependencies": {
|
|
"class-variance-authority": "^0.7.1",
|
|
"clsx": "^2.1.1",
|
|
"lucide-react": "^0.460.0",
|
|
"next": "^15.5.9",
|
|
"react": "^18.3.1",
|
|
"react-dom": "^18.3.1",
|
|
"swr": "^2.3.6",
|
|
"tailwind-merge": "^2.5.4"
|
|
},
|
|
"devDependencies": {
|
|
"@types/node": "^22.10.1",
|
|
"@types/react": "^18.3.12",
|
|
"@types/react-dom": "^18.3.1",
|
|
"autoprefixer": "^10.4.20",
|
|
"eslint": "^9.15.0",
|
|
"eslint-config-next": "^15.5.9",
|
|
"postcss": "^8.4.49",
|
|
"tailwindcss": "^3.4.15",
|
|
"typescript": "^5.7.2"
|
|
}
|
|
}
|