chore(api): add db package copying to buildspec for docker build

[Itsnotaka]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
app	Skipped			Nov 19, 2025 6:11pm
portal	Skipped			Nov 19, 2025 6:11pm

[comp-ai-code-review]

🔒 Comp AI - Security Review

🔴 Risk Level: HIGH

OSV scan: 2 high vulnerabilities in xlsx@0.18.5 (Prototype Pollution, ReDoS) and 1 low in ai@5.0.0 (filetype whitelist bypass).

---

📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

Package	Version	CVE	Severity	CVSS	Summary	Fixed In
xlsx	0.18.5	GHSA-4r6h-8v6p-xvw6	HIGH	N/A	Prototype Pollution in sheetJS	No fix yet
xlsx	0.18.5	GHSA-5pgg-2g8v-p4x9	HIGH	N/A	SheetJS Regular Expression Denial of Service (ReDoS)	No fix yet
ai	5.0.0	GHSA-rwvc-j5jr-mgvh	LOW	N/A	Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files	5.0.52

---

🛡️ Code Security Analysis

View 1 file(s) with issues

🔴 apps/api/buildspec.yml (HIGH Risk)

#	Issue	Risk Level
1	Piping remote install script (curl	bash) — supply-chain risk
2	Docker build context includes full files, may bake secrets into image	HIGH
3	Copying node_modules and .prisma into build may include sensitive binaries	HIGH
4	Build cache (BUILDKIT_INLINE_CACHE) can embed secrets in image layers	HIGH
5	Logging directory listings may leak filenames into build logs	HIGH
6	Cached node_modules in CodeBuild cache may leak across builds	HIGH
7	Using 'latest' tag fallback can overwrite images and cause deployment confusion	HIGH
8	imagedefinitions.json from env vars may produce malformed JSON or injection	HIGH

Recommendations:

1. Stop piping remote install scripts directly into a shell. Download the installer, verify its checksum or GPG signature, inspect the contents, and then run it (or better: install from a packaged distro or pinned binary). Replace: curl -fsSL https://bun.sh/install | bash
2. Minimize the Docker build context. Use a constructed docker-build directory (as you already do) plus a strict .dockerignore in the Docker build context. Ensure only required artifacts are present in ../docker-build before docker build.
3. Avoid copying whole node_modules trees or .prisma folders into the build context. Instead bundle only the production runtime artifacts (compiled dist, production deps). If native binaries are required, copy only the specific packages. Scan artifacts for secrets and remove telemetry/credentials before adding to context.
4. Do not rely on BUILDKIT_INLINE_CACHE to store secrets. Use Docker BuildKit secrets (docker build --secret) or build-time secret mechanisms so secrets are not recorded in image layers. Ensure no build-time env vars containing secrets are used in RUN/COPY that would persist in layers.
5. Avoid printing directory listings and other filesystem contents in build logs. Remove or restrict ls -la, echo of potentially sensitive paths, and avoid printing env vars. If debugging is needed, direct output to an internal artifact rather than public logs.
6. Tighten CodeBuild caching: avoid caching global node_modules across unrelated builds, use project-scoped cache keys, or use ephemeral caches per branch/build. Exclude sensitive paths from cache entries.
7. Avoid defaulting to 'latest' as a fallback tag. Require an explicit, immutable image tag (commit SHA) for deployments. If fallback is required, use a clearly separate 'fallback' tag and prevent overwriting 'latest' unintentionally.
8. Generate imagedefinitions.json in a JSON-safe way. Sanitize and validate $ECR_REPOSITORY_URI and $IMAGE_TAG (reject/control characters, quotes, newlines). Use a small script that builds JSON with proper escaping (e.g., jq or a short Node/Python script) instead of printf with raw env substitution.

---

💡 Recommendations

View 3 recommendation(s)

1. Upgrade xlsx (currently 0.18.5) to a release that fixes GHSA-4r6h-8v6p-xvw6 and GHSA-5pgg-2g8v-p4x9; update package.json and lockfile and run your test suite.
2. Upgrade ai from 5.0.0 to 5.0.52 or later (GHSA-rwvc-j5jr-mgvh fixedIn: 5.0.52).
3. Audit code that consumes/parses files via xlsx: do not merge parsed objects into prototypes or application templates, validate and normalize incoming file structures, and add limits on input size/regex processing to reduce ReDoS and prototype-pollution impact.

---

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 19, 2025

[claudfuen]

🎉 This PR is included in version 1.60.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀