Bugfix(modeling-commons): fix sharp/IPX native binary in frontend image

omargfh · omargfh · commit c112ac413daa · 2026-06-15T16:17:03.000-05:00
Consolidates the IPX hardening work:
- Bypass IPX for SVG images.
- Use Debian useradd/groupadd in the frontend image.
- Pin sharp via root resolutions.
- Reinstall sharp in the runtime image as a flat tree: Nitro symlinks the
  native packages to @version-suffixed dirs, breaking the $ORIGIN-relative
  rpath the sharp binding uses to load libvips (ERR_DLOPEN_FAILED).
diff --git a/apps/modeling-commons-frontend/Dockerfile b/apps/modeling-commons-frontend/Dockerfile
@@ -23,9 +23,23 @@ ENV NUXT_PUBLIC_CDN_URL=${NUXT_PUBLIC_CDN_URL}
 ENV NUXT_PUBLIC_NETLOGO_WEB_URL=${NUXT_PUBLIC_NETLOGO_WEB_URL}
 ENV NUXT_PUBLIC_GA_TRACKING_ID=${NUXT_PUBLIC_GA_TRACKING_ID}
 
-RUN addgroup -g 1001 -S nodejs && adduser -S nuxt -u 1001 -G nodejs
+RUN groupadd -r -g 1001 nodejs && useradd -r -u 1001 -g nodejs -s /usr/sbin/nologin nuxt
 WORKDIR /app
 COPY .output .output
+
+# Nitro symlinks sharp's native packages to @version-suffixed dirs under
+# .output/.nitro, which breaks the $ORIGIN-relative rpath the sharp binding uses
+# to find libvips at load time (ERR_DLOPEN_FAILED: libvips-cpp.so). Reinstall
+# sharp (same traced version) as a flat tree so the rpath resolves.
+RUN SHARP_VERSION="$(node -p "require('./.output/server/node_modules/sharp/package.json').version")" \
+  && npm install --no-save --no-audit --no-fund \
+      --os=linux --cpu="$(node -p process.arch)" --libc=glibc \
+      --prefix /tmp/sharp "sharp@${SHARP_VERSION}" \
+  && rm -rf .output/server/node_modules/sharp .output/server/node_modules/@img \
+  && cp -R /tmp/sharp/node_modules/sharp .output/server/node_modules/sharp \
+  && cp -R /tmp/sharp/node_modules/@img .output/server/node_modules/@img \
+  && rm -rf /tmp/sharp
+
 USER nuxt
 EXPOSE 3005
 HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
diff --git a/apps/modeling-commons-frontend/app/pages/index.vue b/apps/modeling-commons-frontend/app/pages/index.vue
@@ -31,7 +31,7 @@
         </div>
 
         <NuxtLink to="https://www.netlogo.org/" target="_blank" rel="noopener noreferrer" class="mt-8 text-center lg:text-left text-md">
-            Powered by <NuxtImg :src="NetlogoLogo" class="inline-block h-6 w-auto -mt-0.5 -ml-1" />
+            Powered by <img :src="NetlogoLogo" alt="NetLogo" class="inline-block h-6 w-auto -mt-0.5 -ml-1" />
         </NuxtLink>
       </div>
       <MarqueeGallery class="lg:w-5xl" height="80dvh" column-gap="12px">
diff --git a/package.json b/package.json
@@ -91,6 +91,7 @@
     "node-forge": ">=1.3.2",
     "@internationalized/date": "3.12.1",
     "@tailwindcss/postcss": "^4.3.0",
-    "tailwind-merge": "^3.3.1"
+    "tailwind-merge": "^3.3.1",
+    "sharp": "0.34.5"
   }
 }
diff --git a/yarn.lock b/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,7 @@`
`91`	`91`	`"node-forge": ">=1.3.2",`
`92`	`92`	`"@internationalized/date": "3.12.1",`
`93`	`93`	`"@tailwindcss/postcss": "^4.3.0",`
`94`		`- "tailwind-merge": "^3.3.1"`
	`94`	`+ "tailwind-merge": "^3.3.1",`
	`95`	`+ "sharp": "0.34.5"`
`95`	`96`	`}`
`96`	`97`	`}`