feat: Restrict docker compose port bindings to 127.0.0.1 (#875)

kingston · web-flow · commit c3a67191d9a4 · 2026-04-01T15:42:20.000+02:00
diff --git a/.changeset/restrict-docker-ports.md b/.changeset/restrict-docker-ports.md
@@ -0,0 +1,5 @@
+---
+'@baseplate-dev/core-generators': patch
+---
+
+Restrict docker compose port bindings to 127.0.0.1 to prevent exposing development services to the local network
diff --git a/examples/blog-with-auth/apps/admin/src/gql/graphql.ts b/examples/blog-with-auth/apps/admin/src/gql/graphql.ts
@@ -467,6 +467,7 @@ export type UpdateUserData = {
   email?: InputMaybe<Scalars['String']['input']>;
   emailVerified?: InputMaybe<Scalars['Boolean']['input']>;
   name?: InputMaybe<Scalars['String']['input']>;
+  phone?: InputMaybe<Scalars['String']['input']>;
 };
 
 /** Input type for updateUser mutation */
diff --git a/examples/blog-with-auth/apps/backend/schema.graphql b/examples/blog-with-auth/apps/backend/schema.graphql
@@ -304,6 +304,7 @@ input UpdateUserData {
   email: String
   emailVerified: Boolean
   name: String
+  phone: String
 }
 
 """Input type for updateUser mutation"""
diff --git a/examples/blog-with-auth/baseplate/generated/docker/docker-compose.yml b/examples/blog-with-auth/baseplate/generated/docker/docker-compose.yml
@@ -10,7 +10,7 @@ services:
       POSTGRES_DB: ${POSTGRES_DB:-blog-with-auth}
       POSTGRES_INITDB_ARGS: '--encoding=UTF8 --locale=en_US.utf8'
     ports:
-      - '${POSTGRES_PORT:-5432}:5432'
+      - '127.0.0.1:${POSTGRES_PORT:-5432}:5432'
     volumes:
       - db-data:/var/lib/postgresql
     networks:
diff --git a/examples/blog-with-auth/docker/docker-compose.yml b/examples/blog-with-auth/docker/docker-compose.yml
@@ -10,7 +10,7 @@ services:
       POSTGRES_DB: ${POSTGRES_DB:-blog-with-auth}
       POSTGRES_INITDB_ARGS: '--encoding=UTF8 --locale=en_US.utf8'
     ports:
-      - '${POSTGRES_PORT:-5432}:5432'
+      - '127.0.0.1:${POSTGRES_PORT:-5432}:5432'
     volumes:
       - db-data:/var/lib/postgresql
     networks:
diff --git a/examples/todo-with-better-auth/baseplate/generated/docker/docker-compose.yml b/examples/todo-with-better-auth/baseplate/generated/docker/docker-compose.yml
@@ -10,7 +10,7 @@ services:
       POSTGRES_DB: ${POSTGRES_DB:-todo-with-better-auth}
       POSTGRES_INITDB_ARGS: '--encoding=UTF8 --locale=en_US.utf8'
     ports:
-      - '${POSTGRES_PORT:-6432}:5432'
+      - '127.0.0.1:${POSTGRES_PORT:-6432}:5432'
     volumes:
       - db-data:/var/lib/postgresql
     networks:
@@ -37,7 +37,7 @@ services:
     security_opt:
       - no-new-privileges:true
     ports:
-      - '${REDIS_PORT:-6379}:6379'
+      - '127.0.0.1:${REDIS_PORT:-6379}:6379'
     command: redis-server --save 20 1 --loglevel warning --requirepass ${REDIS_PASSWORD:-todo-with-better-auth-password} --maxmemory 256mb --maxmemory-policy noeviction
     volumes:
       - redis-cache:/data
diff --git a/examples/todo-with-better-auth/docker/docker-compose.yml b/examples/todo-with-better-auth/docker/docker-compose.yml
@@ -10,7 +10,7 @@ services:
       POSTGRES_DB: ${POSTGRES_DB:-todo-with-better-auth}
       POSTGRES_INITDB_ARGS: '--encoding=UTF8 --locale=en_US.utf8'
     ports:
-      - '${POSTGRES_PORT:-6432}:5432'
+      - '127.0.0.1:${POSTGRES_PORT:-6432}:5432'
     volumes:
       - db-data:/var/lib/postgresql
     networks:
@@ -37,7 +37,7 @@ services:
     security_opt:
       - no-new-privileges:true
     ports:
-      - '${REDIS_PORT:-6379}:6379'
+      - '127.0.0.1:${REDIS_PORT:-6379}:6379'
     command: redis-server --save 20 1 --loglevel warning --requirepass ${REDIS_PASSWORD:-todo-with-better-auth-password} --maxmemory 256mb --maxmemory-policy noeviction
     volumes:
       - redis-cache:/data
diff --git a/packages/core-generators/src/generators/docker/docker-compose/postgres.ts b/packages/core-generators/src/generators/docker/docker-compose/postgres.ts
@@ -23,7 +23,7 @@ export function generatePostgresDockerCompose(
       POSTGRES_DB: \${POSTGRES_DB:-${config.database}}
       POSTGRES_INITDB_ARGS: '--encoding=UTF8 --locale=en_US.utf8'
     ports:
-      - "\${POSTGRES_PORT:-${config.port}}:5432"
+      - "127.0.0.1:\${POSTGRES_PORT:-${config.port}}:5432"
     volumes:
       - db-data:/var/lib/postgresql
     networks:
diff --git a/packages/core-generators/src/generators/docker/docker-compose/redis.ts b/packages/core-generators/src/generators/docker/docker-compose/redis.ts
@@ -18,7 +18,7 @@ export function generateRedisDockerCompose(
     security_opt:
       - no-new-privileges:true
     ports:
-      - "\${REDIS_PORT:-${config.port}}:6379"
+      - "127.0.0.1:\${REDIS_PORT:-${config.port}}:6379"
     command: redis-server --save 20 1 --loglevel warning --requirepass \${REDIS_PASSWORD:-${config.password}} --maxmemory 256mb --maxmemory-policy noeviction
     volumes:
       - redis-cache:/data

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@baseplate-dev/core-generators': patch
 +---
++
 +Restrict docker compose port bindings to 127.0.0.1 to prevent exposing development services to the local network
Original file line number	Diff line number	Diff line change
`@@ -304,6 +304,7 @@ input UpdateUserData {`
`304`	`304`	`email: String`
`305`	`305`	`emailVerified: Boolean`
`306`	`306`	`name: String`
	`307`	`+ phone: String`
`307`	`308`	`}`
`308`	`309`
`309`	`310`	`"""Input type for updateUser mutation"""`