nexus/ProxMenux
2
0
Fork 0
mirror of https://github.com/MacRimi/ProxMenux.git synced 2026-06-03 21:54:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Rebuild AppImage with actual Next.js 15.1.9 + always reconcile node_modules

Browse Source 
The previous bump commit (2f24de25) shipped a binary that still carried
Next.js 15.1.6 in the bundled chunks even though AppImage/package.json
was at 15.1.9. Root cause: build_appimage.sh only ran `npm install`
when `node_modules` did not exist; on the .50 build host node_modules
had been cached since the 1.2.1 build cycle, so the bump was silently
ignored and the build re-used the stale tree.

Fix the script: always run `npm install --legacy-peer-deps` on every
build. npm reconciles against the lockfile in under a second when
everything is already in sync, so the change is free on a warm tree
and correct on a stale one.

Rebuild from a clean node_modules on .50, redeploy to all four hosts
(SHA 4602b8d4aa130c6f...), runtime grep confirms the bundle now
contains 15.1.9 with no traces of 15.1.6 left. Same architecture and
threat model as before — Flask serves the static export on :8008,
no Next.js runtime — but the version banner now matches the lockfile.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
MacRimi
2026-06-01 22:37:44 +02:00
parent 2f24de2592
commit d25faedc2b
3 changed files with 14 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
AppImage/scripts/build_appimage.sh
+13 -8
View File
@@ -69,14 +69,19 @@ if [ ! -f "package.json" ]; then
exit 1
fi
# Install dependencies if node_modules doesn't exist.
# `--legacy-peer-deps` is required because vaul@0.9.9 (and a few others) still
# declare peer-deps for React ≤18 while we're on React 19; npm 7+ refuses by
# default. The actual runtime works fine with React 19.
if [ ! -d "node_modules" ]; then
echo "📦 Installing dependencies..."
npm install --legacy-peer-deps
fi
# Always reconcile node_modules against the lockfile. The previous
# guard (`if [ ! -d "node_modules" ]`) skipped install when an older
# tree existed on disk — so a bump in package.json silently shipped
# with the cached version. We hit this when bumping Next.js
# 15.1.6 -> 15.1.9 for CVE-2025-55182: the build succeeded with the
# stale node_modules and the AppImage still carried 15.1.6. `npm install`
# is idempotent: when package.json + lockfile + node_modules already
# agree it returns in under a second. `--legacy-peer-deps` is required
# because vaul@0.9.9 (and a few others) still declare peer-deps for
# React ≤18 while we are on React 19; npm 7+ refuses by default.
# The actual runtime works fine with React 19.
echo "📦 Reconciling dependencies against the lockfile..."
npm install --legacy-peer-deps
echo "🏗️ Building Next.js static export..."
npm run export