From 635c2803ceb46f6850039003a55a354ef6b0aa4c Mon Sep 17 00:00:00 2001
From: schmidt1024
Date: Mon, 30 Mar 2026 16:36:37 +0200
Subject: [PATCH] Fix critical CVEs by using official Caddy image instead of Alpine package

Copy Caddy binary from caddy:2-alpine multi-stage build to avoid stale smallstep/certificates (CVE CVSS 10) and grpc vulnerabilities shipped with the Alpine caddy package.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 Dockerfile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index e433b9f..58c8921 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,12 @@
+FROM caddy:2-alpine AS caddy
+
 FROM php:8.3-fpm-alpine AS base
+# Copy Caddy binary from official image (avoids stale Alpine package)
+COPY --from=caddy /usr/bin/caddy /usr/sbin/caddy
+
 # Install PHP curl extension (needed for API proxies)
-RUN apk add --no-cache caddy curl-dev \
+RUN apk add --no-cache curl-dev \
 && docker-php-ext-install curl \
 && rm -rf /var/cache/apk/*
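Review bot: The new stage `FROM caddy:2-alpine AS caddy` uses a floating major tag, so which Caddy build (and which bundled smallstep/certificates and grpc versions) lands in the image depends on when the tag was last pulled. A builder with an older cached `caddy:2-alpine` can still ship the binary this commit is meant to replace. Pin the stage to the release that carries the fixes and to its digest, for example `FROM caddy:<FIXED_VERSION>-alpine@sha256:<DIGEST> AS caddy` (placeholders, to be filled in from the registry), and add a comment naming the advisory the pin addresses so later bumps stay deliberate. Removing `caddy` from the `apk add` line may also remove things the Alpine package installed besides the binary, such as a service user or a default config directory. The rest of the Dockerfile lies outside this hunk and should be checked for reliance on those.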