Switch to alpine chromium image

Dockerfile

@@ -1,50 +1,48 @@
-FROM node:20.12.2-slim
+FROM node:20-alpine AS build
 
 ENV NODE_ENV=production
-ENV CHROME_PATH=/usr/bin/google-chrome-stable
-ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/google-chrome-stable
-
-# Install Chrome and dependencies
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    ca-certificates wget gnupg \
-    && wget -qO- https://dl.google.com/linux/linux_signing_key.pub \
-    | gpg --dearmor -o /usr/share/keyrings/google-linux-signing-keyring.gpg \
-    && echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-linux-signing-keyring.gpg] https://dl.google.com/linux/chrome/deb/ stable main" \
-    > /etc/apt/sources.list.d/google-chrome.list \
-    && echo "deb http://deb.debian.org/debian trixie main" \
-    > /etc/apt/sources.list.d/debian-trixie.list \
-    && apt-get update \
-    && apt-get install -y --no-install-recommends -t trixie \
-    zlib1g libexpat1 liblzma5 libpcre2-8-0 libsqlite3-0 libxml2 xserver-common xvfb fonts-liberation \
-    && apt-get install -y --no-install-recommends google-chrome-stable \
-    && apt-mark manual google-chrome-stable \
-    && rm /etc/apt/sources.list.d/debian-trixie.list \
-    && rm -rf /var/lib/apt/lists/*
 
+RUN apk add --no-cache python3 make g++
 RUN corepack enable
 
-# Create a non-root user for running the app
-RUN useradd --create-home --home-dir /app --shell /bin/sh appuser
-
-# Set working directory
 WORKDIR /app
 
-# Entrypoint script
-COPY docker-entrypoint.sh /usr/local/bin/
-RUN chmod 755 /usr/local/bin/docker-entrypoint.sh
-
-# Copy and install dependencies
-COPY --chown=appuser:appuser package.json pnpm-lock.yaml ./
-USER appuser
-RUN corepack prepare pnpm@9.0.0 --activate \
+COPY package.json pnpm-lock.yaml ./
+RUN corepack prepare pnpm@10.28.0 --activate \
     && pnpm install --frozen-lockfile --prod \
     && pnpm store prune
 
-# Copy app code
-COPY --chown=appuser:appuser . .
+COPY . .
+
+FROM node:20-alpine
+
+ENV NODE_ENV=production
+ENV CHROME_PATH=/usr/bin/chromium-browser
+ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
+
+RUN apk add --no-cache chromium nss freetype harfbuzz ttf-freefont
+
+# Remove npm/corepack to shrink attack surface and avoid bundled CVEs.
+RUN rm -rf /usr/local/lib/node_modules/npm \
+    /usr/local/bin/npm \
+    /usr/local/bin/npx \
+    /usr/local/lib/node_modules/corepack \
+    /usr/local/bin/corepack
+
+WORKDIR /app
+
+COPY --from=build /app/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod 755 /usr/local/bin/docker-entrypoint.sh
+
+COPY --from=build --chown=node:node /app/package.json /app/package.json
+COPY --from=build --chown=node:node /app/index.js /app/index.js
+COPY --from=build --chown=node:node /app/endpoints /app/endpoints
+COPY --from=build --chown=node:node /app/node_modules /app/node_modules
+
+RUN mkdir -p /app/cache && chown -R node:node /app
+
+USER node
 
-# Expose port (match your app's port)
 EXPOSE 10000
 
-# Start Xvfb and run the bot
 CMD ["/usr/local/bin/docker-entrypoint.sh"]

docker-entrypoint.sh

@@ -7,31 +7,31 @@ resolve_chrome_path() {
   fi
 
   for candidate in \
+    /usr/bin/chromium-browser \
+    /usr/bin/chromium \
     /usr/bin/google-chrome-stable \
     /usr/bin/google-chrome \
-    /opt/google/chrome/google-chrome \
-    /usr/bin/chromium \
-    /usr/bin/chromium-browser; do
+    /opt/google/chrome/google-chrome; do
     if [ -x "$candidate" ]; then
       CHROME_PATH="$candidate"
       return 0
     fi
   done
 
-  if command -v google-chrome-stable >/dev/null 2>&1; then
-    CHROME_PATH="$(command -v google-chrome-stable)"
-    return 0
-  fi
-  if command -v google-chrome >/dev/null 2>&1; then
-    CHROME_PATH="$(command -v google-chrome)"
+  if command -v chromium-browser >/dev/null 2>&1; then
+    CHROME_PATH="$(command -v chromium-browser)"
     return 0
   fi
   if command -v chromium >/dev/null 2>&1; then
     CHROME_PATH="$(command -v chromium)"
     return 0
   fi
-  if command -v chromium-browser >/dev/null 2>&1; then
-    CHROME_PATH="$(command -v chromium-browser)"
+  if command -v google-chrome-stable >/dev/null 2>&1; then
+    CHROME_PATH="$(command -v google-chrome-stable)"
+    return 0
+  fi
+  if command -v google-chrome >/dev/null 2>&1; then
+    CHROME_PATH="$(command -v google-chrome)"
     return 0
   fi
 
@@ -43,34 +43,4 @@ resolve_chrome_path
 export CHROME_PATH
 export PUPPETEER_EXECUTABLE_PATH="${PUPPETEER_EXECUTABLE_PATH:-$CHROME_PATH}"
 
-rm -f /tmp/.X99-lock
-Xvfb :99 -screen 0 1024x768x24 &
-xvfb_pid=$!
-
-export DISPLAY=:99
-
-npm start &
-app_pid=$!
-
-term_handler() {
-  kill "$app_pid" 2>/dev/null || true
-  kill "$xvfb_pid" 2>/dev/null || true
-}
-
-trap term_handler INT TERM
-
-while kill -0 "$app_pid" 2>/dev/null; do
-  if ! kill -0 "$xvfb_pid" 2>/dev/null; then
-    echo "Xvfb exited; stopping app." >&2
-    kill "$app_pid" 2>/dev/null || true
-    wait "$app_pid" 2>/dev/null || true
-    exit 1
-  fi
-  sleep 1
-done
-
-wait "$app_pid"
-app_status=$?
-kill "$xvfb_pid" 2>/dev/null || true
-wait "$xvfb_pid" 2>/dev/null || true
-exit "$app_status"
+exec node index.js

index.js

@@ -59,10 +59,10 @@ if (process.env.NODE_ENV !== 'development') {
 
 async function createBrowser(proxyServer = null) {
   const connectOptions = {
-    headless: false,
+    headless: "new",
     turnstile: true,
     connectOption: { defaultViewport: null },
-    disableXvfb: false,
+    disableXvfb: true,
   }
   
   if (proxyServer) {