update

.github/workflows/bearer.yml

@@ -0,0 +1,36 @@
+name: Security Scan
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+  schedule:
+    - cron: '0 0 * * 0'  # Run weekly on Sunday
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Bearer Security Scan
+        uses: bearer/bearer-action@v2
+        with:
+          scanner: sast
+          format: sarif
+          output: bearer.sarif
+          severity: critical,high
+          path: .
+          exit-code: 0
+          
+      - name: Upload SARIF results
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: bearer.sarif

.github/workflows/build.yml

@@ -149,9 +149,9 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           tags: |
-            ghcr.io/liamcottle/reticulum-meshchat:latest
+            ghcr.io/sudo-ivan/reticulum-meshchat:latest
-            ghcr.io/liamcottle/reticulum-meshchat:${{ github.ref_name }}
+            ghcr.io/sudo-ivan/reticulum-meshchat:${{ github.ref_name }}
           labels: |
             org.opencontainers.image.title=Reticulum MeshChat
             org.opencontainers.image.description=Docker image for Reticulum MeshChat
-            org.opencontainers.image.url=https://github.com/liamcottle/reticulum-meshchat/pkgs/container/reticulum-meshchat/
+            org.opencontainers.image.url=https://github.com/Sudo-Ivan/reticulum-meshchat/pkgs/container/reticulum-meshchat/

.github/workflows/manual-docker-build.yml

@@ -33,10 +33,10 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           tags: |
-            ghcr.io/liamcottle/reticulum-meshchat:latest
+            ghcr.io/sudo-ivan/reticulum-meshchat:latest
-            ghcr.io/liamcottle/reticulum-meshchat:${{ github.ref_name }}
+            ghcr.io/sudo-ivan/reticulum-meshchat:${{ github.ref_name }}
           labels: |
             org.opencontainers.image.title=Reticulum MeshChat
             org.opencontainers.image.description=Docker image for Reticulum MeshChat
-            org.opencontainers.image.url=https://github.com/liamcottle/reticulum-meshchat/pkgs/container/reticulum-meshchat/
+            org.opencontainers.image.url=https://github.com/Sudo-Ivan/reticulum-meshchat/pkgs/container/reticulum-meshchat/
 

.gitignore

@@ -9,3 +9,7 @@ node_modules
 
 # local storage
 storage/
+
+__pycache__/
+
+config/

Dockerfile

@@ -1,33 +1,51 @@
 # Build the frontend
-FROM node:20-bookworm-slim AS build-frontend
+FROM node:20-alpine AS build-frontend
 
 WORKDIR /src
 
 # Copy required source files
-COPY *.json .
+COPY --chown=node:node *.json .
-COPY *.js .
+COPY --chown=node:node *.js .
-COPY src/frontend ./src/frontend
+COPY --chown=node:node src/frontend ./src/frontend
 
-# Install NodeJS deps, exluding electron
+# Fix permissions and install NodeJS deps
+USER root
+RUN chown -R node:node /src
+USER node
 RUN npm install --omit=dev && \
   npm run build-frontend
 
 # Main app build
-FROM python:3.11-bookworm
+FROM python:3.13-alpine
 
 WORKDIR /app
 
-# Install Python deps
+# Install system dependencies
-COPY ./requirements.txt .
+RUN apk add --no-cache \
-RUN pip install -r requirements.txt
+    gcc \
+    musl-dev \
+    python3-dev \
+    libffi-dev \
+    openssl-dev
 
-# Copy prebuilt frontend
+# Create config directories with proper permissions
-COPY --from=build-frontend /src/public public
+RUN mkdir -p /config/.reticulum /config/.meshchat && \
+    chown -R 1000:1000 /config
+
+# Install Python deps
+COPY --chown=1000:1000 ./requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Create public directory and copy frontend
+RUN mkdir -p /app/public
+COPY --from=build-frontend --chown=1000:1000 /src/public/ /app/public/
 
 # Copy other required source files
-COPY *.py .
+COPY --chown=1000:1000 *.py .
-COPY src/__init__.py ./src/__init__.py
+COPY --chown=1000:1000 src/__init__.py ./src/__init__.py
-COPY src/backend ./src/backend
+COPY --chown=1000:1000 src/backend ./src/backend
-COPY *.json .
+COPY --chown=1000:1000 *.json .
 
-CMD ["python", "meshchat.py", "--host=0.0.0.0", "--reticulum-config-dir=/config/.reticulum", "--storage-dir=/config/.meshchat", "--headless"]
+USER 1000
+ENTRYPOINT ["python"]
+CMD ["meshchat.py", "--host=0.0.0.0", "--reticulum-config-dir=/config/.reticulum", "--storage-dir=/config/.meshchat", "--headless"]

README.md

@@ -1,3 +1,21 @@
+# Ivans Fork Edition
+
+## Containers
+
+- Drop unnecassary permissions (compose)
+- Rootless (user 1000:1000)
+- Resource Limits (compose)
+- Alpine Image Variants
+- Updated Dependencies
+- Dockerfile use python 3.13
+
+## Security
+
+- Bearer Security Scan Action
+- [Socket](https://socket.dev/) Supply Chain Security/Analysis
+
+---
+
 <p align="center">
 <a href="https://github.com/liamcottle/reticulum-meshchat"><img src="./logo/logo-chat-bubble.png" width="150"></a>
 </p>

docker-compose.dev.yml

@@ -0,0 +1,40 @@
+services:
+  reticulum-meshchat:
+    container_name: reticulum-meshchat-dev
+    build:
+      context: .
+      dockerfile: Dockerfile
+    pull_policy: never
+    restart: unless-stopped
+    user: "1000:1000"
+    # Make the meshchat web interface accessible from the host on port 8000
+    ports:
+      - 0.0.0.0:8000:8000
+    volumes:
+      - meshchat-config:/config:rw
+      - .:/app:delegated
+      - /app/public
+    # Uncomment if you have a USB device connected, such as an RNode
+    # devices:
+    #   - /dev/ttyUSB0:/dev/ttyUSB0
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    deploy:
+      resources:
+        limits:
+          cpus: '1'
+          memory: 512M
+        reservations:
+          cpus: '0.25'
+          memory: 128M
+
+volumes:
+    meshchat-config:
+      driver: local
+      driver_opts:
+        type: none
+        o: bind
+        device: ${PWD}/config 

docker-compose.yml

@@ -1,17 +1,31 @@
 services:
   reticulum-meshchat:
     container_name: reticulum-meshchat
-    image: ghcr.io/liamcottle/reticulum-meshchat:latest
+    image: ghcr.io/sudo-ivan/reticulum-meshchat:latest
     pull_policy: always
     restart: unless-stopped
+    user: "1000:1000"
     # Make the meshchat web interface accessible from the host on port 8000
     ports:
       - 0.0.0.0:8000:8000
     volumes:
-      - meshchat-config:/config
+      - meshchat-config:/config:rw
     # Uncomment if you have a USB device connected, such as an RNode
     # devices:
     #   - /dev/ttyUSB0:/dev/ttyUSB0
+    cap_drop:
+      - ALL
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    deploy:
+      resources:
+        limits:
+          cpus: '1'
+          memory: 512M
+        reservations:
+          cpus: '0.25'
+          memory: 128M
 
 volumes:
     meshchat-config:

electron/main.js

@@ -99,7 +99,9 @@ function getDefaultReticulumConfigDir() {
 app.whenReady().then(async () => {
 
     // get arguments passed to application, and remove the provided application path
-    const userProvidedArguments = process.argv.slice(1);
+    const ignoredArguments = ["--no-sandbox"];
+    const userProvidedArguments = process.argv.slice(1)
+        .filter(arg => !ignoredArguments.includes(arg));
     const shouldLaunchHeadless = userProvidedArguments.includes("--headless");
 
     if(!shouldLaunchHeadless){

package.json

@@ -1,6 +1,6 @@
 {
   "name": "reticulum-meshchat",
-  "version": "1.21.0",
+  "version": "1.22.2",
   "description": "",
   "main": "electron/main.js",
   "scripts": {
@@ -96,9 +96,9 @@
   "dependencies": {
     "@mdi/js": "^7.4.47",
     "@tailwindcss/forms": "^0.5.9",
-    "@vitejs/plugin-vue": "^5.2.1",
+    "@vitejs/plugin-vue": "^5.2.4",
     "autoprefixer": "^10.4.20",
-    "axios": "^1.7.9",
+    "axios": "^1.9.0",
     "click-outside-vue3": "^4.0.1",
     "compressorjs": "^1.2.1",
     "electron-prompt": "^1.7.0",
@@ -106,13 +106,13 @@
     "mitt": "^3.0.1",
     "moment": "^2.30.1",
     "postcss": "^8.4.49",
-    "protobufjs": "^7.4.0",
+    "protobufjs": "^7.5.1",
     "tailwindcss": "^3.4.17",
     "vis-data": "^7.1.9",
     "vis-network": "^9.1.9",
-    "vite": "^6.0.5",
+    "vite": "^6.3.5",
     "vite-plugin-vuetify": "^2.0.4",
-    "vue-router": "^4.5.0",
+    "vue-router": "^4.5.1",
-    "vuetify": "^3.7.6"
+    "vuetify": "^3.8.4"
   }
 }

requirements.txt

@@ -1,6 +1,6 @@
-aiohttp>=3.9.5
+aiohttp>=3.11.18
 cx_freeze>=7.0.0
 lxmf>=0.6.3
-peewee>=3.17.3
+peewee>=3.18.1
-rns>=0.9.3
+rns>=0.9.5
-websockets>=14.2
+websockets>=15.0.1