🐛 fix(compose): allow compose files mounted outside app directory #129

Merged
s-b-e-n-s-o-n merged 10 commits into main from release/v1.4.0-rc.10
Mar 9, 2026

@s-b-e-n-s-o-n
Contributor

Summary

  • Remove overly strict working-directory boundary enforcement from runComposeCommand that rejected compose files bind-mounted outside /home/node/app
  • Bug existed since rc.3 — the boundary check always converted absolute paths to relative via path.relative() then rejected anything outside process.cwd()
  • Compose file paths are operator-configured (Docker labels or env vars), not user input — path traversal protection is unnecessary here
  • Fixes force-update failures for setups with compose files at paths like /drydock/docker-compose.yml (documented mount pattern)

Test plan

  • Existing compose trigger tests pass (204 tests)
  • New test: runComposeCommand accepts compose files outside working directory
  • Updated test: relative paths outside working directory resolve correctly
  • Full backend suite passes (3960 tests)
  • Full UI suite passes (lefthook)
  • Biome + qlty clean

Reported by @flederohr in #120

🤖 Generated with Claude Code

Remove overly strict working-directory boundary enforcement from
runComposeCommand that rejected compose files bind-mounted outside
/home/node/app. This bug existed since rc.3 — the boundary check
always converted absolute paths to relative via path.relative() then
rejected anything outside process.cwd(). Compose file paths are
operator-configured (Docker labels or env vars) and already validated
during resolution, so path traversal protection here is unnecessary.

Fixes force-update failures for setups with compose files at paths
like /drydock/docker-compose.yml (documented mount pattern).
@vercel

vercel bot commented Mar 9, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: drydock-website | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Mar 9, 2026 9:29pm

@codecov

codecov bot commented Mar 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


Use Fumadocs Banner component to display pre-release warning across
all docs pages, matching the existing homepage RC banner. Prevents
users from following v1.4 quickstart instructions (argon2id hash)
when running v1.3.9 (SHA hash only).

- Change banner from amber to red for stronger pre-release warning
- Add "this version is not yet released" text to banner
- Change sidebar version picker from "v1.4 (Latest)" to "v1.4 (RC)"
…ffinity filtering

- Self-inspect Drydock's bind mounts to build host→container path mapping
- Remap Docker label paths (com.docker.compose.project.config_files) from
  host-side to container-internal using longest-prefix bind mount matching
- Skip containers whose compose files don't match the trigger's configured
  FILE path, eliminating cross-stack "does not exist" warnings
- Add regression tests for host path remapping and affinity filtering
… test

- Prevent cross-project false positives in getServiceKey() — containers
  with com.docker.compose.service label that doesn't match any service in
  the compose file now return undefined instead of falling through to
  image-name matching
- Skip image-name matching entirely for containers with Docker Compose
  identity labels (project, config_files, working_dir)
- Add regression test verifying YAML AST mutation only updates service
  image fields, not matching strings in comments or env vars

Snyk has a 200 scan/month limit. Only run snyk-deps and snyk-code
on main and release/* branch pushes to conserve quota.

Rename "v1.3.9 stable" to "v1.3.9 release notes →" so users
know the link goes to GitHub release notes, not stable docs.

…tion

- Add promise deduplication to ensureHostToContainerBindMountsLoaded to prevent redundant Docker API calls during concurrent batch processing
- Validate HOSTNAME against Docker container ID/name pattern instead of only rejecting slashes
- Use split(':', 2) in parseHostToContainerBindMount to correctly handle :rw/:ro mount options
- Replace direct _hostToContainerBindMounts field access with protected accessor methods
- Extract resolveAndGroupContainersByComposeFile from triggerBatch to reduce complexity
- Add resetHostToContainerBindMountCache to beforeEach for test isolation
- Add 8 new tests: getSelfContainerIdentifier edge cases, promise deduplication, mount options

@s-b-e-n-s-o-n merged commit 04cb896 into main on Mar 9, 2026
15 checks passed
@s-b-e-n-s-o-n deleted the release/v1.4.0-rc.10 branch on March 9, 2026 21:39
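
The bind-mount handling described in the commit messages above (parsing host:container[:options] with split(':', 2), then remapping host-side compose paths by longest-prefix match), as an added example that is not Drydock's own code. The function names, the sample bind list and the rule that a prefix only matches on a whole path segment are assumptions; host paths are assumed to be POSIX-style and already normalized.

```javascript
// Added example; names are hypothetical, not Drydock's implementation.
// Constructed sample: bind specs in "host:container[:options]" form.
const SAMPLE_BINDS = [
  '/srv/stacks:/drydock:ro',
  '/srv/stacks/media:/drydock-media',
  '/var/run/docker.sock:/var/run/docker.sock',
  'named_vol:/data', // named volume, not a host path
];

function stripTrailingSlash(p) {
  const s = p.replace(/\/+$/, '');
  return s === '' ? '/' : s;
}

// split(':', 2) keeps only the first two fields, so a trailing ":ro" or ":rw"
// never ends up glued to the container path.
function parseBind(spec) {
  const [host, container] = spec.split(':', 2);
  if (!host || !container) return undefined;
  if (!host.startsWith('/') || !container.startsWith('/')) return undefined;
  return { host: stripTrailingSlash(host), container: stripTrailingSlash(container) };
}

// Translate a host-side path (e.g. from com.docker.compose.project.config_files)
// into the path visible inside the container. The longest host prefix wins, and
// a prefix only matches on a whole path segment: /srv/stacks must not match
// /srv/stacks-old.
function remapHostPath(hostPath, bindSpecs) {
  const mounts = bindSpecs
    .map(parseBind)
    .filter(Boolean)
    .sort((a, b) => b.host.length - a.host.length);
  for (const m of mounts) {
    if (hostPath === m.host) return m.container;
    const prefix = m.host === '/' ? '/' : `${m.host}/`;
    if (hostPath.startsWith(prefix)) {
      const base = m.container === '/' ? '' : m.container;
      return `${base}/${hostPath.slice(prefix.length)}`;
    }
  }
  return undefined; // not reachable through any bind mount
}
```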