From 378023c53d57cce75d4a05b69aa5f33965d40b62 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Tue, 19 May 2026 13:55:10 +0200
Subject: [PATCH] chore(infra): set BODY_SIZE_LIMIT=50M in frontend service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Makes the upload size cap explicit in both dev and prod compose files. After the @sveltejs/kit bump (GHSA-2crg-3p73-43xp), the default 512KB limit is now enforced — 50M covers multi-page Kurrent/Sütterlin PDFs (typically 500KB–15MB) without being reckless. Caddy's client_max_body_size must be set to match when the reverse proxy config is committed.

Co-Authored-By: Claude Sonnet 4.6
---
 docker-compose.prod.yml | 3 +++
 docker-compose.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 31d85e42..53e3c1a6 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -276,6 +276,9 @@ services:
 # SSR fetches go inside the docker network; clients hit https://${APP_DOMAIN}
 API_INTERNAL_URL: http://backend:8080
 ORIGIN: https://${APP_DOMAIN}
+ # Enforce upload size limit in the adapter-node layer (fixes GHSA-2crg-3p73-43xp bypass).
+ # Must be ≤ client_max_body_size in the Caddy reverse proxy to avoid 413 mismatches.
+ BODY_SIZE_LIMIT: 50M
 networks:
 - archiv-net
 healthcheck:
diff --git a/docker-compose.yml b/docker-compose.yml
index 842f94e1..7bc27dbe 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -228,6 +228,9 @@ services:
 API_INTERNAL_URL: http://backend:8080
 # Vite dev proxy forwards /api from browser to the backend container
 API_PROXY_TARGET: http://backend:8080
+ # Upload size limit for adapter-node (production target). Not enforced by Vite dev server
+ # but kept here to match docker-compose.prod.yml and prevent config drift.
+ BODY_SIZE_LIMIT: 50M
 ports:
 - "${PORT_FRONTEND}:5173"
 networks:
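Review bot: The second added comment in the docker-compose.prod.yml hunk points the reader at `client_max_body_size`, which is nginx's directive; Caddy limits request bodies with `request_body { max_size 50MB }` in the site block, so whoever later commits the Caddyfile will be looking for a setting that does not exist there. The inequality also reads backwards from a defence-in-depth view: if the proxy limit is the larger of the two, an oversized upload passes the edge and is only refused by adapter-node after the Node process has started reading it, so the proxy cap should sit at or below `BODY_SIZE_LIMIT`, not above it. Suggested replacement for the two comment lines: `# Enforced by adapter-node (the @sveltejs/kit bump made the default 512K cap bite, see GHSA-2crg-3p73-43xp).` and `# Keep Caddy's request_body max_size at or below this so oversized uploads are rejected at the edge.` Until the proxy config the commit message mentions is actually committed, this env var is the only body cap in front of the frontend container; the backend reached via `API_INTERNAL_URL` presumably needs a matching limit of its own, but that is outside this diff.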
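Review bot: The comment added in the docker-compose.yml hunk says the value is duplicated "to prevent config drift", but two hand-maintained copies of the literal `50M` are exactly what drifts; both compose files already interpolate from the environment (`${APP_DOMAIN}`, `${PORT_FRONTEND}`), so the cap belongs in the shared env file with a single reference in each service, e.g. `BODY_SIZE_LIMIT: ${BODY_SIZE_LIMIT:-50M}`. Since the comment itself states the Vite dev server does not enforce this limit, a dev run will not catch a regression in the real 413 path; a one-line note such as `# Verify 413 behaviour against a production build (adapter-node), not the dev server.` would keep that from being assumed tested.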