Dockerfile aktualisiert

Dockerfile

@@ -1,6 +1,9 @@
 # Stage 1: Build
 FROM node:22.12-alpine AS build
 
+# Install pnpm first (as root, since we need it globally)
+RUN npm install -g pnpm
+
 # Create non-root user
 RUN addgroup -g 1001 -S nodejs && \
     adduser -u 1001 -S modernmermaid -G nodejs
@@ -8,24 +11,25 @@ RUN addgroup -g 1001 -S nodejs && \
 # Set working directory
 WORKDIR /app
 
-# Install pnpm
-RUN npm install -g pnpm
+# Copy package files (as root, but will change ownership next)
+COPY package.json pnpm-lock.yaml ./
 
-# Copy lockfile and package.json first (for better layer caching)
-COPY --chown=modernmermaid:nodejs package.json pnpm-lock.yaml ./
+# Change ownership to non-root user *before* installing deps
+RUN chown -R modernmermaid:nodejs .
 
-# Install dependencies
-RUN pnpm install --frozen-lockfile
-
-# Copy source code
-COPY --chown=modernmermaid:nodejs . .
-
-# Switch to non-root user
+# Switch to non-root user for all subsequent steps
 USER modernmermaid
 
-# Build the app
+# Install dependencies (now as non-root)
+RUN pnpm install --frozen-lockfile
+
+# Copy source code (still as non-root)
+COPY --chown=modernmermaid:nodejs . .
+
+# Build the app (TypeScript writes to node_modules/.tmp — now allowed)
 RUN pnpm build
 
+
 # Stage 2: Production
 FROM node:22.12-alpine AS production
 
@@ -35,17 +39,14 @@ RUN addgroup -g 1001 -S nodejs && \
 
 WORKDIR /app
 
-# Install serve globally
+# Install serve
 RUN npm install -g serve
 
-# Copy built assets from build stage
+# Copy built files from build stage
 COPY --from=build --chown=modernmermaid:nodejs /app/dist ./dist
 
-# Switch to non-root user
 USER modernmermaid
 
-# Expose port
 EXPOSE 3000
 
-# Run serve in single-page mode
 CMD ["serve", "-s", "dist", "-l", "3000"]