elfensky · elfensky · Jun 10, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 ## Unreleased
 
+## 0.47.10
+
+### Fixes
+
+- **Fix the `EACCES: permission denied, mkdir '/app/.next/cache'` flood in the production container by chowning the runtime image by numeric uid instead of the unresolvable name `nonroot`.** Root cause: the Chainguard runtime (`cgr.dev/chainguard/node:latest`) has **no `nonroot` entry in `/etc/passwd`** — uid 65532 is named `node` — so the runner-stage `COPY --from=builder --chown=nonroot:nonroot …` lines silently fell back to root (`0:0`). That left `/app/.next` root-owned (mode 755), and since the container runs as uid 65532, the Next.js image optimizer's first remote-avatar optimization (`mkdir('.next/cache/images', { recursive: true })`, triggered by Discord/GitHub/Google/Gravatar avatars) failed with `EACCES` and rejected on every subsequent cacheable image request. `Dockerfile.app` now uses `--chown=65532:65532` (numeric IDs need no passwd lookup) on all three runner COPY lines, so the runtime user owns the standalone tree and creates `.next/cache` on demand. Verified by reproducing the production state (`/app/.next` `uid=0`, `mkdir FAILED:EACCES`) and confirming the numeric-chown image yields `uid=65532` and a successful write. Hotfix off `main`; the same fix is already on `develop` as 0.52.1.
+
 ## 0.47.9
 
 ### Documentation

diff --git a/Dockerfile.app b/Dockerfile.app
@@ -103,9 +103,18 @@ ARG NEXT_PUBLIC_DEPLOY_ENV
 ENV NEXT_PUBLIC_DEPLOY_ENV=$NEXT_PUBLIC_DEPLOY_ENV
 # Automatically leverage output traces to reduce image size
 # https://nextjs.org/docs/advanced-features/output-file-tracing
-COPY --from=builder --chown=nonroot:nonroot /app/.next/standalone ./
-COPY --from=builder --chown=nonroot:nonroot /app/.next/static ./.next/static
-COPY --from=builder --chown=nonroot:nonroot /app/public ./public
+#
+# Chown by NUMERIC uid:gid, NOT the name `nonroot`. This Chainguard runtime
+# has no `nonroot` entry in /etc/passwd (uid 65532 is named `node`), so
+# `--chown=nonroot:nonroot` silently falls back to root (0:0). That left
+# /app/.next root-owned and made the Next.js image optimizer's runtime
+# `mkdir('.next/cache/images')` fail with EACCES, flooding logs with
+# unhandledRejection on every remote-avatar (Discord/GitHub/Google/Gravatar)
+# optimization. Numeric IDs need no passwd lookup, so 65532 (the runtime
+# user) owns the tree as intended and the cache dir is created on demand.
+COPY --from=builder --chown=65532:65532 /app/.next/standalone ./
+COPY --from=builder --chown=65532:65532 /app/.next/static ./.next/static
+COPY --from=builder --chown=65532:65532 /app/public ./public
 EXPOSE 3000
 ENV PORT=3000
 ENV HOSTNAME="0.0.0.0"

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
     "name": "helldivers.bot",
-    "version": "0.47.9",
+    "version": "0.47.10",
     "private": true,
     "type": "module",
     "scripts": {