The Dockerfile pins the version of ca-certificates, but not build-dependencies. It seems like this causes the build to break whenever build-dependencies is updated to require a new version of ca-certificates? This happened in April, May, and then now (July):
---> Running in db51307c63f2 fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz ERROR: unsatisfiable constraints: ca-certificates-20191127-r2: breaks: build-dependencies-20200730.162852[ca-certificates~20191127-r1] satisfies: world[ca-certificates] curl-7.67.0-r0[ca-certificates] nodejs-12.15.0-r1[ca-certificates] libcurl-7.67.0-r0[ca-certificates] ERROR: Service 'wdqs-frontend' failed to build: The command '/bin/sh -c apk --no-cache add --virtual build-dependencies ca-certificates~=20191127-r1 git~=2.24 nodejs~=12 npm~=12 jq~=1.6 python~=2.7 make~=4.2 g++~=9.2' returned a non-zero code: 7
If version pinning is there to make the builds reproducible, it seems like we need to pin build-dependencies too. On the other hand, since build-dependencies is currently not version pinned, perhaps version pinning could be removed for ca-certificates too? I wouldn't expect any of the other dependencies to break because of a new version of ca-certificates, but I should note that I'm not very familiar with the Alpine ecosystem.