This is the solution that worked for me and no more problem with csrf message.
ln -s /opt/nodebb/node_modules/socket.io-client/dist/socket.io.js /opt/nodebb/node_modules/socket.io-client/socket.io.js
But you will probably have the same problem in the next step
@mat-m is spot on, though my perspective is definitely production, not test. Running the leanest container possible has the added benefit of reducing the attack vectors as there is simply less surface for somebody to target. Alpine is specifically designed to be as lightweight as possible and as stripped down as possible.
Do we know who owns the image build process and can s/he weigh in on this?