Skip to content

fix(#21): upgrade frontend base image node:20-alpine → node:22-alpine#24

Merged
OmarEhab007 merged 2 commits into
mainfrom
fix/GH-21-node22-alpine
Apr 20, 2026
Merged

fix(#21): upgrade frontend base image node:20-alpine → node:22-alpine#24
OmarEhab007 merged 2 commits into
mainfrom
fix/GH-21-node22-alpine

Conversation

@OmarEhab007

@OmarEhab007 OmarEhab007 commented Apr 20, 2026

Copy link
Copy Markdown
Owner

Summary

  • Updates all three stages in `frontend/Dockerfile` from `node:20-alpine` to `node:22-alpine`
  • `node:22-alpine` ships npm ≥ 10.9 with updated bundled packages, fixing all 11 previously-suppressed CVEs (cross-spawn, glob, minimatch, node-tar)
  • Removes the entire "Frontend image: npm bundled packages" section from `.trivyignore` — 11 suppressions cleaned up
  • Only the ARLogAnalyzer.jar Java CVEs and CVE-2026-32282 (no upstream fix) remain in `.trivyignore`

Test plan

  • `docker build -t remedyiq/frontend:ci ./frontend` succeeds
  • Trivy scan passes on the frontend image without the removed suppressions
  • `build-scan` CI job green
  • Frontend app behaviour unchanged (Node.js 22 is LTS, backwards-compatible with 20)

Closes #21


Glossary

Term Definition
node:22-alpine Official Node.js 22 LTS Docker image based on Alpine Linux
Trivy Container image vulnerability scanner used in CI
.trivyignore File listing CVEs suppressed from Trivy scan with documented rationale
npm bundled packages npm ships its own copy of packages (cross-spawn, glob, etc.) inside `node_modules/npm/`; these are separate from the app's own dependencies

Summary by CodeRabbit

  • Chores
    • Updated Docker base image from Node.js 20 to Node.js 22 across all build stages for improved performance and security.
    • Removed suppressed vulnerability entries that are no longer applicable.

node:22-alpine ships with npm ≥ 10.9 which contains updated bundled
packages (cross-spawn, glob, minimatch, node-tar) that fix all 11 npm-
bundled CVEs previously suppressed in .trivyignore. Suppressions removed.

Closes #21
@coderabbitai

coderabbitai Bot commented Apr 20, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@OmarEhab007 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 53 minutes and 46 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 53 minutes and 46 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 54b5e82f-1f9e-489b-94a7-61573fac44af

📥 Commits

Reviewing files that changed from the base of the PR and between 2a8ce46 and c4dc4d3.

📒 Files selected for processing (1)
  • .trivyignore
📝 Walkthrough

Walkthrough

Updated Node.js base image in frontend Dockerfile from version 20 to 22 (Alpine Linux). Removed corresponding CVE suppressions from .trivyignore as these vulnerabilities are resolved in the newer Node.js version.

Changes

Cohort / File(s) Summary
Node.js Base Image Upgrade
frontend/Dockerfile
Updated base image from node:20-alpine to node:22-alpine across all three build stages (deps, builder, runner).
CVE Suppressions Cleanup
.trivyignore
Removed 11 npm-bundled CVE suppression entries (CVE-2024-21538, CVE-2025-64756, CVE-2026-26996, CVE-2026-27903, CVE-2026-27904, CVE-2026-23745, CVE-2026-23950, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802) and associated comments for the node:20-alpine image, as these vulnerabilities are fixed in node:22-alpine.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

Poem

🐰 Hopping from node:20 to twenty-two,
CVEs vanish—vulnerabilities bid adieu!
Alpine alpine, now safer and bright,
Old suppressions fade into the night,
Dependencies dancing in security's light! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly reflects the main change—upgrading the frontend base image from node:20-alpine to node:22-alpine—which aligns with the primary objective in the PR.
Linked Issues check ✅ Passed All acceptance criteria from issue #21 are met: Dockerfile updated to node:22-alpine across all stages, CVE suppressions removed from .trivyignore, and changes are ready for CI validation.
Out of Scope Changes check ✅ Passed All changes are directly scoped to issue #21: base image upgrade and CVE suppression removal. No unrelated modifications are present.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/GH-21-node22-alpine

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@frontend/Dockerfile`:
- Line 7: Update CI and type declarations to match the new Docker base image
node:22-alpine by changing all occurrences of node-version: "20" to "22" in the
GitHub workflows (.github/workflows/ci.yml and .github/workflows/security.yml),
bumping the frontend package type declaration `@types/node` from ^20 to ^22 in
frontend/package.json, and updating references to Node 22 in
specs/013-eks-containerization/tasks.md and
specs/013-eks-containerization/plan.md so the CI toolchain, TypeScript types,
and documentation align with the Docker runtime change.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4cced153-8447-407b-8828-f2ef90bb7a7b

📥 Commits

Reviewing files that changed from the base of the PR and between 2e2d3c1 and 2a8ce46.

📒 Files selected for processing (2)
  • .trivyignore
  • frontend/Dockerfile
💤 Files with no reviewable changes (1)
  • .trivyignore

Comment thread frontend/Dockerfile
# Stage 1: Dependencies
#############################################
FROM node:20-alpine AS deps
FROM node:22-alpine AS deps

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Read-only check for frontend Node version drift across Dockerfile, package metadata, specs, and workflows.
# Expected result: Dockerfile, frontend CI setup-node version, and Node ambient types are intentionally aligned on Node 22,
# or any remaining Node 20 references are documented as intentional.

set -eu

echo "Dockerfile Node base images:"
rg -n 'FROM node:[0-9]+-alpine' frontend/Dockerfile

echo
echo "frontend/package.json Node type definitions:"
jq -r '.devDependencies["@types/node"] // empty' frontend/package.json

echo
echo "Spec references to setup-node / node versions:"
rg -n -C2 'setup-node|node 20|node-version|node-version-file' specs frontend package.json .github 2>/dev/null || true

echo
echo "Workflow setup-node blocks:"
fd -e yml -e yaml .github/workflows -x sh -c '
  echo "--- $1"
  sed -n "/setup-node/,+8p" "$1"
' sh {}

Repository: OmarEhab007/RemedyIQ

Length of output: 3849


Update CI workflows and TypeScript types to Node 22.

The Docker base image upgrade to node:22-alpine creates a mismatch with the CI toolchain. The workflows .github/workflows/ci.yml (lines 30-32) and .github/workflows/security.yml (lines 68-70, 143-145) still specify node-version: "20", and frontend/package.json declares @types/node: ^20. Update all three to Node 22:

  • Change node-version: "20" to "22" in both workflow files
  • Change @types/node: ^20 to ^22 in frontend/package.json
  • Update specs/013-eks-containerization/tasks.md and specs/013-eks-containerization/plan.md to reference Node 22

Without these changes, the frontend CI environment will diverge from the production Docker runtime.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@frontend/Dockerfile` at line 7, Update CI and type declarations to match the
new Docker base image node:22-alpine by changing all occurrences of
node-version: "20" to "22" in the GitHub workflows (.github/workflows/ci.yml and
.github/workflows/security.yml), bumping the frontend package type declaration
`@types/node` from ^20 to ^22 in frontend/package.json, and updating references to
Node 22 in specs/013-eks-containerization/tasks.md and
specs/013-eks-containerization/plan.md so the CI toolchain, TypeScript types,
and documentation align with the Docker runtime change.

npm in node:22-alpine bundles picomatch 4.0.3 which has a ReDoS (HIGH).
Same class as the 11 suppressions removed in the previous commit: lives
in usr/local/lib/node_modules/npm/, not reachable at runtime. Suppressed
until node:22-alpine ships with npm bundling picomatch ≥ 4.0.4.

Refs #21
@OmarEhab007 OmarEhab007 merged commit 33d302a into main Apr 20, 2026
12 checks passed
@OmarEhab007 OmarEhab007 deleted the fix/GH-21-node22-alpine branch April 20, 2026 12:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

chore: upgrade frontend base image node:20-alpine to node:22-alpine

1 participant