fix(#21): upgrade frontend base image node:20-alpine → node:22-alpine#24
Conversation
node:22-alpine ships with npm ≥ 10.9 which contains updated bundled packages (cross-spawn, glob, minimatch, node-tar) that fix all 11 npm- bundled CVEs previously suppressed in .trivyignore. Suppressions removed. Closes #21
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 53 minutes and 46 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. 📝 WalkthroughWalkthroughUpdated Node.js base image in frontend Dockerfile from version 20 to 22 (Alpine Linux). Removed corresponding CVE suppressions from .trivyignore as these vulnerabilities are resolved in the newer Node.js version. Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~5 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@frontend/Dockerfile`:
- Line 7: Update CI and type declarations to match the new Docker base image
node:22-alpine by changing all occurrences of node-version: "20" to "22" in the
GitHub workflows (.github/workflows/ci.yml and .github/workflows/security.yml),
bumping the frontend package type declaration `@types/node` from ^20 to ^22 in
frontend/package.json, and updating references to Node 22 in
specs/013-eks-containerization/tasks.md and
specs/013-eks-containerization/plan.md so the CI toolchain, TypeScript types,
and documentation align with the Docker runtime change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 4cced153-8447-407b-8828-f2ef90bb7a7b
📒 Files selected for processing (2)
.trivyignorefrontend/Dockerfile
💤 Files with no reviewable changes (1)
- .trivyignore
| # Stage 1: Dependencies | ||
| ############################################# | ||
| FROM node:20-alpine AS deps | ||
| FROM node:22-alpine AS deps |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Description: Read-only check for frontend Node version drift across Dockerfile, package metadata, specs, and workflows.
# Expected result: Dockerfile, frontend CI setup-node version, and Node ambient types are intentionally aligned on Node 22,
# or any remaining Node 20 references are documented as intentional.
set -eu
echo "Dockerfile Node base images:"
rg -n 'FROM node:[0-9]+-alpine' frontend/Dockerfile
echo
echo "frontend/package.json Node type definitions:"
jq -r '.devDependencies["@types/node"] // empty' frontend/package.json
echo
echo "Spec references to setup-node / node versions:"
rg -n -C2 'setup-node|node 20|node-version|node-version-file' specs frontend package.json .github 2>/dev/null || true
echo
echo "Workflow setup-node blocks:"
fd -e yml -e yaml .github/workflows -x sh -c '
echo "--- $1"
sed -n "/setup-node/,+8p" "$1"
' sh {}Repository: OmarEhab007/RemedyIQ
Length of output: 3849
Update CI workflows and TypeScript types to Node 22.
The Docker base image upgrade to node:22-alpine creates a mismatch with the CI toolchain. The workflows .github/workflows/ci.yml (lines 30-32) and .github/workflows/security.yml (lines 68-70, 143-145) still specify node-version: "20", and frontend/package.json declares @types/node: ^20. Update all three to Node 22:
- Change
node-version: "20"to"22"in both workflow files - Change
@types/node: ^20to^22infrontend/package.json - Update
specs/013-eks-containerization/tasks.mdandspecs/013-eks-containerization/plan.mdto reference Node 22
Without these changes, the frontend CI environment will diverge from the production Docker runtime.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@frontend/Dockerfile` at line 7, Update CI and type declarations to match the
new Docker base image node:22-alpine by changing all occurrences of
node-version: "20" to "22" in the GitHub workflows (.github/workflows/ci.yml and
.github/workflows/security.yml), bumping the frontend package type declaration
`@types/node` from ^20 to ^22 in frontend/package.json, and updating references to
Node 22 in specs/013-eks-containerization/tasks.md and
specs/013-eks-containerization/plan.md so the CI toolchain, TypeScript types,
and documentation align with the Docker runtime change.
npm in node:22-alpine bundles picomatch 4.0.3 which has a ReDoS (HIGH). Same class as the 11 suppressions removed in the previous commit: lives in usr/local/lib/node_modules/npm/, not reachable at runtime. Suppressed until node:22-alpine ships with npm bundling picomatch ≥ 4.0.4. Refs #21
Summary
Test plan
Closes #21
Glossary
Summary by CodeRabbit