fix(#367): migrate Node.js 20 → 24 LTS

Node.js 24 (Krypton) entered Active LTS on 2026-02-09. Update all
Dockerfiles, CI pipelines, and engine constraint from node:20-alpine
to node:24-alpine. Corrected .trivyignore: tar CVEs come from Next.js
16.1.6 bundled tar@7.5.2 (not npm). Orchestrator and API images are
clean; web image needs Next.js upstream fix.

Fixes #367

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jason Woltje
2026-02-13 15:20:01 -06:00
parent 7fb70210a4
commit 0363a14098
8 changed files with 27 additions and 33 deletions


@@ -2,7 +2,7 @@
# Enable BuildKit features for cache mounts
# Base image for all stages
FROM node:20-alpine AS base
FROM node:24-alpine AS base
# Install pnpm globally
RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
@@ -53,10 +53,9 @@ RUN pnpm turbo build --filter=@mosaic/api --force
# ======================
# Production stage
# ======================
FROM node:20-alpine AS production
FROM node:24-alpine AS production
# Remove npm (unused in production — we use pnpm) to eliminate bundled CVEs
# (cross-spawn CVE-2024-21538, glob CVE-2025-64756, tar CVE-2026-23745/23950/24842)
# Remove npm (unused in production — we use pnpm) to reduce attack surface
RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
# Install dumb-init for proper signal handling
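Review bot: Both new `FROM node:24-alpine` lines (base and production stages) track a floating tag, so the image contents can change between builds with no change to this file, and the two stages are resolved independently of each other. Pinning to a digest ties the scan results this commit records to a known image; a single `ARG NODE_IMAGE=node:24-alpine@sha256:<digest-placeholder>` ahead of the first `FROM`, with `FROM ${NODE_IMAGE} AS base` and `FROM ${NODE_IMAGE} AS production`, keeps both stages in lockstep. Line 1 of the file is outside the hunk; if it is a `# syntax=` directive the `ARG` has to come after it. The same point applies to the `FROM` lines in the other two Dockerfile sections on this page.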


@@ -2,7 +2,7 @@
# Enable BuildKit features for cache mounts
# Base image for all stages
FROM node:20-alpine AS base
FROM node:24-alpine AS base
# Install pnpm globally
RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
@@ -57,7 +57,7 @@ RUN find ./apps/orchestrator/dist \( -name '*.spec.js' -o -name '*.spec.js.map'
# ======================
# Production stage
# ======================
FROM node:20-alpine AS production
FROM node:24-alpine AS production
# Add metadata labels
LABEL maintainer="mosaic-team@mosaicstack.dev"
@@ -68,8 +68,7 @@ LABEL org.opencontainers.image.vendor="Mosaic Stack"
LABEL org.opencontainers.image.title="Mosaic Orchestrator"
LABEL org.opencontainers.image.description="Agent orchestration service for Mosaic Stack"
# Remove npm (unused in production — we use pnpm) to eliminate bundled CVEs
# (cross-spawn CVE-2024-21538, glob CVE-2025-64756, tar CVE-2026-23745/23950/24842)
# Remove npm (unused in production — we use pnpm) to reduce attack surface
RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
# Install wget and dumb-init
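Review bot: The reworded comment above the `rm -rf` line now states the goal as reducing attack surface, but the removal still covers only npm and npx; corepack ships in the same base image (the base stage calls `corepack enable`) and is left in place. Corepack can fetch and run a package manager at run time, so if the orchestrator's production stage never invokes pnpm it is worth removing too, for example by appending `/usr/local/lib/node_modules/corepack /usr/local/bin/corepack` to the `rm -rf` after confirming those paths in the image. If pnpm is needed at run time, a comment saying corepack is kept on purpose would be enough. The production stage continues below the hunk, so whether pnpm is used there is not visible here.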


@@ -2,7 +2,7 @@
# Enable BuildKit features for cache mounts
# Base image for all stages
FROM node:20-alpine AS base
FROM node:24-alpine AS base
# Install pnpm globally
RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
@@ -75,10 +75,9 @@ RUN mkdir -p ./apps/web/public
# ======================
# Production stage
# ======================
FROM node:20-alpine AS production
FROM node:24-alpine AS production
# Remove npm (unused in production — we use pnpm) to eliminate bundled CVEs
# (cross-spawn CVE-2024-21538, glob CVE-2025-64756, tar CVE-2026-23745/23950/24842)
# Remove npm (unused in production — we use pnpm) to reduce attack surface
RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
# Install pnpm (needed for pnpm start command)
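Review bot: The new comment above the `rm -rf` line drops the CVE list without saying what is left: per the commit description, the web image still carries the tar findings through the tar copy bundled with Next.js, so removing npm does not clear them here. A one-line pointer would stop a later reader from assuming the removal handles it, for example `# tar CVEs in this image come from Next.js' bundled tar, not npm; see .trivyignore`. The production stage continues past the visible lines of this section.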