mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 2 Wiki Activity

fix(#367): migrate Node.js 20 → 24 LTS
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
Details
ci/woodpecker/push/web Pipeline was successful
Details
ci/woodpecker/push/api Pipeline was successful
Details

Browse Source 
Node.js 24 (Krypton) entered Active LTS on 2026-02-09. Update all
Dockerfiles, CI pipelines, and engine constraint from node:20-alpine
to node:24-alpine. Corrected .trivyignore: tar CVEs come from Next.js
16.1.6 bundled tar@7.5.2 (not npm). Orchestrator and API images are
clean; web image needs Next.js upstream fix.

Fixes #367

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-13 15:20:01 -06:00
parent 7fb70210a4
commit 0363a14098
8 changed files with 27 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
.trivyignore
View File

@@ -1,12 +1,13 @@
# Trivy CVE Suppressions — Upstream Dependencies # Trivy CVE Suppressions — Upstream Dependencies
# Reviewed: 2026-02-12 | Milestone: M11-CIPipeline # Reviewed: 2026-02-13 | Milestone: M11-CIPipeline
# #
# MITIGATED in this sprint: # MITIGATED:
# - Go stdlib CVEs (6): gosu rebuilt from source with Go 1.26 # - Go stdlib CVEs (6): gosu rebuilt from source with Go 1.26
# - npm bundled CVEs (5): npm removed from production Node.js images # - npm bundled CVEs (5): npm removed from production Node.js images
# - Node.js 20 → 24 LTS migration (#367): base images updated
# #
# REMAINING: OpenBao only (5 CVEs — 4 false positives + 1 upstream Go stdlib) # REMAINING: OpenBao (5 CVEs) + Next.js bundled tar (3 CVEs)
# Re-evaluate when upgrading openbao image beyond 2.5.0. # Re-evaluate when upgrading openbao image beyond 2.5.0 or Next.js beyond 16.1.6.
# === OpenBao false positives === # === OpenBao false positives ===
# Trivy reads Go module pseudo-version (v0.0.0-20260204...) from bin/bao # Trivy reads Go module pseudo-version (v0.0.0-20260204...) from bin/bao
@@ -16,19 +17,15 @@ CVE-2024-9180 # HIGH: privilege escalation (fixed in 2.0.3)
CVE-2025-59043 # HIGH: DoS via malicious JSON (fixed in 2.4.1) CVE-2025-59043 # HIGH: DoS via malicious JSON (fixed in 2.4.1)
CVE-2025-64761 # HIGH: identity group root escalation (fixed in 2.4.4) CVE-2025-64761 # HIGH: identity group root escalation (fixed in 2.4.4)
# === npm bundled tar CVEs (not upgradeable — not our dependency) === # === Next.js bundled tar CVEs (upstream — waiting on Next.js release) ===
# Why suppressed instead of fixed: # Next.js 16.1.6 bundles tar@7.5.2 in next/dist/compiled/tar/ (pre-compiled).
# - tar@7.5.2 is bundled INSIDE npm, which ships with the node:20-alpine base image # This is NOT a pnpm dependency — it's embedded in the Next.js package itself.
# - It is NOT in pnpm-lock.yaml — not a direct or transitive app dependency # Affects web image only (orchestrator and API are clean).
# - We already remove npm from all production images: # npm was also removed from all production images, eliminating the npm-bundled copy.
# `RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx` # To resolve: upgrade Next.js when a release bundles tar >= 7.5.7.
# - Locally-built images have zero tar packages (verified via Trivy scan 2026-02-12) CVE-2026-23745 # HIGH: tar arbitrary file overwrite via unsanitized linkpaths (fixed in 7.5.3)
# - CVEs may reappear in CI due to Docker layer caching of the base image CVE-2026-23950 # HIGH: tar arbitrary file overwrite via Unicode path collision (fixed in 7.5.4)
# To fully eliminate: switch to a distroless/slim base image without npm, or CVE-2026-24842 # HIGH: tar arbitrary file creation via hardlink path traversal (needs tar >= 7.5.7)
# wait for Node.js 20 to bundle a patched npm release.
CVE-2026-23745 # HIGH: tar arbitrary file overwrite via unsanitized linkpaths
CVE-2026-23950 # HIGH: tar arbitrary file overwrite via Unicode path collision
CVE-2026-24842 # HIGH: tar arbitrary file creation via hardlink path traversal
# === OpenBao Go stdlib (waiting on upstream rebuild) === # === OpenBao Go stdlib (waiting on upstream rebuild) ===
# OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7. # OpenBao 2.5.0 compiled with Go 1.25.6, fix needs Go >= 1.25.7.

2
.woodpecker/api.yml
View File

@@ -17,7 +17,7 @@ when:
- ".woodpecker/api.yml" - ".woodpecker/api.yml"
variables: variables:
- &node_image "node:20-alpine" - &node_image "node:24-alpine"
- &install_deps | - &install_deps |
corepack enable corepack enable
pnpm install --frozen-lockfile pnpm install --frozen-lockfile

2
.woodpecker/orchestrator.yml
View File

@@ -17,7 +17,7 @@ when:
- ".woodpecker/orchestrator.yml" - ".woodpecker/orchestrator.yml"
variables: variables:
- &node_image "node:20-alpine" - &node_image "node:24-alpine"
- &install_deps | - &install_deps |
corepack enable corepack enable
pnpm install --frozen-lockfile pnpm install --frozen-lockfile

2
.woodpecker/web.yml
View File

@@ -17,7 +17,7 @@ when:
- ".woodpecker/web.yml" - ".woodpecker/web.yml"
variables: variables:
- &node_image "node:20-alpine" - &node_image "node:24-alpine"
- &install_deps | - &install_deps |
corepack enable corepack enable
pnpm install --frozen-lockfile pnpm install --frozen-lockfile

7
apps/api/Dockerfile
View File

@@ -2,7 +2,7 @@
# Enable BuildKit features for cache mounts # Enable BuildKit features for cache mounts
# Base image for all stages # Base image for all stages
FROM node:20-alpine AS base FROM node:24-alpine AS base
# Install pnpm globally # Install pnpm globally
RUN corepack enable && corepack prepare pnpm@10.27.0 --activate RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
@@ -53,10 +53,9 @@ RUN pnpm turbo build --filter=@mosaic/api --force
# ====================== # ======================
# Production stage # Production stage
# ====================== # ======================
FROM node:20-alpine AS production FROM node:24-alpine AS production
# Remove npm (unused in production — we use pnpm) to eliminate bundled CVEs # Remove npm (unused in production — we use pnpm) to reduce attack surface
# (cross-spawn CVE-2024-21538, glob CVE-2025-64756, tar CVE-2026-23745/23950/24842)
RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
# Install dumb-init for proper signal handling # Install dumb-init for proper signal handling

7
apps/orchestrator/Dockerfile
View File

@@ -2,7 +2,7 @@
# Enable BuildKit features for cache mounts # Enable BuildKit features for cache mounts
# Base image for all stages # Base image for all stages
FROM node:20-alpine AS base FROM node:24-alpine AS base
# Install pnpm globally # Install pnpm globally
RUN corepack enable && corepack prepare pnpm@10.27.0 --activate RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
@@ -57,7 +57,7 @@ RUN find ./apps/orchestrator/dist \( -name '*.spec.js' -o -name '*.spec.js.map'
# ====================== # ======================
# Production stage # Production stage
# ====================== # ======================
FROM node:20-alpine AS production FROM node:24-alpine AS production
# Add metadata labels # Add metadata labels
LABEL maintainer="mosaic-team@mosaicstack.dev" LABEL maintainer="mosaic-team@mosaicstack.dev"
@@ -68,8 +68,7 @@ LABEL org.opencontainers.image.vendor="Mosaic Stack"
LABEL org.opencontainers.image.title="Mosaic Orchestrator" LABEL org.opencontainers.image.title="Mosaic Orchestrator"
LABEL org.opencontainers.image.description="Agent orchestration service for Mosaic Stack" LABEL org.opencontainers.image.description="Agent orchestration service for Mosaic Stack"
# Remove npm (unused in production — we use pnpm) to eliminate bundled CVEs # Remove npm (unused in production — we use pnpm) to reduce attack surface
# (cross-spawn CVE-2024-21538, glob CVE-2025-64756, tar CVE-2026-23745/23950/24842)
RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
# Install wget and dumb-init # Install wget and dumb-init

7
apps/web/Dockerfile
View File

@@ -2,7 +2,7 @@
# Enable BuildKit features for cache mounts # Enable BuildKit features for cache mounts
# Base image for all stages # Base image for all stages
FROM node:20-alpine AS base FROM node:24-alpine AS base
# Install pnpm globally # Install pnpm globally
RUN corepack enable && corepack prepare pnpm@10.27.0 --activate RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
@@ -75,10 +75,9 @@ RUN mkdir -p ./apps/web/public
# ====================== # ======================
# Production stage # Production stage
# ====================== # ======================
FROM node:20-alpine AS production FROM node:24-alpine AS production
# Remove npm (unused in production — we use pnpm) to eliminate bundled CVEs # Remove npm (unused in production — we use pnpm) to reduce attack surface
# (cross-spawn CVE-2024-21538, glob CVE-2025-64756, tar CVE-2026-23745/23950/24842)
RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
# Install pnpm (needed for pnpm start command) # Install pnpm (needed for pnpm start command)

2
package.json
View File

@@ -5,7 +5,7 @@
"type": "module", "type": "module",
"packageManager": "pnpm@10.19.0", "packageManager": "pnpm@10.19.0",
"engines": { "engines": {
"node": ">=20.0.0" "node": ">=24.0.0"
}, },
"scripts": { "scripts": {
"build": "turbo run build", "build": "turbo run build",