fix(ci): Node.js 20 → 24 LTS + pipeline fixes (#366, #367) #368

Merged
jason.woltje merged 3 commits from fix/ci-366 into develop 2026-02-13 23:18:05 +00:00
Owner

Summary

  • Node.js 20 to 24 LTS migration (#367): Updated all Dockerfiles, CI pipelines, and engine constraint to node:24-alpine
  • CI pipeline fixes (#366): Fixed web @mosaic/ui build ordering, orchestrator Dockerfile find bug, event handler TypeScript types
  • Trivy suppression correction: tar CVEs traced to Next.js 16.1.6 bundled tar 7.5.2 (not npm) — documented accurately in .trivyignore
  • Spec file cleanup: Compiled test fixtures removed in builder stage to prevent Trivy secret scan false positives

Test plan

  • Full monorepo build passes on Node 24
  • Web tests: 811 passed (23 skipped)
  • Orchestrator tests: 734 passed
  • API tests: 2553 passed (4 pre-existing)
  • All 3 Docker images build successfully on node:24-alpine
  • Trivy scan passes with .trivyignore
  • CI pipelines passed

Fixes #366, Fixes #367

jason.woltje added 2 commits 2026-02-13 21:50:19 +00:00
fix(ci): move spec removal to builder stage + suppress tar CVEs
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
7fb70210a4
Two Trivy fixes:

1. Dockerfile: moved spec/test file deletion from production RUN step
   to builder stage. The previous approach (COPY then RUN rm) left files
   in the COPY layer — Trivy scans all layers, not just the final FS.
   Now spec files are deleted in builder BEFORE COPY to production.

2. .trivyignore: added 3 tar CVEs (CVE-2026-23745/23950/24842) with
   documented rationale. tar@7.5.2 is bundled inside npm which ships
   with node:20-alpine. Not upgradeable — not our dependency. npm is
   already removed from all production images.

Verified: local Trivy scan passes (exit code 0, 0 findings)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
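The layer behaviour described in the commit message above, as an added illustration that is not code from this pull request: image layers are modelled as in-memory tarballs, and a delete in a later layer is recorded only as an OCI whiteout entry (`.wh.<name>`), so a scanner that walks every layer still finds the file. All paths, file contents and function names are hypothetical and constructed for the example.

```python
import io
import tarfile

def make_layer(files):
    """Build one image layer as an in-memory tar archive from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def layer_paths(layer):
    with tarfile.open(fileobj=io.BytesIO(layer)) as tar:
        return tar.getnames()

def merged_fs(layers):
    """Apply layers in order, honouring OCI whiteouts (.wh.<name>)."""
    fs = set()
    for layer in layers:
        names = layer_paths(layer)
        for name in names:  # a whiteout hides a path that came from a lower layer
            parent, _, base = name.rpartition("/")
            if base.startswith(".wh."):
                gone = f"{parent}/{base[4:]}" if parent else base[4:]
                fs = {p for p in fs if p != gone and not p.startswith(gone + "/")}
        fs |= {n for n in names if not n.rpartition("/")[2].startswith(".wh.")}
    return fs

def is_spec(path):
    base = path.rpartition("/")[2]  # whiteout markers are not file content
    return not base.startswith(".wh.") and base.endswith((".spec.js", ".test.js"))

def spec_hits(layers):
    """What a scanner that walks every layer sees: (layer index, path)."""
    return [(i, p) for i, layer in enumerate(layers)
            for p in layer_paths(layer) if is_spec(p)]

# Constructed sample images; paths and contents are hypothetical.
FIXTURE = b"const apiKey = 'FAKE-TEST-FIXTURE-KEY';\n"
# Before: COPY brings the spec file in, a later RUN rm only adds a whiteout.
BEFORE = [
    make_layer({"app/dist/main.js": b"run();\n", "app/dist/auth.spec.js": FIXTURE}),
    make_layer({"app/dist/.wh.auth.spec.js": b""}),
]
# After: the builder stage deleted the spec file before COPY.
AFTER = [make_layer({"app/dist/main.js": b"run();\n"})]
print(sorted(merged_fs(BEFORE)), spec_hits(BEFORE), spec_hits(AFTER))
```

In the "before" image the final filesystem is clean while layer 0 still carries the fixture, which is why the deletion has to happen before the `COPY` into the production stage.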
fix(#367): migrate Node.js 20 → 24 LTS
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
0363a14098
Node.js 24 (Krypton) entered Active LTS on 2026-02-09. Update all
Dockerfiles, CI pipelines, and engine constraint from node:20-alpine
to node:24-alpine. Corrected .trivyignore: tar CVEs come from Next.js
16.1.6 bundled tar@7.5.2 (not npm). Orchestrator and API images are
clean; web image needs Next.js upstream fix.

Fixes #367

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jason.woltje added 1 commit 2026-02-13 23:17:58 +00:00
Merge branch 'develop' into fix/ci-366
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
46be7aa36f
jason.woltje merged commit 1b3ff1b5e1 into develop 2026-02-13 23:18:05 +00:00
jason.woltje deleted branch fix/ci-366 2026-02-13 23:18:05 +00:00