
Security: Node.js 18 is EOL — upgrade backend Dockerfile to Node.js 22 LTS #252

Description

@LucasMaupin

Summary

The backend `Dockerfile` uses `node:18-alpine` as its base image. Node.js 18 reached End-of-Life on April 30, 2025 and no longer receives security patches. The image tag is also not pinned to a specific digest, allowing silent updates to the base image.

Affected File

  • `Dockerfile`, line 1:

    ```dockerfile
    ARG NODE_IMAGE=node:18-alpine
    ```

Risk

  • Known (and future) CVEs in Node.js 18 will not be patched
  • Mutable image tags can silently pull in unexpected changes

Recommendation

Upgrade to Node.js 22 LTS (supported until April 2027) and pin to a digest:

```dockerfile
ARG NODE_IMAGE=node:22-alpine
# or with digest pinning for reproducibility:
# ARG NODE_IMAGE=node:22-alpine@sha256:<pinned-digest>
```

Verify application compatibility with Node.js 22 via `npm test` after upgrade.
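As an added example (not code from this issue or the project), the following POSIX sh lint reproduces the two checks the audit is making: it reads a Dockerfile, finds the `ARG NODE_IMAGE=` and `FROM` lines, and reports a Node.js base image as `EOL` when its major is on an end-of-life list, `UNPINNED` when the reference carries no `@sha256:` digest, and `OK` otherwise. The EOL major list (14, 16, 18) is an assumption taken from the Node.js release schedule at the time of the issue; the sample Dockerfile and the all-zero digest are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the issue or the project: a small POSIX sh lint
# that flags Node.js base images that are end-of-life or not pinned by digest.
# EOL_NODE_MAJORS is an assumption from the Node.js release schedule as of
# the issue date (14, 16 and 18 are EOL; 20 and 22 are still supported).

EOL_NODE_MAJORS="14 16 18"

# node_image_status IMAGE_REF
# Prints EOL if the ref is a Node.js image on an end-of-life major,
# UNPINNED if it carries no @sha256: digest, and OK otherwise.
node_image_status() {
  ref="$1"
  # Assumes the plain "name:tag[@sha256:digest]" form (no registry port).
  name="${ref%%:*}"; name="${name##*/}"      # node  (from docker.io/library/node)
  tag="${ref#*:}";   tag="${tag%%@*}"        # 18-alpine
  major="${tag%%[!0-9]*}"                    # leading digits of the tag: 18
  if [ "$name" = "node" ]; then
    for m in $EOL_NODE_MAJORS; do
      [ "$major" = "$m" ] && { echo "EOL"; return 0; }
    done
  fi
  case "$ref" in
    *@sha256:*) echo "OK" ;;
    *)          echo "UNPINNED" ;;
  esac
}

# lint_dockerfile FILE
# Prints "<STATUS> <image>" for every base image reference and returns 1
# if any of them is EOL or UNPINNED, so it can gate a CI job.
lint_dockerfile() {
  file="$1"; rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "ARG NODE_IMAGE="*) img="${line#ARG NODE_IMAGE=}" ;;
      "FROM "*)           img="${line#FROM }"; img="${img%% *}" ;;  # drop "AS stage"
      *) continue ;;
    esac
    # FROM ${NODE_IMAGE} refers to the ARG already checked above; skip it.
    case "$img" in \$*) continue ;; esac
    status=$(node_image_status "$img")
    echo "$status $img"
    [ "$status" = OK ] || rc=1
  done < "$file"
  return $rc
}

# Constructed sample Dockerfile mirroring the issue's affected line 1.
sample=$(mktemp)
printf '%s\n' 'ARG NODE_IMAGE=node:18-alpine' 'FROM ${NODE_IMAGE} AS build' > "$sample"
lint_dockerfile "$sample" || echo "findings above: upgrade to node:22-alpine and pin its digest"
rm -f "$sample"
```

Running the script prints `EOL node:18-alpine` followed by the upgrade hint; after changing the `ARG` line to `node:22-alpine@sha256:<digest>` it prints `OK ...` and exits 0. The digest for the current `node:22-alpine` manifest list can be read with `docker buildx imagetools inspect node:22-alpine`. Note that a digest-pinned image no longer moves with the tag, so patch releases of Node.js 22 only arrive when the digest is bumped; pair the pin with a dependency-update bot or a scheduled rebuild check so that pinning does not quietly recreate the same stale-image problem.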

Severity

Low — No immediate exploit, but running EOL software means unpatched vulnerabilities accumulate over time.


Found by automated security audit.
