Summary
The backend `Dockerfile` uses `node:18-alpine` as its base image. Node.js 18 reached End-of-Life on April 30, 2025 and no longer receives security patches from upstream, so any CVE in the bundled runtime stays open in this image line. The tag is also not pinned to a digest, so `docker build` resolves `node:18-alpine` to whatever the registry currently serves and the base layer can change between builds without any change in the repository.
Affected File
```dockerfile
ARG NODE_IMAGE=node:18-alpine
```
Risk
- Known and future CVEs in the Node.js 18 runtime will not be patched; the only remediation is a major-version upgrade, which gets harder the longer it is deferred
- Mutable image tags can silently pull in unexpected changes: the same `Dockerfile` produces different images on different days, which defeats reproducible builds and lets a base-image change bypass code review
Recommendation
Upgrade to Node.js 22 LTS (supported until April 30, 2027) and pin the tag to a digest:

```dockerfile
ARG NODE_IMAGE=node:22-alpine
# or with digest pinning for reproducibility:
# ARG NODE_IMAGE=node:22-alpine@sha256:<pinned-digest>
```

Take the digest from the image you actually tested rather than copying one from elsewhere, for example `docker pull node:22-alpine` followed by `docker inspect --format '{{index .RepoDigests 0}}' node:22-alpine`. A pinned digest also freezes the Alpine package set inside the image, so pair pinning with an automated bump (Renovate or Dependabot Docker updates); otherwise the pin itself becomes the next stale-base-image finding.

Verify application compatibility with Node.js 22 via `npm test` after the upgrade, and rebuild any native (`node-gyp`) dependencies against the new runtime. If the jump to 22 blocks, Node.js 20 LTS (supported until April 30, 2026) is a still-patched interim step.
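The two conditions in this finding (EOL major version, unpinned mutable tag) are mechanical enough to check in CI. The script below is an added example, not part of the audit tooling or the project's own code: it parses `ARG *IMAGE=` defaults and literal `FROM` lines from a Dockerfile and flags EOL lines, odd-numbered non-LTS lines, floating tags such as `node:lts-alpine`, and missing or malformed digests. The EOL cutoff (majors below 20) is an assumption that mirrors the Node.js release schedule at the time of this finding and must be maintained by hand; the sample Dockerfile and its all-`a` digest are constructed placeholders, not the real backend file or a real image digest.

```shell
#!/bin/sh
# Added example: audit Dockerfile base images for EOL Node.js lines and unpinned tags.
# Assumptions (maintain against https://nodejs.org/en/about/previous-releases):
#   - Node.js majors below 20 are End-of-Life as of this finding (18 went EOL 2025-04-30).
#   - Odd-numbered majors (19, 21, 23, ...) are never LTS and should not be production bases.

# check_node_image <image-ref>
# Exit 0: acceptable. Exit 1: one or more findings printed. Exit 2: not a node image, skipped.
check_node_image() {
  ref="$1"
  findings=0
  tag="${ref%%@*}"                      # part before '@', e.g. node:22-alpine
  digest=""
  case "$ref" in *@*) digest="${ref#*@}" ;; esac

  case "$tag" in
    node:*) version="${tag#node:}" ;;   # e.g. 22-alpine, lts-alpine, 18.20.4-alpine3.20
    *) echo "SKIP  $ref: not the official node image"; return 2 ;;
  esac

  major="${version%%[!0-9]*}"           # leading digits only; empty for lts-alpine, current, ...
  if [ -z "$major" ]; then
    echo "FAIL  $ref: floating tag '$version' carries no major version"
    findings=$((findings + 1))
  else
    if [ "$major" -lt 20 ]; then
      echo "FAIL  $ref: Node.js $major is End-of-Life and receives no security patches"
      findings=$((findings + 1))
    fi
    if [ $((major % 2)) -eq 1 ]; then
      echo "FAIL  $ref: Node.js $major is an odd-numbered line, never LTS"
      findings=$((findings + 1))
    fi
  fi

  if [ -z "$digest" ]; then
    echo "WARN  $ref: tag is mutable; pin to @sha256:<digest>"
    findings=$((findings + 1))
  elif ! printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
    echo "FAIL  $ref: malformed digest '$digest'"
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}

# scan_dockerfile <path>
# Checks every ARG *IMAGE=... default and every literal FROM. "FROM ${VAR}" lines are skipped
# because their value is already checked through the ARG default. Exit 1 on any finding.
scan_dockerfile() {
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    ref=""
    case "$line" in
      ARG*IMAGE=*) ref="${line#*=}" ;;
      "FROM \$"*) ;;
      "FROM "*) ref="${line#FROM }"; ref="${ref%% *}" ;;
    esac
    [ -n "$ref" ] || continue
    st=0
    check_node_image "$ref" || st=$?
    [ "$st" -eq 1 ] && rc=1
  done < "$1"
  return "$rc"
}

# write_sample_dockerfile <path>: constructed input for the demo, not the real backend Dockerfile.
# The sha256 value is a placeholder, not a real image digest.
write_sample_dockerfile() {
  cat > "$1" <<'EOF'
ARG NODE_IMAGE=node:18-alpine
FROM ${NODE_IMAGE} AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
FROM node:22-alpine@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa AS runtime
FROM alpine:3.20 AS tools
EOF
}

# To obtain a real digest for pinning (needs network, not run here):
#   docker pull node:22-alpine
#   docker inspect --format '{{index .RepoDigests 0}}' node:22-alpine

sample=$(mktemp)
write_sample_dockerfile "$sample"
if scan_dockerfile "$sample"; then
  echo "OK: no base-image findings"
else
  echo "Base-image findings present; fix the ARG/FROM lines listed above"
fi
rm -f "$sample"
```

Running it against the sample reports the `node:18-alpine` default as EOL and unpinned, accepts the digest-pinned `node:22-alpine` stage, and skips the non-Node stage; wire `scan_dockerfile` into CI so a regression to a mutable or EOL base fails the build.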
Severity
Low — No vulnerability is exploitable today, but an EOL runtime accumulates unpatched vulnerabilities with no upstream fix available, and the mutable tag means the deployed base can change without review.
Found by automated security audit.