From d4250dcaffc4db82d381c068a80c23f7b0155250 Mon Sep 17 00:00:00 2001 From: John Watson Date: Fri, 19 Jun 2026 13:12:05 +0100 Subject: [PATCH 1/5] Update Alpine to 3.24 --- Dockerfile | 4 ++-- JOB.env | 2 +- README.md | 5 ++--- image-matrix.json | 4 ++-- 4 files changed, 7 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index a5d3b64..7a18914 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # Set default values for build arguments -ARG DEFRA_VERSION=3.0.10 -ARG BASE_VERSION=24.16.0-alpine3.23 +ARG DEFRA_VERSION=3.1.0 +ARG BASE_VERSION=24.16.0-alpine3.24 FROM node:$BASE_VERSION AS production diff --git a/JOB.env b/JOB.env index 1e73317..b37cb78 100644 --- a/JOB.env +++ b/JOB.env @@ -1,2 +1,2 @@ -DEFRA_VERSION=3.0.10 +DEFRA_VERSION=3.1.0 IMAGE_NAME=node diff --git a/README.md b/README.md index 02ba148..71f2cbd 100644 --- a/README.md +++ b/README.md @@ -14,9 +14,8 @@ The following table lists the versions of node available, and the parent Node.js | Node version | Parent image | | ------------- | ----------------- | -| 20.20.2 | 20.20.2-alpine3.23 | -| 22.22.3 | 22.22.3-alpine3.23 | -| 24.16.0 | 24.16.0-alpine3.23 | +| 22.22.3 | 22.22.3-alpine3.24 | +| 24.16.0 | 24.16.0-alpine3.24 | Two parent images are created for each version: diff --git a/image-matrix.json b/image-matrix.json index 2e371bf..e38946a 100644 --- a/image-matrix.json +++ b/image-matrix.json @@ -1,4 +1,4 @@ [ - {"nodeVersion": "22.22.3", "alpineVersion": "3.23", "tags": ["latest-22"]}, - {"nodeVersion": "24.16.0", "alpineVersion": "3.23", "tags": ["latest-24", "latest"]} + {"nodeVersion": "22.22.3", "alpineVersion": "3.24", "tags": ["latest-22"]}, + {"nodeVersion": "24.16.0", "alpineVersion": "3.24", "tags": ["latest-24", "latest"]} ] From 8761e5ab7228041af82b1d4cb2e85dd0d22ff4be Mon Sep 17 00:00:00 2001 
From: John Watson Date: Fri, 19 Jun 2026 13:16:31 +0100 Subject: [PATCH 2/5] Update exclusions --- .grype.yaml | 14 ++------------ .trivyignore | 14 ++------------ 2 files changed, 4 insertions(+), 24 deletions(-) diff --git a/.grype.yaml b/.grype.yaml index e885bbc..ece9f1b 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -1,13 +1,3 @@ ignore: - - vulnerability: GHSA-3v7f-55p6-f55p - reason: "Node: 22,24: picomatch patched but not yet available in Node.js base images" - - vulnerability: CVE-2025-60876 - reason: "Node: 22,24: BusyBox wget HTTP header injection, no fix available" - - vulnerability: GHSA-c2c7-rcm5-vvqj - reason: "Node: 22,24: picomatch patched but not yet available in Node.js base images" - - vulnerability: GHSA-f886-m6hf-6m8v - reason: "Node: 22,24: brace-expansion patched but not yet available in Node.js base images" - - vulnerability: GHSA-v2v4-37r5-5v8g - reason: "Node: 22,24: ip-address patched but not yet available in Node.js base images" - - vulnerability: GHSA-jxxr-4gwj-5jf2 - reason: "Node: 24: brace-expansion patched but not yet available in Node.js base images" + - vulnerability: GHSA-vmf3-w455-68vh + reason: "Node: 22,24: npm tar" diff --git a/.trivyignore b/.trivyignore index 64bcf79..d3392b8 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,12 +1,2 @@ -# Node: 22,24: brace-expansion patched but not yet available in Node.js base images -CVE-2026-33750 - -# Node: 22,24: picomatch patched but not yet available in Node.js base images -CVE-2026-33671 -CVE-2026-33672 - -# Node: 22,24: ip-address patched but not yet available in Node.js base images -CVE-2026-42338 - -# Node: 24: brace-expansion patched but not yet available in Node.js base images -CVE-2026-45149 +# Node: 22,24: npm tar +CVE-2026-53655 From cfa977b6af5b8ac1f130a571a6de13104b171962 Mon Sep 17 00:00:00 2001 
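Review bot: The replacement `reason` for GHSA-vmf3-w455-68vh in .grype.yaml ("Node: 22,24: npm tar") names the affected package but no longer records why the finding is accepted or when it should be revisited, and the matching .trivyignore entry for CVE-2026-53655 has the same gap; the entries being removed at least carried "patched but not yet available in Node.js base images" or "no fix available". Keep the justification in the reason string, e.g. `reason: "Node: 22,24: npm tar - fixed upstream, not yet in node base image; re-check on next base bump"`, and give the trivy line an expiry so it cannot persist silently, e.g. `CVE-2026-53655 exp:<REVIEW-DATE>`. Both rules match on the ID alone; if the intent is only to accept this finding in the copy of tar bundled with npm, the grype rule can be narrowed with a `package:` block (`name: tar`) so the same CVE surfacing in another component is still reported.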
From: John Watson Date: Fri, 19 Jun 2026 13:22:46 +0100 Subject: [PATCH 3/5] Update exclusions --- .grype.yaml | 13 +++++++++++++ .trivyignore | 13 +++++++++++++ 2 files changed, 26 insertions(+) diff --git a/.grype.yaml b/.grype.yaml index ece9f1b..28c2577 100644 --- a/.grype.yaml +++ b/.grype.yaml @@ -1,3 +1,16 @@ ignore: + - vulnerability: GHSA-3v7f-55p6-f55p + reason: "Node: 22,24: npm picomatch" + - vulnerability: CVE-2025-60876 + reason: "Node: 22,24: BusyBox" + - vulnerability: GHSA-c2c7-rcm5-vvqj + reason: "Node: 22,24: npm picomatch" + - vulnerability: GHSA-f886-m6hf-6m8v + reason: "Node: 22,24: npm brace-expansion" + - vulnerability: GHSA-v2v4-37r5-5v8g + reason: "Node: 22,24: npm ip-address" + - vulnerability: GHSA-jxxr-4gwj-5jf2 + reason: "Node: 24: npm brace-expansion" - vulnerability: GHSA-vmf3-w455-68vh reason: "Node: 22,24: npm tar" + diff --git a/.trivyignore b/.trivyignore index d3392b8..f95ccff 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,2 +1,15 @@ +# Node: 22,24: npm brace-expansion +CVE-2026-33750 + +# Node: 22,24: npm picomatch +CVE-2026-33671 +CVE-2026-33672 + +# Node: 22,24: npm ip-address +CVE-2026-42338 + +# Node: 24: npm brace-expansion +CVE-2026-45149 + # Node: 22,24: npm tar CVE-2026-53655 From b5875592500afa3aa2c29e4b1709556ecc93de3d Mon Sep 17 00:00:00 2001 From: John Watson Date: Fri, 19 Jun 2026 13:27:27 +0100 Subject: [PATCH 4/5] Update Node --- Dockerfile | 2 +- README.md | 4 ++-- image-matrix.json | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7a18914..1ee22a3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # Set default values for build arguments ARG DEFRA_VERSION=3.1.0 -ARG BASE_VERSION=24.16.0-alpine3.24 +ARG BASE_VERSION=24.17.0-alpine3.24 FROM node:$BASE_VERSION AS production diff --git a/README.md b/README.md index 71f2cbd..b1cf041 100644 --- a/README.md +++ b/README.md 
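Review bot: The six exclusions re-added to .grype.yaml here, and the matching CVE IDs in .trivyignore, are the entries patch 2 removed, re-entered with the justification shortened to a package name; the original reasons ("patched but not yet available in Node.js base images", and "no fix available" for CVE-2025-60876) are exactly what a reviewer needs to judge whether an entry is still valid. That matters because the next patch in the series moves the images to Node 22.23.0/24.17.0, and an exclusion justified by "fix not yet in the base image" should be re-verified against the new images rather than carried over; nothing in these hunks shows that check. For the BusyBox entry, a grype rule using `fix-state: not-fixed` states "no fix available" more precisely than pinning the ID, and an `exp:` date on each .trivyignore line keeps the list self-expiring. The .grype.yaml hunk also appends an empty line after the last `reason:` entry, which yamllint flags as a trailing blank line; drop it.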
@@ -14,8 +14,8 @@ The following table lists the versions of node available, and the parent Node.js | Node version | Parent image | | ------------- | ----------------- | -| 22.22.3 | 22.22.3-alpine3.24 | -| 24.16.0 | 24.16.0-alpine3.24 | +| 22.23.0 | 22.23.0-alpine3.24 | +| 24.17.0 | 24.17.0-alpine3.24 | Two parent images are created for each version: diff --git a/image-matrix.json b/image-matrix.json index e38946a..b1ef93b 100644 --- a/image-matrix.json +++ b/image-matrix.json @@ -1,4 +1,4 @@ [ - {"nodeVersion": "22.22.3", "alpineVersion": "3.24", "tags": ["latest-22"]}, - {"nodeVersion": "24.16.0", "alpineVersion": "3.24", "tags": ["latest-24", "latest"]} + {"nodeVersion": "22.23.0", "alpineVersion": "3.24", "tags": ["latest-22"]}, + {"nodeVersion": "24.17.0", "alpineVersion": "3.24", "tags": ["latest-24", "latest"]} ] From 5b5c9af2d91cf92621c4cc1f2a757634aac000f3 Mon Sep 17 00:00:00 2001 From: John Watson Date: Fri, 19 Jun 2026 13:36:03 +0100 Subject: [PATCH 5/5] Add GitHub permissions --- .github/workflows/auto-update.yml | 4 ++++ .github/workflows/build-scan-push.yml | 8 ++++++++ .github/workflows/nightly-scan.yml | 6 ++++++ 3 files changed, 18 insertions(+) diff --git a/.github/workflows/auto-update.yml b/.github/workflows/auto-update.yml index f851020..8c1b8d0 100644 --- a/.github/workflows/auto-update.yml +++ b/.github/workflows/auto-update.yml @@ -8,9 +8,13 @@ on: branches: - main +permissions: {} + jobs: check-and-update: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 diff --git a/.github/workflows/build-scan-push.yml b/.github/workflows/build-scan-push.yml index c971fd2..00b46dd 100644 --- a/.github/workflows/build-scan-push.yml +++ b/.github/workflows/build-scan-push.yml 
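Review bot: `check-and-update` in auto-update.yml is limited to `contents: read` while the new top-level `permissions: {}` removes every other scope; if any step after the checkout commits, pushes or opens a pull request with `GITHUB_TOKEN`, as the workflow name suggests it might, it will now fail with a 403. The job's steps continue outside the hunk, so confirm that it either only reads or that its writes use a separately provisioned token. If it does write with `GITHUB_TOKEN`, grant the narrowest scope on that job only, e.g. `contents: write` and/or `pull-requests: write`, and keep the top-level `permissions: {}` as is. Pinning actions/checkout to a full commit SHA with the `# v5` annotation is the right pattern; keep the annotation in step with the pin when it moves.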
@@ -5,10 +5,14 @@ on: branches: [ '**' ] workflow_dispatch: +permissions: {} + jobs: get-matrix-values: runs-on: ubuntu-latest + permissions: + contents: read outputs: image: ${{ steps.set-var.outputs.image }} steps: @@ -22,6 +26,8 @@ jobs: build-images: runs-on: ubuntu-latest + permissions: + contents: read needs: get-matrix-values strategy: fail-fast: false @@ -188,6 +194,8 @@ jobs: create-release: runs-on: ubuntu-latest + permissions: + contents: write needs: build-images steps: - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 diff --git a/.github/workflows/nightly-scan.yml b/.github/workflows/nightly-scan.yml index 00f8481..d389b0a 100644 --- a/.github/workflows/nightly-scan.yml +++ b/.github/workflows/nightly-scan.yml @@ -4,9 +4,13 @@ on: schedule: - cron: '0 1 * * *' +permissions: {} + jobs: get-matrix-values: runs-on: ubuntu-latest + permissions: + contents: read outputs: image: ${{ steps.set-var.outputs.image }} steps: @@ -19,6 +23,8 @@ jobs: anchore-scan: runs-on: ubuntu-latest + permissions: + contents: read needs: get-matrix-values strategy: matrix:
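Review bot: `build-images` in build-scan-push.yml receives only `contents: read`, but a job that builds, scans and pushes images commonly needs `packages: write` to push to GHCR with `GITHUB_TOKEN` and `security-events: write` to upload scanner SARIF to code scanning; the job's steps lie outside the hunk, so verify which of these it does (a registry login using a stored secret does not need `packages`). The same check applies to `anchore-scan` in nightly-scan.yml, whose `contents: read` is insufficient if it uploads results to code scanning. `create-release` with `contents: write` is the correct minimum for creating a release, and `contents: read` on the two `get-matrix-values` jobs is fine. The shape of a top-level `permissions: {}` plus per-job grants is the recommended one; any scope that turns out to be needed should be added to the specific job, not at workflow level.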