DEFRA · johnwatson484 · Jun 19, 2026 · Jun 19, 2026 · Jun 19, 2026 · Jun 19, 2026
diff --git a/.github/workflows/auto-update.yml b/.github/workflows/auto-update.yml
@@ -8,9 +8,13 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   check-and-update:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5

diff --git a/.github/workflows/build-scan-push.yml b/.github/workflows/build-scan-push.yml
@@ -5,10 +5,14 @@ on:
     branches: [ '**' ]
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
 
   get-matrix-values:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       image: ${{ steps.set-var.outputs.image }}
     steps:
@@ -22,6 +26,8 @@ jobs:
 
   build-images:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs:  get-matrix-values
     strategy:
       fail-fast: false
@@ -188,6 +194,8 @@ jobs:
 
   create-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     needs: build-images
     steps:
     - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5

diff --git a/.github/workflows/nightly-scan.yml b/.github/workflows/nightly-scan.yml
@@ -4,9 +4,13 @@ on:
   schedule:
     - cron: '0 1 * * *'
 
+permissions: {}
+
 jobs:
   get-matrix-values:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       image: ${{ steps.set-var.outputs.image }}
     steps:
@@ -19,6 +23,8 @@ jobs:
 
   anchore-scan:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     needs:  get-matrix-values
     strategy:
       matrix:

diff --git a/.grype.yaml b/.grype.yaml
@@ -1,13 +1,16 @@
 ignore:
   - vulnerability: GHSA-3v7f-55p6-f55p
-    reason: "Node: 22,24: picomatch patched but not yet available in Node.js base images"
+    reason: "Node: 22,24: npm picomatch"
   - vulnerability: CVE-2025-60876
-    reason: "Node: 22,24: BusyBox wget HTTP header injection, no fix available"
+    reason: "Node: 22,24: BusyBox"
   - vulnerability: GHSA-c2c7-rcm5-vvqj
-    reason: "Node: 22,24: picomatch patched but not yet available in Node.js base images"
+    reason: "Node: 22,24: npm picomatch"
   - vulnerability: GHSA-f886-m6hf-6m8v
-    reason: "Node: 22,24: brace-expansion patched but not yet available in Node.js base images"
+    reason: "Node: 22,24: npm brace-expansion"
   - vulnerability: GHSA-v2v4-37r5-5v8g
-    reason: "Node: 22,24: ip-address patched but not yet available in Node.js base images"
+    reason: "Node: 22,24: npm ip-address"
   - vulnerability: GHSA-jxxr-4gwj-5jf2
-    reason: "Node: 24: brace-expansion patched but not yet available in Node.js base images"
+    reason: "Node: 24: npm brace-expansion"
+  - vulnerability: GHSA-vmf3-w455-68vh
+    reason: "Node: 22,24: npm tar"
+
diff --git a/.trivyignore b/.trivyignore
@@ -1,12 +1,15 @@
-# Node: 22,24: brace-expansion patched but not yet available in Node.js base images
+# Node: 22,24: npm brace-expansion
 CVE-2026-33750
 
-# Node: 22,24: picomatch patched but not yet available in Node.js base images
+# Node: 22,24: npm picomatch
 CVE-2026-33671
 CVE-2026-33672
 
-# Node: 22,24: ip-address patched but not yet available in Node.js base images
+# Node: 22,24: npm ip-address
 CVE-2026-42338
 
-# Node: 24: brace-expansion patched but not yet available in Node.js base images
+# Node: 24: npm brace-expansion
 CVE-2026-45149
+
+# Node: 22,24: npm tar
+CVE-2026-53655
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # Set default values for build arguments
-ARG DEFRA_VERSION=3.0.10
-ARG BASE_VERSION=24.16.0-alpine3.23
+ARG DEFRA_VERSION=3.1.0
+ARG BASE_VERSION=24.17.0-alpine3.24
 
 FROM node:$BASE_VERSION AS production
 

diff --git a/JOB.env b/JOB.env
@@ -1,2 +1,2 @@
-DEFRA_VERSION=3.0.10
+DEFRA_VERSION=3.1.0
 IMAGE_NAME=node
diff --git a/README.md b/README.md
@@ -14,9 +14,8 @@ The following table lists the versions of node available, and the parent Node.js
 
 | Node version  | Parent image       |
 | ------------- | -----------------  |
-| 20.20.2       | 20.20.2-alpine3.23 |
-| 22.22.3       | 22.22.3-alpine3.23 |
-| 24.16.0       | 24.16.0-alpine3.23 |
+| 22.23.0       | 22.23.0-alpine3.24 |
+| 24.17.0       | 24.17.0-alpine3.24 |
 
 Two parent images are created for each version:
 

diff --git a/image-matrix.json b/image-matrix.json
@@ -1,4 +1,4 @@
  [
-    {"nodeVersion": "22.22.3", "alpineVersion": "3.23", "tags": ["latest-22"]},
-    {"nodeVersion": "24.16.0", "alpineVersion": "3.23", "tags": ["latest-24", "latest"]}
+    {"nodeVersion": "22.23.0", "alpineVersion": "3.24", "tags": ["latest-22"]},
+    {"nodeVersion": "24.17.0", "alpineVersion": "3.24", "tags": ["latest-24", "latest"]}
 ]