Resolves blinkbitcoin/blink-wip#395 Co-Authored-By: Claude Opus 4.6 <[email protected]>
Pull request overview
Updates the Node.js base image tag in service Dockerfiles to a specific patch release (20.20.0-alpine) to mitigate the referenced Node CVE and ensure deployed containers run the intended Node version.
Changes:
- Bump `FROM node:20-alpine` to `FROM node:20.20.0-alpine` in `realtime` build + runtime stages
- Bump `FROM node:20-alpine` to `FROM node:20.20.0-alpine` in `history` build + runtime stages
- Bump `history` migration image to `node:20.20.0-alpine`
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| realtime/Dockerfile | Pins Node base image tag to 20.20.0-alpine for build + runtime stages. |
| history/Dockerfile | Pins Node base image tag to 20.20.0-alpine for build + runtime stages. |
| history/Dockerfile-migrate | Pins Node base image tag to 20.20.0-alpine for the migration image. |
| @@ -1,4 +1,4 @@ | |||
| FROM node:20-alpine AS BUILD_IMAGE | |||
| FROM node:20.20.0-alpine AS BUILD_IMAGE | |||
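Review bot: the `AS BUILD_IMAGE` on this line marks a multi-stage file, and per the overview the same `20.20.0` literal is repeated in the runtime stage, so a later bump that edits only one `FROM` would leave the build and runtime stages on different Node releases. Consider declaring `ARG NODE_IMAGE=node:20.20.0-alpine` before the first `FROM` and using `FROM ${NODE_IMAGE}` in both stages so the pin lives in one place.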
Using a mutable tag (even with a pinned Node patch) can still lead to non-reproducible builds if the tag is rebuilt. For stronger supply-chain/reproducibility guarantees, consider pinning the base image by digest (node@sha256:...) and/or an explicit Alpine variant (e.g., -alpine3.xx) in both stages.
| @@ -1,4 +1,4 @@ | |||
| FROM node:20-alpine AS BUILD_IMAGE | |||
| FROM node:20.20.0-alpine AS BUILD_IMAGE | |||
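Review bot: the new `FROM node:20.20.0-alpine AS BUILD_IMAGE` line carries no comment saying why the tag is held at 20.20.0, so a future cleanup could loosen it back to `20-alpine` without anyone noticing the regression. Add a one-line comment above the `FROM` that names the issue this PR resolves and states that 20.20.0 is the minimum acceptable version.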
Using a mutable tag (even with a pinned Node patch) can still lead to non-reproducible builds if the tag is rebuilt. For stronger supply-chain/reproducibility guarantees, consider pinning the base image by digest (node@sha256:...) and/or an explicit Alpine variant (e.g., -alpine3.xx) in both stages.
| @@ -1,4 +1,4 @@ | |||
| FROM node:20-alpine | |||
| FROM node:20.20.0-alpine | |||
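Review bot: this `FROM node:20.20.0-alpine` is another hand-typed copy of the same tag in a separate Dockerfile, and nothing in the change keeps the copies in step. A CI step that compares the `FROM` lines of all three files and fails when they differ would catch a partial bump, and the test plan's `node --version` check should be run against this migration image too, since it is built on its own.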
Using a mutable tag (even with a pinned Node patch) can still lead to non-reproducible builds if the tag is rebuilt. For stronger supply-chain/reproducibility guarantees, consider pinning the base image by digest (node@sha256:...) and/or an explicit Alpine variant (e.g., -alpine3.xx).
| FROM node:20.20.0-alpine | |
| FROM node:20.20.0-alpine3.19 |
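Review bot: the `-alpine3.19` suffix in this suggestion is not derived from anything in the PR, so applying it as written may change the Alpine release under the image rather than only freezing it. Check which Alpine release `node:20.20.0-alpine` resolves to today, use that suffix, and apply it to every `FROM` in the three files rather than to this one alone.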
Summary
`realtime/Dockerfile`, `history/Dockerfile`, `history/Dockerfile-migrate`) from `node:20-alpine` to `node:20.20.0-alpine`

Resolves blinkbitcoin/blink-wip#395
Test plan
`node --version` = 20.20.0

🤖 Generated with Claude Code
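
An added example, not part of the pull request or the project's code: a small Python audit that classifies each `FROM` reference along the lines the review comments draw (floating tag, pinned patch tag, digest) and reports drift across Dockerfiles. The function names, the sample Dockerfile text and the all-zero digest are constructed for illustration.

```python
import re

# FROM [--platform=...] <image ref> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$", re.I)
FULL_VERSION = re.compile(r"^v?\d+\.\d+\.\d+([-.].+)?$")

def classify(ref):
    """Pin level of one image reference: digest > patch-tag > floating."""
    if "$" in ref:
        return "unresolved"            # built from an ARG; cannot judge statically
    name, _, digest = ref.partition("@")
    if re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        return "digest"
    # The tag follows a colon in the last path component (earlier colons are ports).
    tag = name.rsplit("/", 1)[-1].partition(":")[2] or "latest"
    return "patch-tag" if FULL_VERSION.match(tag) else "floating"

def audit(text):
    """Return [(line_no, ref, level)] for every external base image."""
    stages, found = set(), []
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m["ref"]
        # FROM <earlier stage> and FROM scratch pull nothing from a registry.
        if ref.lower() != "scratch" and ref.lower() not in stages:
            found.append((n, ref, classify(ref)))
        if m["stage"]:
            stages.add(m["stage"].lower())
    return found

def drift(files):
    """Distinct external refs across Dockerfiles; more than one means they diverged."""
    return sorted({ref for text in files.values() for _, ref, _ in audit(text)})

# Constructed samples modelled on the FROM lines in this PR; the digest is a placeholder.
PLACEHOLDER = "sha256:" + "0" * 64
BEFORE = "FROM node:20-alpine AS BUILD_IMAGE\nRUN true\nFROM node:20-alpine\n"
AFTER = "FROM node:20.20.0-alpine AS BUILD_IMAGE\nRUN true\nFROM node:20.20.0-alpine\n"
PINNED = f"FROM node:20.20.0-alpine@{PLACEHOLDER} AS build\nFROM build\n"

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("pinned", PINNED)):
        print(label, audit(text))
```

In CI, pass the real file contents to `drift` and fail the job when it returns more than one reference or when `audit` reports a `floating` level.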