diff --git a/Dockerfile b/Dockerfile
index 09d0130..7c9a1f8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,17 +3,20 @@
 # ---------------------------------------------------------------------------
 # Base image pin
 # ---------------------------------------------------------------------------
-# Pinned to a specific minor (20.19) so rebuilds are reproducible and satisfy
-# the package.json `engines` constraint (">=20.19 <22 || >=22.12").
+# Pinned to Node 24 (Active LTS, supported until ~April 2028) so rebuilds are
+# reproducible and satisfy the package.json `engines` constraint
+# (">=20.19 <22 || >=22.12"). Node 20 is EOL (~April 2026) and its frozen
+# `20.19-alpine` snapshot accumulates unpatched CVEs, so we track the
+# actively-patched 24.x line instead.
 # A digest pin is PREFERRED for full immutability, e.g.:
-# FROM node:20.19-alpine@sha256:
-# Add the real sha256 (from `docker buildx imagetools inspect node:20.19-alpine`)
+# FROM node:24-alpine@sha256:
+# Add the real sha256 (from `docker buildx imagetools inspect node:24-alpine`)
 # when you have network access. We do NOT invent a fake digest here.
 # ===========================================================================
 # Stage 1 — builder: install ALL deps, generate Prisma client, build the app
 # ===========================================================================
-FROM node:20.19-alpine AS builder
+FROM node:24-alpine AS builder
 # openssl is required by Prisma's engines.
 RUN apk add --no-cache openssl
@@ -34,7 +37,7 @@ RUN npx prisma generate \
 # ===========================================================================
 # Stage 2 — runtime: pruned prod deps + only the artifacts needed to run
 # ===========================================================================
-FROM node:20.19-alpine AS runtime
+FROM node:24-alpine AS runtime
 # openssl for Prisma engines at runtime (migrate deploy / query engine).
 RUN apk add --no-cache openssl
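Review bot: `FROM node:24-alpine AS builder` (and the matching `AS runtime` line in the second hunk) is a floating major tag, so the header comment's claim that the image is "Pinned ... so rebuilds are reproducible" no longer holds: the tag can move with each 24.x and Alpine refresh, where the old tag at least fixed the minor. Tracking a patched line is a sound reason to float, but the comment should say "tracks the 24.x line" and the image that is actually built should be recorded by digest, so a base change arrives as a reviewed commit rather than silently on the next rebuild. Declaring the reference once would also keep the two stages from drifting apart in a later edit: `ARG NODE_IMAGE=node:24-alpine@sha256:<digest>` ahead of the first `FROM` (the top of the file is outside this hunk), then `FROM ${NODE_IMAGE} AS builder` and `FROM ${NODE_IMAGE} AS runtime`. A 20 to 24 jump also crosses two majors, so it is worth confirming that the Prisma engines and any native modules built in the builder stage are exercised against the new runtime before merge.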