This repository was archived by the owner on May 1, 2026. It is now read-only.

[Node EOL] Upgrade to Node 24 LTS#1

Draft
clintonAbridge wants to merge 2 commits into main from infra-security/node-24-eol-2026-04-24

Conversation

@clintonAbridge

Summary

Migrates this NVIDIA Riva websocket bridge from Node 16 to Node 24 LTS to address EOL findings from Semgrep supply-chain rules (SEC-382). This is the largest jump in the batch (16 -> 24), so the full step-3 breaking-change audit from the node-24-upgrade skill applies.

Findings addressed

  • Dockerfile:1: abridge.supply-chain.dockerfile-node16-eol (high)

Changes

  • Dockerfile: base image node:16 -> Chainguard FIPS node-fips:24 (pinned by digest per security standard). Dropped the npm install -g npm@8.5.5 pin — Node 24 ships npm 11, and the old pin would be a downgrade.
  • .circleci/config.yml: node/test orb version: '16.10' -> '24.0'. Orb kept at circleci/node@4.7 (already supports cimg/node:24.0).
  • package.json: no engines.node field to update; left untouched.

Breaking-change audit (per node-24-upgrade skill)

Scope: server.js, modules/, tests/, riva_client/.

Node 16 -> 18 cliff (most disruptive hurdle for this repo):

  • createHash('md4') / --openssl-legacy-provider / legacy ciphers (des-ede3-cbc, rc2, bf-cbc, rc4, ripemd160, md4): no hits in source or Dockerfile.
  • Embedded cert strength: certificates/cert.pem is 4096-bit RSA + SHA256 (regenerated fresh via make_certs.sh with rsa:4096). Safely above OpenSSL 3.5 level 2's 2048-bit RSA minimum.
  • node-fetch / abort-controller as direct deps: not present — no polyfill removal needed.
  • HTTP headersTimeout / requestTimeout overrides: none. The server uses https.createServer(...).listen() with no timeout tuning, so it'll pick up the Node 18+ defaults (60s headers / 300s request). Websocket upgrade requests complete quickly so this should be fine; slow-ASR long-lived connections happen after the WS upgrade via ws library, not the HTTP server, so they're unaffected.
  • server.address().family (string -> integer): no references.

Node 18 -> 20:

  • new WASI(...), autoSelectFamily, process.exit with non-number: no hits.

Node 20 -> 22:

  • require('punycode'), require('sys'), --loader, crypto.createCipher: no hits.
  • fs.read / fs.readSync without buffer: no hits.

Node 23 / 24 removals:

  • dirent.path, fs.F_OK direct, process.assert, url.parse, util.isX, util._extend, util.log, zlib.bytesRead: no hits.

Native addons / deps worth flagging for reviewers (not blocking this diff):

  • grpc@^1.24.11 — the legacy native-addon gRPC package; deprecated upstream for years and almost certainly won't have prebuilt binaries for Node 24's NODE_MODULE_VERSION 137. @grpc/grpc-js@^1.7.1 is already a dep and is the modern pure-JS replacement. Recommend removing grpc in a follow-up; a quick grep shows no require('grpc') in server.js / modules/ / riva_client/ so it may already be dead.
  • jest@^28.1.3 — skill recommends Jest v29+ for Node 22 and v30 for Node 24. Existing tests may throw jest-environment-node errors; flag for a follow-up bump.
  • bluebird / regenerator-runtime — ES5-era polyfills; likely no-ops on Node 24 but not required.

Tests added

None — no behavioral changes beyond version refs.

How this was tested

  • npm ci — skipped locally (audit workstation; gRPC native addon install is finicky).
  • npm test (Jest 28) — CircleCI will validate on cimg/node:24.0. Expect potential fallout from Jest 28 on Node 24; see flagged follow-up above.
  • Docker build — skipped locally; Chainguard FIPS image not pullable from this workstation.

Reviewers

  • @abridgeai/platform-engineering — as code owner
  • @abridgeai/product-security — security review (Node EOL work)

🤖 Generated with Claude Code
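The breaking-change audit above is a list of grep targets; the following is an added example (not code from the PR or the repository) that turns those targets into a small scanner over source text, grouped by the audit's own version headings. The sample `server.js` contents are constructed.

```javascript
// Added example (not from the PR or the repo): scans source text for the
// Node 16 -> 24 breaking-change patterns the audit above lists, grouped by
// the audit's own version headings. Pure string processing, no modules needed.
const NODE24_AUDIT_PATTERNS = [
  { group: '16->18', label: 'md4 / legacy OpenSSL algorithm name (needs --openssl-legacy-provider)',
    re: /['"](md4|des-ede3-cbc|rc2|bf-cbc|rc4|ripemd160)['"]/ },
  { group: '16->18', label: 'node-fetch / abort-controller polyfill require',
    re: /require\(\s*['"](node-fetch|abort-controller)['"]\s*\)/ },
  { group: '16->18', label: 'explicit HTTP headersTimeout / requestTimeout tuning (re-check vs Node 18+ defaults)',
    re: /\b(headersTimeout|requestTimeout)\s*=[^=]/ },
  { group: '16->18', label: 'server.address().family compared as a string',
    re: /\.family\s*[!=]==?\s*['"]IPv[46]['"]/ },
  { group: '20->22', label: "require('punycode') / require('sys')",
    re: /require\(\s*['"](punycode|sys)['"]\s*\)/ },
  { group: '20->22', label: 'crypto.createCipher / createDecipher (the *iv variants are fine)',
    re: /\bcreate(De)?Cipher\(/ },
  { group: '23/24', label: 'url.parse()', re: /\burl\.parse\(/ },
  { group: '23/24', label: 'util.isX / util._extend / util.log',
    re: /\butil\.(is[A-Z]\w*|_extend|log)\(/ },
  { group: '23/24', label: 'process.assert / fs.F_OK', re: /\b(process\.assert\(|fs\.F_OK\b)/ },
];

// Scan one file's text line by line; one finding per (line, pattern) hit.
function scanSource(fileName, text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const p of NODE24_AUDIT_PATTERNS) {
      if (p.re.test(line)) {
        findings.push({ file: fileName, line: idx + 1, group: p.group, label: p.label, text: line.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample of what a pre-migration server.js might contain.
const SAMPLE_SERVER_JS = [
  "const https = require('https');",
  "const url = require('url');",
  "const crypto = require('crypto');",
  "const target = url.parse(req.url);",                     // flagged: 23/24 list
  "const legacy = crypto.createHash('md4').digest('hex');", // flagged: 16->18 list
  "const ok = crypto.createHash('sha256').digest('hex');",  // clean
  "server.headersTimeout = 120000;",                        // flagged: explicit timeout tuning
].join('\n');

// Human-readable report, one finding per block.
function report(findings) {
  return findings.map(f => `${f.file}:${f.line} [${f.group}] ${f.label}\n    ${f.text}`).join('\n');
}

console.log(report(scanSource('server.js', SAMPLE_SERVER_JS)));
```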

Node.js EOL migration — Node 24 LTS

Addresses Node 16/18/20 EOL findings detected by Semgrep rules:
- abridge.supply-chain.dockerfile-node{XX}-eol
- abridge.supply-chain.nvmrc-node{XX}-eol

See SEC-382 and the node-24-upgrade skill for context.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
clintonAbridge requested review from a team on April 24, 2026 18:50
@coderabbitai

coderabbitai Bot commented Apr 24, 2026

Warning

Rate limit exceeded

@clintonAbridge has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 9 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 5 minutes and 9 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 4ef918f5-e84b-4988-b2a9-2205e67104cd

📥 Commits

Reviewing files that changed from the base of the PR and between 6f455c8 and 2abc127.

📒 Files selected for processing (2)
  • .circleci/config.yml
  • Dockerfile

Remove the `chainguard-private/` segment — not present in Abridge's
Chainguard subscription. The canonical path is `abridge.com/node-fips`
(same path used by the already-migrated clinician-web/main). The
digest is unchanged and valid against the canonical path.

Verified via:
  docker pull us-docker.pkg.dev/abridge-artifact-registry/cgr/abridge.com/node-fips:24@sha256:2ce422dd44b26b25d0dcca2cf9e3c06b6ded78517d5fea7be5ff4a81aa0df54e
  # → node v24.15.0

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>