Summary
Node.js 20 ("Iron") reached end-of-life on April 30, 2026 and no longer receives security patches. The Dockerfile currently uses node:20-slim as the base image for all three build stages.
Affected file
# Dockerfile, line 1
FROM node:20-slim AS base
Impact
- The runtime container will not receive OS-level or Node.js security patches going forward.
- Several of the high-severity CVEs surfaced by
npm audit on this repo are attributable to packages that have been patched in newer Node.js releases or whose fixes depend on a supported runtime.
- Docker Hub already marks
node:20 images as EOL in its vulnerability scanning.
Suggested fix
Replace the base image with the current Active LTS version:
FROM node:22-slim AS base
Node 22 ("Jod") is in Active LTS and receives security patches through April 2027. Note: devDependencies already references "@types/node": "^22.14.1", so the types and runtime would be consistent after this change.
Additional context
Discovered during a security intake review against the Subsplash MCP Server Security Runbook. Happy to submit a PR if helpful.
Summary
Node.js 20 ("Iron") reached end-of-life on April 30, 2026 and no longer receives security patches. The
Dockerfilecurrently usesnode:20-slimas the base image for all three build stages.Affected file
Impact
npm auditon this repo are attributable to packages that have been patched in newer Node.js releases or whose fixes depend on a supported runtime.node:20images as EOL in its vulnerability scanning.Suggested fix
Replace the base image with the current Active LTS version:
FROM node:22-slim AS baseNode 22 ("Jod") is in Active LTS and receives security patches through April 2027. Note:
devDependenciesalready references"@types/node": "^22.14.1", so the types and runtime would be consistent after this change.Additional context
Discovered during a security intake review against the Subsplash MCP Server Security Runbook. Happy to submit a PR if helpful.