Skip to content

chore: upgrade base image from node:20-slim (EOL) to node:22-slim #117

Description

@bcdady

Summary

Node.js 20 ("Iron") reached end-of-life on April 30, 2026 and no longer receives security patches. The Dockerfile currently uses node:20-slim as the base image for all three build stages.

Affected file

# Dockerfile, line 1
FROM node:20-slim AS base

Impact

  • The runtime container will not receive OS-level or Node.js security patches going forward.
  • Several of the high-severity CVEs surfaced by npm audit on this repo are attributable to packages that have been patched in newer Node.js releases or whose fixes depend on a supported runtime.
  • Docker Hub already marks node:20 images as EOL in its vulnerability scanning.

Suggested fix

Replace the base image with the current Active LTS version:

FROM node:22-slim AS base

Node 22 ("Jod") is in Active LTS and receives security patches through April 2027. Note: devDependencies already references "@types/node": "^22.14.1", so the types and runtime would be consistent after this change.

Additional context

Discovered during a security intake review against the Subsplash MCP Server Security Runbook. Happy to submit a PR if helpful.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions