Use non-vulnerable version of Node.js 20.x in Dockerfile

[trivikr]

Describe the Feature

I noticed that social-app uses node:20.11-alpine3.18 which has 13 vulnerabilities.
Search results: https://github.com/search?q=repo%3Abluesky-social%2Fsocial-app+%22node%3A20.11-alpine3.18%22&type=code

Use a version of Node.js that's not vulnerable, like the latest Node.js 20.x alpine
List of official images https://hub.docker.com/_/node

Attachments

No response

Describe Alternatives

No response

Additional Context

No response

[trivikr]

I looked into history, and social-app seems to use node:20.11-alpine3.18 because PDS uses it?
https://github.com/bluesky-social/atproto/blob/c34426fc55e8b9f28d9b1d64eab081985d1b47b5/services/pds/Dockerfile#L3

Pinning alpine3.18 was done in PDS because of incompatibility with sharp in Dec'23 in bluesky-social/atproto#1976. At that time, PDS used sharp@0.32.6 https://github.com/bluesky-social/atproto/blob/a2a07f1e6350a11d009b83551381b1994aef897c/pnpm-lock.yaml#L10499-L10512

[trivikr]

The social-app uses sharp@0.32.6

social-app/yarn.lock

Lines 19525 to 19537 in 05312cc

	sharp@^0.32.6:
	version "0.32.6"
	resolved "https://registry.yarnpkg.com/sharp/-/sharp-0.32.6.tgz#6ad30c0b7cd910df65d5f355f774aa4fce45732a"
	integrity sha512-KyLTWwgcR9Oe4d9HwCwNM2l7+J0dUQwn/yf7S0EnTtb0eVS4RxO0eUSvxPtzT4F3SY+C4K6fqdv/DO27sJ/v/w==
	dependencies:
	color "^4.2.3"
	detect-libc "^2.0.2"
	node-addon-api "^6.1.0"
	prebuild-install "^7.1.1"
	semver "^7.5.4"
	simple-get "^4.0.1"
	tar-fs "^3.0.4"
	tunnel-agent "^0.6.0"

It appears to be safe to upgrade to node:20-alpine3.18

[trivikr]

It appears to be safe to upgrade to node:20-alpine3.18

The alpine3.18 was dropped in nodejs/docker-node#2085

The last release is 20.13.1-alpine3.18 which is also vulnerable.

[trivikr]

I believe the fix is to upgrade sharp to 0.33.x and use compatible alpine variant.

[trivikr]

I looked into some GitHub issues linked in docker-node, and it looks like sharp@0.33.x and alpine-3.19 are compatible
HSLdevcom/digitransit-ui#5005

[trivikr]

I don't see any issue with sharp@0.32 and alpine-3.18

$ docker run --rm node:20-alpine3.18 npm install -g sharp@0.31

added 43 packages in 4s

10 packages are looking for funding
  run `npm fund` for details
npm notice 
npm notice New minor version of npm available! 10.5.2 -> 10.9.0
npm notice Changelog: <https://github.com/npm/cli/releases/tag/v10.9.0>
npm notice Run `npm install -g npm@10.9.0` to update!
npm notice

$ docker run --rm node:20-alpine3.18 npm install -g sharp@0.32

added 55 packages in 4s

10 packages are looking for funding
  run `npm fund` for details
npm notice 
npm notice New minor version of npm available! 10.5.2 -> 10.9.0
npm notice Changelog: <https://github.com/npm/cli/releases/tag/v10.9.0>
npm notice Run `npm install -g npm@10.9.0` to update!
npm notice

[trivikr]

The sharp@0.32.6 requires libvips@8.14.5
https://github.com/lovell/sharp/blob/eefaa998725cf345227d94b40615e090495c6d09/package.json#L162

But alpine-3.19 includes libvips@8.15.0
https://pkgs.alpinelinux.org/packages?name=vips-dev&branch=v3.19

That could cause some issues, although not reproducible with simple npm install
Refs: nodejs/docker-node#2009 (comment)

[trivikr]

Looks like sharp dependency needs to be updated to 0.33.x first.

It comes from @atproto/dev-env

$ yarn why sharp
...
=> Found "sharp@0.32.6"
info Reasons this module exists
   - "@atproto#dev-env#@atproto#bsky" depends on it
   - Hoisted from "@atproto#dev-env#@atproto#bsky#sharp"
   - Hoisted from "@atproto#dev-env#@atproto#pds#sharp"

It was updated in PR bluesky-social/atproto#2958, and social-app will get it when upgrading to:

• @atproto/bsky@0.0.93
• @atproto/dev-env@0.3.61
• @atproto/pds@0.4.70

[trivikr]

Bumping to node:20-alpine3.19 can be posted after #6652 is merged which updates sharp to 0.33.5