Update Node.js base image: 20,22,24 (#126)

docker-parent-image-bot[bot] · web-flow · commit b036a97576ca · 2026-03-30T12:24:51.000+01:00
diff --git a/.github/workflows/build-scan-push.yml b/.github/workflows/build-scan-push.yml
@@ -103,7 +103,7 @@ jobs:
       - name: Run Aqua Trivy scan
         id: trivy-scan
         if: ${{ matrix.target == 'production' }}
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           input: image-${{ matrix.image.nodeVersion }}.tar
           scan-type: image
diff --git a/.github/workflows/nightly-scan.yml b/.github/workflows/nightly-scan.yml
@@ -40,7 +40,7 @@ jobs:
 
       - name: Run Aqua Trivy scan
         id: trivy-scan
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: defradigital/${{env.IMAGE_NAME}}:${{env.DEFRA_VERSION}}-node${{matrix.image.nodeVersion}}
           format: sarif
diff --git a/.grype.yaml b/.grype.yaml
@@ -35,3 +35,9 @@ ignore:
     reason: "Node 24: tar patched but not yet available in Node.js base images"
   - vulnerability: CVE-2026-2673
     reason: "Alpine libcrypto: No fix available"
+  - vulnerability: GHSA-c2c7-rcm5-vvqj
+    reason: "Node 22: picomatch patched but not yet available in Node.js base images"
+  - vulnerability: GHSA-f886-m6hf-6m8v
+    reason: "Node 20: brace-expansion patched but not yet available in Node.js base images"
+  - vulnerability: GHSA-3v7f-55p6-f55p
+    reason: "Node 22: picomatch patched but not yet available in Node.js base images"
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # Set default values for build arguments
-ARG DEFRA_VERSION=3.0.4
-ARG BASE_VERSION=24.14.0-alpine3.23
+ARG DEFRA_VERSION=3.0.5
+ARG BASE_VERSION=24.14.1-alpine3.23
 
 FROM node:$BASE_VERSION AS production
 
diff --git a/JOB.env b/JOB.env
@@ -1,2 +1,2 @@
-DEFRA_VERSION=3.0.4
+DEFRA_VERSION=3.0.5
 IMAGE_NAME=node
diff --git a/README.md b/README.md
@@ -14,9 +14,9 @@ The following table lists the versions of node available, and the parent Node.js
 
 | Node version  | Parent image       |
 | ------------- | -----------------  |
-| 20.20.1       | 20.20.1-alpine3.23 |
-| 22.22.1       | 22.22.1-alpine3.23 |
-| 24.14.0       | 24.14.0-alpine3.23 |
+| 20.20.2       | 20.20.2-alpine3.23 |
+| 22.22.2       | 22.22.2-alpine3.23 |
+| 24.14.1       | 24.14.1-alpine3.23 |
 
 Two parent images are created for each version:
 
diff --git a/image-matrix.json b/image-matrix.json
@@ -1,5 +1,5 @@
  [
-    {"nodeVersion": "20.20.1", "alpineVersion": "3.23", "tags": ["latest-20"]},
-    {"nodeVersion": "22.22.1", "alpineVersion": "3.23", "tags": ["latest-22"]},
-    {"nodeVersion": "24.14.0", "alpineVersion": "3.23", "tags": ["latest-24", "latest"]}
+    {"nodeVersion": "20.20.2", "alpineVersion": "3.23", "tags": ["latest-20"]},
+    {"nodeVersion": "22.22.2", "alpineVersion": "3.23", "tags": ["latest-22"]},
+    {"nodeVersion": "24.14.1", "alpineVersion": "3.23", "tags": ["latest-24", "latest"]}
 ]

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-DEFRA_VERSION=3.0.4`
	`1`	`+DEFRA_VERSION=3.0.5`
`2`	`2`	`IMAGE_NAME=node`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`[`
`2`		`- {"nodeVersion": "20.20.1", "alpineVersion": "3.23", "tags": ["latest-20"]},`
`3`		`- {"nodeVersion": "22.22.1", "alpineVersion": "3.23", "tags": ["latest-22"]},`
`4`		`- {"nodeVersion": "24.14.0", "alpineVersion": "3.23", "tags": ["latest-24", "latest"]}`
	`2`	`+ {"nodeVersion": "20.20.2", "alpineVersion": "3.23", "tags": ["latest-20"]},`
	`3`	`+ {"nodeVersion": "22.22.2", "alpineVersion": "3.23", "tags": ["latest-22"]},`
	`4`	`+ {"nodeVersion": "24.14.1", "alpineVersion": "3.23", "tags": ["latest-24", "latest"]}`
`5`	`5`	`]`