Upgrade to Node 22 and improve security

.github/workflows/ci.yml

@@ -22,14 +22,21 @@ jobs:
     - name: Setup Node.js
       uses: actions/setup-node@v4
       with:
-        node-version: '20.x'
+        node-version: '22.x'
         cache: pnpm
 
     - name: Install dependencies
       run: pnpm install --frozen-lockfile
 
     - name: Build Docker image
       run: pnpm build
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@0.35.0
+      with:
+        image-ref: 'service-stem'
+        severity: 'CRITICAL,HIGH'
+        exit-code: '0'
 
     - name: Upload build artifacts
       uses: actions/upload-artifact@v4

.github/workflows/dependency-check.yml

@@ -21,7 +21,7 @@ jobs:
     - name: Setup Node.js
       uses: actions/setup-node@v4
       with:
-        node-version: '20.x'
+        node-version: '22.x'
         cache: pnpm
 
     - name: Install dependencies
@@ -36,7 +36,7 @@ jobs:
     - name: Run security audit
       id: audit
       run: |
-        pnpm audit --audit-level moderate --format json > audit.json || echo "{}" > audit.json
+        pnpm audit --audit-level high --format json > audit.json || echo "{}" > audit.json
         echo "audit=$(cat audit.json)" >> $GITHUB_OUTPUT
 
     - name: Create issue for outdated dependencies

.github/workflows/lint.yml

@@ -12,7 +12,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [18.x, 20.x]
+        node-version: [22.x]
         package-manager: [pnpm]
 
     steps:

.github/workflows/pr-check.yml

@@ -20,7 +20,7 @@ jobs:
     - name: Setup Node.js
       uses: actions/setup-node@v4
       with:
-        node-version: '20.x'
+        node-version: '22.x'
         cache: pnpm
 
     - name: Verify pnpm installation

.github/workflows/test-coverage.yml

@@ -12,7 +12,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [18.x, 20.x]
+        node-version: [22.x]
         package-manager: [pnpm]
 
     steps:

Dockerfile

@@ -1,5 +1,5 @@
-FROM node:20-alpine AS build
-LABEL MAINTAINER Gaute Rønningen <Gaute.Ronningen@nlb.no> <http://www.nlb.no/>
+FROM node:22.22-alpine3.23 AS build
+LABEL org.opencontainers.image.authors="TL-utviklere@nb.no"
 
 # Install pnpm
 RUN npm install -g pnpm
@@ -16,11 +16,11 @@ RUN pnpm install --frozen-lockfile --prod
 # Bundle app source
 COPY . .
 
-FROM node:20-alpine AS runner
-LABEL MAINTAINER Gaute Rønningen <Gaute.Ronningen@nlb.no> <http://www.nlb.no/>
+FROM node:22.22-alpine3.23 AS runner
+LABEL org.opencontainers.image.authors="TL-utviklere@nb.no"
 
-# Install pnpm in runner stage
-RUN npm install -g pnpm
+# Apply Alpine security updates
+RUN apk upgrade --no-cache
 
 # Create non-root user for security
 RUN addgroup -g 1001 -S nodejs && \
@@ -32,6 +32,9 @@ WORKDIR /usr/src/app
 # Copy built application from build stage
 COPY --from=build --chown=nodejs:nodejs /usr/src/app .
 
+# Remove bundled npm/corepack/yarn node_modules so Trivy does not report their CVEs (we only need node + app at runtime)
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/lib/node_modules/corepack /opt/yarn-v* 2>/dev/null || true
+
 # Switch to non-root user
 USER nodejs
 

package.json

@@ -3,6 +3,9 @@
   "version": "2.0.0",
   "description": "A service to generate text content based on markup",
   "main": "src/index.js",
+  "engines": {
+    "node": ">=22"
+  },
   "dependencies": {
     "@airbrake/node": "^2.1.9",
     "body-parser": "^2.2.0",
@@ -11,7 +14,7 @@
     "dotenv": "^17.2.1",
     "ejs": "^3.1.10",
     "express": "^5.1.0",
-    "fast-xml-parser": "^5.2.5",
+    "fast-xml-parser": "^5.3.6",
     "he": "^1.2.0",
     "jquery": "^3.7.1",
     "jsdom": "^26.1.0",
@@ -56,5 +59,14 @@
     "url": "https://github.com/nlbdev/service-database/issues"
   },
   "homepage": "https://github.com/nlbdev/service-database#readme",
-  "packageManager": "pnpm@10.13.1"
+  "packageManager": "pnpm@10.13.1",
+  "pnpm": {
+    "overrides": {
+      "glob": "10.5.0",
+      "minimatch": "9.0.7",
+      "tar": "7.5.11",
+      "test-exclude": "8.0.0",
+      "trim": ">=0.0.3"
+    }
+  }
 }