Update Node.js base image: 20,22,24

.grype.yaml

@@ -5,7 +5,21 @@ ignore:
     reason: "Node 20: npm patched but not yet available in Node 20 base images"
   - vulnerability: GHSA-29xp-372q-xqph
     reason: "Node 24: Node-tar patched but not yet available in Node.js base images"
+  - vulnerability: GHSA-83g3-92jg-28cx
+    reason: "Node 20: Node-tar patched but not yet available in Node.js base images, issue not exploitable in npm context"
+  - vulnerability: GHSA-8qq5-rm4j-mr97
+    reason: "Node 20: Node-tar patched but not yet available in Node.js base images"
+  - vulnerability: GHSA-r6q2-hw4h-h46w
+    reason: "Node 20: Node-tar patched but not yet available in Node.js base images"    
   - vulnerability: GHSA-5j98-mcp5-4vw2
     reason: "Node 20: Node-glob patched but not yet available in Node.js base images, issue not exploitable in npm context"
   - vulnerability: CVE-2025-60876
     reason: "Alpine BusyBox: No fix available"
+  - vulnerability: GHSA-34x7-hfp2-rc4v
+    reason: "Node 20,22: Node-tar patched but not yet available in Node.js base images"
+  - vulnerability: GHSA-7h2j-956f-4vf2
+    reason: "Node 24: brace-expansion patched but not yet available in Node.js base images"
+  - vulnerability: GHSA-v6h2-p8h4-qcjw
+    reason: "Node 20,22: brace-expansion patched but not yet available in Node.js base images"
+  - vulnerability: GHSA-3ppc-4f35-3m26
+    reason: "Node 22: minimatch patched but not yet available in Node.js base images"

.trivyignore

@@ -6,6 +6,10 @@ CVE-2024-21538
 
 # Node 24: node-tar patched but not yet available in Node.js base images
 CVE-2025-64118
+CVE-2026-24842
+CVE-2026-26960
+CVE-2026-23745
+CVE-2026-23950
 
 # Node 20: Node-glob patched but not yet available in Node.js base images, issue not exploitable in npm context
 CVE-2025-64756
@@ -15,3 +19,12 @@ CVE-2024-58251
 
 # Alpine: SSL client, no fix available
 CVE-2025-46394
+
+# Node 24: brace-expansion patched but not yet available in Node.js base images
+CVE-2026-25547
+
+# Node 24: minimatch patched but not yet available in Node.js base images
+CVE-2026-26996
+
+# Node 22: jsdiff patched but not yet available in Node.js base images
+CVE-2026-24001

Dockerfile

@@ -1,6 +1,6 @@
 # Set default values for build arguments
-ARG DEFRA_VERSION=3.0.0
-ARG BASE_VERSION=24.12.0-alpine3.23
+ARG DEFRA_VERSION=3.0.1
+ARG BASE_VERSION=24.13.1-alpine3.23
 
 FROM node:$BASE_VERSION AS production
 

JOB.env

@@ -1,2 +1,2 @@
-DEFRA_VERSION=3.0.0
+DEFRA_VERSION=3.0.1
 IMAGE_NAME=node

README.md

@@ -14,9 +14,9 @@ The following table lists the versions of node available, and the parent Node.js
 
 | Node version  | Parent image       |
 | ------------- | -----------------  |
-| 20.19.6       | 20.19.6-alpine3.23 |
-| 22.21.1       | 22.21.1-alpine3.23 |
-| 24.12.0       | 24.12.0-alpine3.23 |
+| 20.20.0       | 20.20.0-alpine3.23 |
+| 22.22.0       | 22.22.0-alpine3.23 |
+| 24.13.1       | 24.13.1-alpine3.23 |
 
 Two parent images are created for each version:
 

image-matrix.json

@@ -1,5 +1,5 @@
  [
-    {"nodeVersion": "20.19.6", "alpineVersion": "3.23", "tags": ["latest-20"]},
-    {"nodeVersion": "22.21.1", "alpineVersion": "3.23", "tags": ["latest-22"]},
-    {"nodeVersion": "24.12.0", "alpineVersion": "3.23", "tags": ["latest-24", "latest"]}
+    {"nodeVersion": "20.20.0", "alpineVersion": "3.23", "tags": ["latest-20"]},
+    {"nodeVersion": "22.22.0", "alpineVersion": "3.23", "tags": ["latest-22"]},
+    {"nodeVersion": "24.13.1", "alpineVersion": "3.23", "tags": ["latest-24", "latest"]}
 ]