
chore: normalize Node version declarations to .nvmrc source of truth [AIS-54] #11036

Open

ethan ozelius (ethan-ozelius-contentful) wants to merge 1 commit into master from migrate/node-normalization


Conversation

ethan ozelius (ethan-ozelius-contentful), Contributor, commented Jun 26, 2026

This PR was generated by ai-repo-migrator as part of the fleet-wide Node normalization initiative (AIS-54).

What changed

  • .nvmrc is now the single source of truth for the Node version
  • GitHub Actions workflows read from node-version-file: .nvmrc instead of a hardcoded version
  • Dockerfile uses ARG NODE_VERSION sourced from .nvmrc
  • engines.node and volta.node in package.json are aligned to the same version

Why

Collapsing ~2.7 declaration sites per repo to one means future Node CVE bumps are a single-file change per repo, opened automatically by Renovate. See AIS-54 for full context.
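A drift check for the declaration sites listed above, added here as an example and not code from this PR or from ai-repo-migrator. The sample files are constructed, and the shapes it expects (a bare version in .nvmrc, the same string in engines.node and volta.node, a Dockerfile `ARG NODE_VERSION` with a default, and actions/setup-node reading `node-version-file`) are assumptions:

```python
import json
import re


def check_node_versions(nvmrc, package_json, dockerfile, workflow):
    """Return drift messages; an empty list means every site matches .nvmrc.

    Assumptions (not taken from the PR): .nvmrc holds a bare version such as
    "20", engines.node/volta.node carry that exact string, the Dockerfile
    declares ARG NODE_VERSION with a default, and workflows use
    actions/setup-node with node-version-file.
    """
    want = nvmrc.strip().lstrip("v")
    drift = []
    pkg = json.loads(package_json)
    for section in ("engines", "volta"):
        got = pkg.get(section, {}).get("node")
        if got != want:
            drift.append(f"package.json {section}.node is {got!r}, .nvmrc says {want!r}")
    # Dockerfile: the ARG must default to the .nvmrc value (a bare ARG breaks
    # any build that omits --build-arg) and no FROM may still hardcode node:<ver>.
    m = re.search(r"^ARG\s+NODE_VERSION=(\S+)", dockerfile, re.M)
    if m is None:
        drift.append("Dockerfile: ARG NODE_VERSION has no default")
    elif m.group(1) != want:
        drift.append(f"Dockerfile: ARG NODE_VERSION default {m.group(1)!r} != {want!r}")
    for hit in re.findall(r"^FROM\s+node:(?!\$\{NODE_VERSION\})\S+", dockerfile, re.M):
        drift.append(f"Dockerfile: hardcoded image {hit!r}")
    # Workflow: a literal node-version is drift; node-version-file is the goal.
    for m in re.finditer(r"^\s*node-version:\s*(\S+)", workflow, re.M):
        drift.append(f"workflow: hardcoded node-version {m.group(1)}")
    if not re.search(r"^\s*node-version-file:\s*\.nvmrc", workflow, re.M):
        drift.append("workflow: no step reads node-version-file: .nvmrc")
    return drift


# Constructed sample files: the pre-migration state (hardcoded 21 while
# .nvmrc says 20) and the normalized state the PR aims for.
NVMRC = "20\n"
PKG = '{"engines": {"node": "20"}, "volta": {"node": "20"}}'
DOCKER_BEFORE = "FROM node:21-alpine AS base\n"
DOCKER_AFTER = "ARG NODE_VERSION=20\nFROM node:${NODE_VERSION}-alpine AS base\nUSER node\n"
WF_BEFORE = "steps:\n  - uses: actions/setup-node@v4\n    with:\n      node-version: 21\n"
WF_AFTER = "steps:\n  - uses: actions/setup-node@v4\n    with:\n      node-version-file: .nvmrc\n"

if __name__ == "__main__":
    for msg in check_node_versions(NVMRC, PKG, DOCKER_BEFORE, WF_BEFORE):
        print("DRIFT:", msg)
    print("after migration:", check_node_versions(NVMRC, PKG, DOCKER_AFTER, WF_AFTER))
```

Run it as a CI step after the migration lands so a later hand-edit that re-pins a version in one file is caught before Renovate's next single-file bump.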

wiz-inc-38d59fb8d7 (Bot) commented Jun 26, 2026

Wiz Scan Summary

Scanner                        Findings
Vulnerabilities                -
Sensitive Data                 -
Secrets                        -
IaC Misconfigurations          1 High
SAST Findings                  -
Software Management Findings   -
Total                          1 High

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

@@ -1,4 +1,5 @@
FROM node:21-alpine AS base
ARG NODE_VERSION
FROM node:${NODE_VERSION}-alpine AS base
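Review bot: `ARG NODE_VERSION` is declared with no default, so any `docker build` that does not pass `--build-arg NODE_VERSION=...` expands the next line to `FROM node:-alpine`, an invalid reference, and fails at the first stage; the PR text says the value is sourced from .nvmrc, but this hunk does not show where that injection happens. Either document the required build arg next to the `ARG` line and name the CI step that reads it from .nvmrc, or give it a fallback such as `ARG NODE_VERSION=21` (the value this file pinned before), accepting that a default is one more declaration site to keep aligned. Separately, the Wiz finding on this stage reports a missing `USER` instruction, which this hunk neither introduces nor fixes; since the stage is being edited anyway, adding a non-root `USER` here would close it.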


High IaC Finding

Missing User Instruction
on resource FROM node:${NODE_VERSION}-alpine AS base

More Details
This rule checks whether a `USER` instruction is specified in the Dockerfile. The rule fails when the `USER` instruction is missing, causing the container to run with root privileges (UID 0). If an attacker compromises an application running as root, they gain the privileges needed to potentially escape the container and attack the host node. It also increases the blast radius of a breach, allowing full control to modify files or install malware within the container. Enforcing a non-root user is a fundamental security measure that minimizes the attack surface and contains the impact of a potential compromise.

Expected

The Dockerfile stage should contain the 'USER' instruction

Found

The Dockerfile stage does not contain any 'USER' instruction

Rule ID: b92f539f-06cf-49ba-8beb-7be068868ecb


To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).


To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate

# pull official base image
FROM node:20-buster-slim
ARG NODE_VERSION
FROM node:${NODE_VERSION}-buster-slim
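Review bot: this Dockerfile pinned `node:20-buster-slim` while the other pinned `node:21-alpine`, so moving both to the single .nvmrc value changes the Node major version for at least one of them; confirm the application was exercised on the normalized version before merge. The `-buster-slim` suffix stays hardcoded while the version becomes variable, so the tag only resolves if the official node image publishes a buster-slim variant for whatever .nvmrc names (Debian buster reached end of life in June 2024, so newer Node lines may not have one); consider `-bookworm-slim` or parameterizing the variant too. The same missing-default concern as the first hunk applies: `ARG NODE_VERSION` with no value breaks a plain `docker build`.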

Contributor Author


what is even going on?
