Skip to content

chore: Harden API image Node.js runtime install#30497

Merged
asukaminato0721 merged 3 commits intomainfrom
562e-create-a-pr-for
Jan 5, 2026
Merged

chore: Harden API image Node.js runtime install#30497
asukaminato0721 merged 3 commits intomainfrom
562e-create-a-pr-for

Conversation

@laipz8200
Copy link
Member

@laipz8200 laipz8200 commented Jan 4, 2026
edited
Loading

Important

  1. Make sure you have read our contribution guidelines
  2. Ensure there is an associated issue and you have been assigned to it
  3. Use the correct syntax to link this PR: Fixes #<issue number>.

Summary

Screenshots

Before After
... ...

Checklist

  • This change requires a documentation update, included: Dify Document
  • I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
  • I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
  • I've updated the documentation accordingly.
  • I ran dev/reformat(backend) and cd web && npx lint-staged(frontend) to appease the lint gods
@laipz8200
Updated the API image to install Node.js 20 so the bundled undici com…
0264059 
…es from the 6.x line (Node 20/22), rather than the 5.x line (Node 18). ([npmjs.com](https://www.npmjs.com/undici?utm_source=openai)) - `api/Dockerfile`: added NodeSource repo setup and switched the `nodejs` install to Node 20. CVE-2023-24807 is a ReDoS in undici `Headers.set()`/`Headers.append()` and affects undici versions before 5.19.1. ([nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-24807)) Based on the undici LTS/bundling table, Node 20 should bundle undici 6.x, which is newer than 5.19.1 and thus outside the affected range (inference). ([npmjs.com](https://www.npmjs.com/undici?utm_source=openai)) Tests not run (Dockerfile change only). Next steps: 1. Rebuild the API image and verify `node -p "process.versions.undici"` is >= 5.19.1. 2. Re-run your Docker Scout scan.
@laipz8200
I updated the API Dockerfile to address both findings by verifying th…
f6c1e96 
…e NodeSource key fingerprint before trusting it and pinning the exact `nodejs` package version so builds are deterministic. This keeps NodeSource (for Node 20) while tightening supply‑chain trust. - Added `ARG` pins and fingerprint check, then install `nodejs=${NODE_PACKAGE_VERSION}` in `api/Dockerfile`. - NodeSource key is now verified against `NODESOURCE_KEY_FPR` before it’s written to `/etc/apt/keyrings`. Tests not run (Dockerfile change only). If there’s no hard requirement for NodeSource, I can switch to Debian’s `nodejs` packages instead to reduce the trusted supply chain surface. Next steps: 1. Rebuild the API image to confirm the pinned version is available and installs cleanly. 2. Let me know if you want to drop NodeSource and use Debian’s `nodejs` packages instead.
@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Jan 4, 2026

Summary of Changes

Hello @laipz8200, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the robustness and security of the API Docker image by upgrading the Node.js runtime to version 20 and implementing a more secure and reproducible installation method. By leveraging NodeSource with GPG key verification and version pinning, the changes mitigate risks associated with untrusted package sources and ensure consistent build outcomes.

Highlights

  • Node.js Version Upgrade: The API Docker image now installs Node.js version 20, specifically 20.19.6-1nodesource1, ensuring the use of a recent and stable runtime.
  • Secure Node.js Installation: The installation process has been hardened by fetching Node.js from NodeSource, verifying the GPG signing key fingerprint (6F71F525282841EEDAF851B42F59B5F99B1BE0B4), and adding the repository securely.
  • Reproducible Builds: The Node.js package version is now explicitly pinned, which helps ensure reproducible builds of the API image across different environments and times.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@laipz8200 laipz8200 changed the title Harden API image Node.js runtime install chore: Harden API image Node.js runtime install Jan 4, 2026
gemini-code-assist[bot]
gemini-code-assist bot reviewed Jan 4, 2026
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

The pull request modifies the api/Dockerfile to enhance the Node.js installation process. It introduces specific arguments for NODE_MAJOR, NODE_PACKAGE_VERSION, and NODESOURCE_KEY_FPR to control the Node.js version. The changes involve setting up the official NodeSource APT repository by installing ca-certificates, curl, and gnupg, downloading and verifying the NodeSource GPG key, and then installing a precise version of Node.js from this repository, rather than relying on the default distribution's package.
@laipz8200 laipz8200 marked this pull request as ready for review January 5, 2026 07:16
@dosubot dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. dependencies Pull requests that update a dependency file labels Jan 5, 2026
QuantumGhost
QuantumGhost previously approved these changes Jan 5, 2026
View reviewed changes
Copy link
Collaborator

@QuantumGhost QuantumGhost left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM generally.

However, the EOL of Node.js v20 LTS is 2026-04-30. IMO it's better to upgrade the node.js version to 22.
@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Jan 5, 2026
@crazywoola
Copy link
Member

crazywoola commented Jan 5, 2026

LGTM generally.

However, the EOL of Node.js v20 LTS is 2026-04-30. IMO it's better to upgrade the node.js version to 22.

Agree
@laipz8200
Copy link
Member Author

laipz8200 commented Jan 5, 2026

@crazywoola @QuantumGhost

Thank you for the advice. I've upgraded Node.js to 22.
@asukaminato0721 asukaminato0721 self-requested a review January 5, 2026 12:19
@asukaminato0721 asukaminato0721 merged commit de62627 into main Jan 5, 2026
19 checks passed
@asukaminato0721 asukaminato0721 deleted the 562e-create-a-pr-for branch January 5, 2026 12:19
@dosubot dosubot bot mentioned this pull request Jan 13, 2026
Closed
6 tasks
GareArc pushed a commit that referenced this pull request Jan 16, 2026
@laipz8200 @GareArc
chore: Harden API image Node.js runtime install (#30497)
9b0984e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file lgtm This PR has been approved by a maintainer size:S This PR changes 10-29 lines, ignoring generated files.

4 participants

@laipz8200 @crazywoola @QuantumGhost @asukaminato0721