Fix/docker vulnerabilities #1587

Closed

DeepakNemad wants to merge 15 commits into main from fix/docker-vulnerabilities

Conversation

DeepakNemad (Contributor) commented Mar 23, 2026

  • Fixes openssl package version update from openssl=3.3.3-r0 to openssl=3.3.6-r0

Summary by CodeRabbit

  • Chores
    • Upgraded containerized services to Node.js 24 with Alpine 3.21 for improved performance and security.
    • Pinned critical system dependencies (OpenSSL 3.3.6) across all services for enhanced stability.
    • Optimized container startup by removing redundant database operations from runtime initialization.
    • Enforced non-root user execution in containers for improved security posture.
    • Updated npm dependencies, including runtime packages (multer, TypeORM, Puppeteer, pg, Winston) and development tools (TypeScript, ESLint, Jest, Prettier, OpenTelemetry packages).

Commit messages (truncated as displayed)

…s 24

Signed-off-by: DeepakNemad <deepak.nemade@ayanworks.com>

…heir specific functionality requirements. The changes make the containers more secure and reduce potential vulnerabilities that would be flagged by Trivy scans.

Signed-off-by: DeepakNemad <deepak.nemade@ayanworks.com>
coderabbitai (Bot) commented Mar 23, 2026

Caution: Review failed. The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: de626b56-1413-46aa-8d37-8f104cce6e7a

📥 Commits

Reviewing files that changed from the base of the PR and between 7eb63c6 and 718c965.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (20)
  • Dockerfiles/Dockerfile.agent-provisioning
  • Dockerfiles/Dockerfile.agent-service
  • Dockerfiles/Dockerfile.api-gateway
  • Dockerfiles/Dockerfile.cloud-wallet
  • Dockerfiles/Dockerfile.connection
  • Dockerfiles/Dockerfile.ecosystem
  • Dockerfiles/Dockerfile.geolocation
  • Dockerfiles/Dockerfile.issuance
  • Dockerfiles/Dockerfile.ledger
  • Dockerfiles/Dockerfile.notification
  • Dockerfiles/Dockerfile.oid4vc-issuance
  • Dockerfiles/Dockerfile.oid4vc-verification
  • Dockerfiles/Dockerfile.organization
  • Dockerfiles/Dockerfile.seed
  • Dockerfiles/Dockerfile.user
  • Dockerfiles/Dockerfile.utility
  • Dockerfiles/Dockerfile.verification
  • Dockerfiles/Dockerfile.webhook
  • Dockerfiles/Dockerfile.x509
  • package.json

Walkthrough

Upgraded Node.js base images from v18 to v24 across 17 Dockerfiles, pinned OpenSSL and pnpm versions, enforced frozen lockfiles, added non-root user execution, and removed runtime Prisma commands. Updated package.json dependencies including multer, typeorm, and dev tooling.

Changes

Cohort: Node.js and OpenSSL Base Image Updates
File(s): Dockerfiles/Dockerfile.agent-provisioning, Dockerfile.agent-service, Dockerfile.api-gateway, Dockerfile.cloud-wallet, Dockerfile.connection, Dockerfile.ecosystem, Dockerfile.geolocation, Dockerfile.issuance, Dockerfile.ledger, Dockerfile.notification, Dockerfile.oid4vc-issuance, Dockerfile.oid4vc-verification, Dockerfile.organization, Dockerfile.seed, Dockerfile.user, Dockerfile.utility, Dockerfile.verification, Dockerfile.webhook, Dockerfile.x509
Summary: Updated base images from node:18-alpine to node:24-alpine3.21 and pinned OpenSSL to 3.3.6-r0 across all stages. Added Alpine package updates/upgrades and cache cleanup.

Cohort: pnpm and Dependency Installation Standardization
File(s): Dockerfiles/Dockerfile.* (all 17 files)
Summary: Pinned pnpm to 9.15.3, enforced frozen lockfiles with pnpm i --frozen-lockfile --ignore-scripts, and added pnpm prune --prod in build stages. Changed from copying only package.json to also copying pnpm-lock.yaml.

Cohort: Runtime Security and Startup Simplification
File(s): Dockerfiles/Dockerfile.* (all 17 files)
Summary: Added non-root user creation (nextjs with UID/GID 1001) and removed runtime Prisma migrate/generate commands. Simplified container startup from shell wrappers to direct Node execution.

Cohort: Dependency Version Updates
File(s): package.json
Summary: Upgraded runtime dependencies (multer 1.4.5-lts.1 → ^2.0.2, typeorm ^0.3.10 → ^0.3.28, puppeteer ^21.5.0 → ^21.11.0, pg ^8.16.3 → ^8.18.0, winston 3.4 → ~3.4.0, and others) and dev tooling (TypeScript ^5.1.6 → ^5.9.3, ESLint, Jest, Prettier, ts-jest, and related packages).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested labels

enhancement

Suggested reviewers

  • KambleSahil3
  • ajile-in

Poem

🐰 Hops of joy through Node's new halls,
Version twenty-four now calls,
Security locks where needed most,
Frozen lockfiles—our sturdy post,
Non-root users keep us snug,
Startup swift—a developer's hug! 🎉

Important

Merge conflicts detected (Beta)

  • Resolve merge conflict in branch fix/docker-vulnerabilities

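The Dockerfile pattern the walkthrough describes, written out as an added example rather than a file taken from the PR or the project: the pre-PR shape is kept as comments for contrast, followed by the hardened multi-stage build. The versions (node:24-alpine3.21, openssl=3.3.6-r0, pnpm 9.15.3), the install flags and the nextjs user with UID/GID 1001 come from the walkthrough; the service name, the build script, the dist/apps/user/main.js entry point and the Prisma generate step are assumptions.

```dockerfile
# Added example (not a file from the PR). Service name, build script and the
# dist/ output path are assumptions; versions and flags follow the walkthrough.

# --- Before, for contrast: unpinned base, unpinned tooling, root at runtime ---
# FROM node:18-alpine AS build
# RUN npm install -g pnpm
# COPY package.json ./
# RUN pnpm i
# ...
# CMD ["sh", "-c", "npx prisma migrate deploy && node dist/apps/user/main.js"]

# --- After: build stage on a pinned base image --------------------------------
FROM node:24-alpine3.21 AS build

# Refresh the OS layer and pin the package the scanner flagged. An exact pin
# such as openssl=3.3.6-r0 fails the build if the repository has moved on,
# which is what you want: the pin is bumped on purpose, not drifted.
RUN apk update && apk upgrade --no-cache \
    && apk add --no-cache openssl=3.3.6-r0

WORKDIR /app

# Pin the package manager so the resolver and lockfile format match CI.
RUN npm install -g pnpm@9.15.3

# Copy the lockfile along with package.json and install strictly from it.
# --frozen-lockfile fails instead of silently re-resolving when the two
# disagree; --ignore-scripts keeps third-party install hooks out of the build.
COPY package.json pnpm-lock.yaml ./
RUN pnpm i --frozen-lockfile --ignore-scripts

COPY . .

# Assumed: the project uses Prisma. Because --ignore-scripts skips Prisma's
# postinstall hook, the client is generated here explicitly, at build time,
# so nothing has to run `prisma generate` when the container starts.
RUN pnpm exec prisma generate

# Assumed build script; the output path used in the runtime stage is assumed.
RUN pnpm build

# Drop devDependencies so they never reach the runtime image.
RUN pnpm prune --prod

# --- Runtime stage: same pinned base, non-root user, direct node execution ----
FROM node:24-alpine3.21

RUN apk update && apk upgrade --no-cache \
    && apk add --no-cache openssl=3.3.6-r0 \
    && rm -rf /var/cache/apk/*

WORKDIR /app

# Non-root user with the UID/GID named in the walkthrough (nextjs, 1001).
RUN addgroup -g 1001 -S nodejs && adduser -S nextjs -u 1001 -G nodejs

# Copy only what the service needs, owned by the runtime user.
COPY --from=build --chown=nextjs:nodejs /app/dist ./dist
COPY --from=build --chown=nextjs:nodejs /app/node_modules ./node_modules
COPY --from=build --chown=nextjs:nodejs /app/package.json ./package.json

USER nextjs

# No shell wrapper and no migrate/generate at startup: migrations belong in a
# deploy step with its own credentials, and the generated client is already
# in the image. The exec form also lets Node receive signals directly.
CMD ["node", "dist/apps/user/main.js"]
```

Two things to check after adopting this shape. First, `pnpm i --frozen-lockfile` fails the build whenever package.json and pnpm-lock.yaml disagree, which is why the PR copies both files into the image; bump the lockfile in the same change as the dependency edit. Second, Alpine's stable package repositories keep only the current build of a package, so an exact pin like openssl=3.3.6-r0 will start failing once a newer release lands; treat that failure as a prompt to re-pin after reviewing the change, and pair it with a scanner run (the PR mentions Trivy) so the image is rebuilt against the patched package rather than left on the stale one.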
