fix: resolve critical vulnerabilities and upgrade Docker base image

[DeepakNemad]

Security Updates:

• Update protobufjs 7.5.4→7.5.6 (CVE-2026-41242 RCE fix)
• Update handlebars 4.7.8→4.7.9 (CVE-2026-33937 template injection)
• Update form-data 2.3.3→4.0.5 (CVE-2025-7783 critical fix)
• Update winston 3.4.0→3.19.0, express 4.22.1→5.2.1
• Update helmet 7.2.0→8.1.0, bcrypt 5.1.1→6.0.0
• Update validator, unzipper, supertest to latest secure versions

Dependency Management:

• Add explicit versions for protobufjs, handlebars, form-data to package.json
• Force secure versions of transitive dependencies via dependency pinning
• Prevent vulnerable versions from being pulled by parent packages

Infrastructure:

• Upgrade Docker base image: node:24-alpine3.21 → node:24-alpine3.23
• Improve container security with latest Alpine Linux patches

Summary by CodeRabbit

Chores

• Updated Docker base images to Alpine 3.23 across all microservices for improved stability
• Upgraded multiple dependencies including major updates to Express (v5), Helmet (v8), Axios, Bcrypt, Validator, and Winston

[coderabbitai]

Warning

Rate limit exceeded

@DeepakNemad has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 50 seconds before requesting another review.

To continue reviewing without waiting, purchase usage credits in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f2b48cab-babd-4203-a5b3-48a8bdfbde31

📥 Commits

Reviewing files that changed from the base of the PR and between 0c12bd1 and af81fd2.

📒 Files selected for processing (1)

• package.json

📝 Walkthrough

Walkthrough

This PR updates Node.js Alpine base images from version 3.21 to 3.23 across 16 Dockerfiles and bumps npm package versions including express (v4→v5), axios, bcrypt, helmet, winston, and test dependencies.

Changes

Docker Base Image Updates

Layer / File(s)	Summary
Build Stage Images Dockerfiles/Dockerfile.* (17 files)	All build stages updated from node:24-alpine3.21 to node:24-alpine3.23.
Runtime Stage Images Dockerfiles/Dockerfile.* (15 files)	All final runtime stages updated from node:24-alpine3.21 to node:24-alpine3.23.

NPM Dependency Updates

Layer / File(s)	Summary
Core Dependencies package.json	Major version upgrades: express (^4.22.1 → ^5.2.1), bcrypt (^5.1.1 → ^6.0.0), winston (~3.4.0 → ^3.19.0). Minor/patch updates: axios (^1.13.5 → ^1.16.0), helmet (^7.2.0 → ^8.1.0), unzipper (^0.10.14 → ^0.12.3), validator (^13.15.26 → ^13.15.35).
Dev Dependencies package.json	supertest upgraded from ^6.3.4 to ^7.2.2.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• credebl/platform#1573: Prior PR moved Dockerfile base images to node:24-alpine3.21; this PR further upgrades them to node:24-alpine3.23.

Suggested reviewers

• ajile-in
• RinkalBhojani
• KambleSahil3

Poem

🐰 Hops of joy for base images new,
Alpine 3.23, shiny and bright,
Express leaps from four to five in flight,
Dependencies dance in version delight!
🚀✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: resolving critical vulnerabilities through package updates and upgrading Docker base images from alpine3.21 to alpine3.23.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch security/fix-high-critical-vulnerabilities

Warning

Review ran into problems

🔥 Problems

Timed out fetching pipeline failures after 30000ms

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details

{}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

Dockerfiles/Dockerfile.agent-service (1)

36-36: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix typo in Prisma migrate command in agent-service startup.

Line 36 uses deployy which is not a valid Prisma subcommand and will fail at runtime, blocking container startup and preventing migrations. Change to deploy.

Proposed fix

-CMD ["sh", "-c", "cd libs/prisma-service && npx prisma migrate deployy && cd ../.. && node dist/apps/agent-service/main.js"]
+CMD ["sh", "-c", "cd libs/prisma-service && npx prisma migrate deploy && cd ../.. && node dist/apps/agent-service/main.js"]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfiles/Dockerfile.agent-service` at line 36, The CMD in the container
startup contains a typo: the Prisma subcommand is written as "deployy" which
will fail; update the startup command string used in the Docker CMD (the line
that runs cd libs/prisma-service && npx prisma migrate deployy && ...) to use
the correct Prisma command "migrate deploy" (replace "deployy" with "deploy") so
migrations run successfully before launching node
dist/apps/agent-service/main.js.

Dockerfiles/Dockerfile.agent-provisioning (1)

41-83: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Run the final image as non-root to avoid privileged runtime by default.

This Dockerfile lacks a USER directive in the runtime stage, unlike all 16 other Dockerfiles in this codebase. Add USER nextjs after adjusting ownership of /app to maintain consistency with the established hardening pattern.

Suggested patch

 FROM  node:24-alpine3.23
@@
 RUN set -eux \
     && apk --no-cache add \
         openssh-client \
         aws-cli \
         docker \
         docker-compose \
         jq \
     && npm install -g pnpm --ignore-scripts \
     && export PATH=$PATH:/usr/lib/node_modules/pnpm/bin \
+    && addgroup -g 1001 -S nodejs \
+    && adduser -S nextjs -u 1001 -G nodejs \
     && rm -rf /var/cache/apk/*
@@
 COPY libs/ ./libs/
+
+RUN chown -R nextjs:nodejs /app
+USER nextjs
@@
 CMD ["sh", "-c", "cd libs/prisma-service && npx prisma migrate deploy && npx prisma generate && cd ../.. && node dist/apps/agent-provisioning/main.js"]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfiles/Dockerfile.agent-provisioning` around lines 41 - 83, Add a
non-root runtime user and adjust ownership of /app: create or ensure the
"nextjs" user exists in the runtime image, chown -R /app to nextjs (and any
created dirs like /app/agent-provisioning/AFJ) and then add a USER nextjs line
before the final CMD so the container runs unprivileged; keep the existing chmod
lines but perform chown (e.g., chown -R nextjs:nextjs /app) before switching to
USER nextjs and ensure any commands in CMD (npx prisma, node dist/...) still run
as that user.

package.json (1)

139-139: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

@types/express must be bumped to v5 to match the runtime upgrade to Express 5

@types/express@^4.17.25 (line 139) provides Express 4 type definitions while the production runtime is express@^5.2.1 (line 80). The current latest @types/express is 5.0.6. Using v4 types with Express 5 causes incompatibility and TypeScript compilation errors due to mismatched API surface.

🛠️ Proposed fix

-    "@types/express": "^4.17.25",
+    "@types/express": "^5.0.6",

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 139, The package.json entry for the TypeScript types is
outdated: replace the dependency "@types/express": "^4.17.25" with the Express 5
compatible version (e.g., "^5.0.6") so the `@types` package matches the runtime
express@^5.2.1; update the dependency string for "@types/express" in
package.json and run your install (or yarn/npm lockfile update) to ensure types
and runtime are aligned.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 131: The dependency range for protobufjs in package.json currently allows
the vulnerable 7.5.5; update the version specifier from "protobufjs": "^7.5.5"
to a range that floors at 7.5.6 (for example "protobufjs": "^7.5.6" or ">=7.5.6
<8.0.0") so package managers cannot install 7.5.5; modify the protobufjs entry
in package.json (the dependency key "protobufjs") and then run your lockfile
update (pnpm install / pnpm update protobufjs) to regenerate the lockfile.
- Line 133: The dependency entry "form-data": "^4.0.4" in package.json allows
the vulnerable 4.0.4 to be installed; update the version spec to require at
least 4.0.5 (e.g. change the dependency value for "form-data" from "^4.0.4" to
"^4.0.5" or ">=4.0.5") so the package manager cannot resolve to the vulnerable
4.0.4 release.

---

Outside diff comments:
In `@Dockerfiles/Dockerfile.agent-provisioning`:
- Around line 41-83: Add a non-root runtime user and adjust ownership of /app:
create or ensure the "nextjs" user exists in the runtime image, chown -R /app to
nextjs (and any created dirs like /app/agent-provisioning/AFJ) and then add a
USER nextjs line before the final CMD so the container runs unprivileged; keep
the existing chmod lines but perform chown (e.g., chown -R nextjs:nextjs /app)
before switching to USER nextjs and ensure any commands in CMD (npx prisma, node
dist/...) still run as that user.

In `@Dockerfiles/Dockerfile.agent-service`:
- Line 36: The CMD in the container startup contains a typo: the Prisma
subcommand is written as "deployy" which will fail; update the startup command
string used in the Docker CMD (the line that runs cd libs/prisma-service && npx
prisma migrate deployy && ...) to use the correct Prisma command "migrate
deploy" (replace "deployy" with "deploy") so migrations run successfully before
launching node dist/apps/agent-service/main.js.

In `@package.json`:
- Line 139: The package.json entry for the TypeScript types is outdated: replace
the dependency "@types/express": "^4.17.25" with the Express 5 compatible
version (e.g., "^5.0.6") so the `@types` package matches the runtime
express@^5.2.1; update the dependency string for "@types/express" in
package.json and run your install (or yarn/npm lockfile update) to ensure types
and runtime are aligned.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: efde2fe1-bb07-4599-b7fa-5a1733eef3e9

📥 Commits

Reviewing files that changed from the base of the PR and between da84943 and 0c12bd1.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (20)

• Dockerfiles/Dockerfile.agent-provisioning
• Dockerfiles/Dockerfile.agent-service
• Dockerfiles/Dockerfile.api-gateway
• Dockerfiles/Dockerfile.cloud-wallet
• Dockerfiles/Dockerfile.connection
• Dockerfiles/Dockerfile.ecosystem
• Dockerfiles/Dockerfile.geolocation
• Dockerfiles/Dockerfile.issuance
• Dockerfiles/Dockerfile.ledger
• Dockerfiles/Dockerfile.notification
• Dockerfiles/Dockerfile.oid4vc-issuance
• Dockerfiles/Dockerfile.oid4vc-verification
• Dockerfiles/Dockerfile.organization
• Dockerfiles/Dockerfile.seed
• Dockerfiles/Dockerfile.user
• Dockerfiles/Dockerfile.utility
• Dockerfiles/Dockerfile.verification
• Dockerfiles/Dockerfile.webhook
• Dockerfiles/Dockerfile.x509
• package.json

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud