2 changes: 1 addition & 1 deletion .devcontainer/Dockerfile.plugin
@@ -1,2 +1,2 @@
FROM mcr.microsoft.com/vscode/devcontainers/typescript-node:16 as build
FROM mcr.microsoft.com/vscode/devcontainers/typescript-node:24 as build
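Review bot: the base image is pulled by the mutable tag `typescript-node:24`, and the unchanged `COPY --from=openshift/origin-cli:latest /usr/bin/oc /usr/local/bin/oc` line in the same file floats on `latest`, so two rebuilds of this devcontainer can resolve to different toolchains and a tag repoint in either registry is invisible in review; pin both references by digest (`typescript-node:24@sha256:<digest>`, `origin-cli:<version>@sha256:<digest>`) and move the digest in an explicit commit when the Node line or the oc version is meant to change. Jumping from `:16` to `:24` also skips two LTS lines at once, so the PR description should state which Node range package.json and the dev dependencies declare so the image can be checked against it. Minor: write `AS build` to match the uppercase instruction keywords.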

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
rg -n '"engines"|"node"|node-gyp|prebuild|npm ci' package.json .devcontainer

Repository: openshift/lightspeed-agentic-console

Length of output: 319


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== files ==\n'
git ls-files .devcontainer/Dockerfile.plugin .devcontainer/devcontainer.json package.json

printf '\n== package.json excerpt ==\n'
if [ -f package.json ]; then
  wc -l package.json
  sed -n '1,220p' package.json
fi

printf '\n== devcontainer files ==\n'
for f in .devcontainer/Dockerfile.plugin .devcontainer/devcontainer.json; do
  if [ -f "$f" ]; then
    echo "--- $f"
    wc -l "$f"
    sed -n '1,220p' "$f"
  fi
done

Repository: openshift/lightspeed-agentic-console

Length of output: 5468


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Search for any Node/version-sensitive tooling or native addon indicators.
rg -n --hidden --glob '!.git' --glob '!**/node_modules/**' \
  'engines|node-gyp|prebuild|prebuildify|node-version|\.nvmrc|\.tool-versions|npm ci|npm install|npm rebuild|sass|sharp|canvas|bcrypt|sqlite3|fsevents' \
  .devcontainer package.json .

Repository: openshift/lightspeed-agentic-console

Length of output: 42724


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
import json, re, sys
from pathlib import Path

pkg = json.loads(Path("package.json").read_text())
lock = json.loads(Path("package-lock.json").read_text())

print("package.json engines:", pkg.get("engines"))

# Direct dependencies from package.json
deps = {}
for section in ("dependencies", "devDependencies"):
    deps.update(pkg.get(section, {}))

lock_pkgs = lock.get("packages", {})
root = lock_pkgs.get("", {})
print("package-lock root engines:", root.get("engines"))

# Show direct deps that have engine declarations in lockfile.
print("\nDirect deps with engine declarations:")
for name, ver in sorted(deps.items()):
    path = f"node_modules/{name}"
    meta = lock_pkgs.get(path)
    if meta and "engines" in meta:
        print(f"- {name}@{ver}: {meta['engines']}")

# Find any packages whose engines explicitly exclude Node 24.
def excludes_node24(eng):
    if not eng:
        return False
    node = eng.get("node")
    if not node:
        return False
    # Simple conservative checks for common upper-bound patterns.
    s = str(node)
    if re.search(r'(<\s*24(\.0\.0)?\b)|(<\s*25\b)|(\b<=\s*23\b)|(\b<\s*23\b)', s):
        return True
    # exact disallow list patterns like ">=16 <24"
    if re.search(r'<\s*24\b', s):
        return True
    return False

bad = []
for path, meta in lock_pkgs.items():
    if path == "":
        continue
    if excludes_node24(meta.get("engines")):
        bad.append((path, meta.get("engines")))
print("\nPackages with node engine ranges that appear to exclude Node 24:")
for path, eng in bad[:80]:
    print(f"- {path}: {eng}")
print(f"count={len(bad)}")
PY

Repository: openshift/lightspeed-agentic-console

Length of output: 2151


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the root package metadata in package-lock.json for workspace/package manager hints.
python3 - <<'PY'
import json
from pathlib import Path

lock = json.loads(Path("package-lock.json").read_text())
print("lockfileVersion:", lock.get("lockfileVersion"))
print("packages[''] keys:", sorted(lock.get("packages", {}).get("", {}).keys()))
print("root package entry:", json.dumps(lock.get("packages", {}).get("", {}), indent=2)[:3000])
PY

Repository: openshift/lightspeed-agentic-console

Length of output: 2225


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Check whether installs are configured to fail on engine mismatches.
rg -n --hidden --glob '!.git' --glob '!**/node_modules/**' \
  'engine-strict|strict-ssl|npm config|NPM_CONFIG_ENGINE_STRICT|NODE_OPTIONS|npm ci|postCreateCommand|devcontainer' \
  . .devcontainer package.json package-lock.json .npmrc .npmrc* 2>/dev/null || true

printf '\n== npmrc files ==\n'
git ls-files '.npmrc' '.devcontainer/.npmrc' '.npmrc.*' 2>/dev/null || true

Repository: openshift/lightspeed-agentic-console

Length of output: 2730


🌐 Web query:

npm ci engine-strict default behavior package engines warnings fail install official docs

💡 Result:

By default, the engines field in package.json is advisory only and does not cause npm install or npm ci to fail [1]. When the engines requirements are not met, npm will typically emit a warning but proceed with the installation [2][3][1]. The engine-strict configuration flag (default: false) is the mechanism to change this behavior [4][5]. If engine-strict is set to true, npm is instructed to strictly enforce the engines requirements, causing it to refuse to install or proceed if a package is incompatible with the current Node.js or npm version [4][5].

Regarding npm ci specifically:

- When engine-strict is enabled (set to true), npm ci is designed to respect this flag and will fail the installation with an EBADENGINE error if the engine requirements are not satisfied [6].
- When engine-strict is false (the default), npm ci will generally follow the advisory nature of engines, emitting warnings rather than failing the process [3][1].

If you need to enforce engine compatibility in your project, you can set engine-strict=true in your project's .npmrc file [7][2].


🌐 Web query:

npm ci engine-strict default behavior package engines warnings fail install official docs

💡 Result:

The default behavior of the engines field in package.json is purely advisory [1][2]. When engine-strict is set to its default value of false, npm will not fail an installation if a package's engine requirements (e.g., node or npm version) are not met; it will typically only issue a warning [1][2][3]. If you set engine-strict to true (e.g., in a .npmrc file), npm will strictly enforce these requirements and fail the installation, producing an EBADENGINE error, if the current environment does not satisfy them [4][5][6].

Key considerations regarding this behavior:

- Scope: The engine-strict configuration flag applies to both npm install and npm ci [5].
- Intent: The engines field is designed to inform users of compatibility requirements, not to act as a hard block during standard operations unless explicitly configured to do so [1][2].
- Overrides: Using the --force flag during installation can override engine-strict behavior, allowing the installation to proceed even if requirements are not met [4].
- Potential Issues: There have been reports and discussions regarding the interaction between engine-strict, devEngines, and different npm versions, where some users have observed inconsistent enforcement [7][5][8].

To enforce environment requirements in a project, it is recommended to set engine-strict=true in a project-level .npmrc file [9][3].


Pin Node 22 or update i18next-parser.

i18next-parser is a direct dev dependency and only declares support through Node 22, so this image is outside one of the repo’s toolchain ranges. npm ci won’t fail on engines by default, but the devcontainer is not fully Node 24-compatible yet.

🧰 Tools
🪛 Trivy (0.69.3)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

(IaC/Dockerfile)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.devcontainer/Dockerfile.plugin at line 1, The devcontainer base image is
using Node 24, which is outside the supported range for the direct dev
dependency i18next-parser. Update the FROM image in Dockerfile.plugin to a Node
22 devcontainer (or, if Node 24 is required, first update i18next-parser/tooling
to a version that explicitly supports it) so the devcontainer stays aligned with
the repo toolchain.

COPY --from=openshift/origin-cli:latest /usr/bin/oc /usr/local/bin/oc
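The bot's lockfile script above decides "excludes Node 24" with a couple of regexes over the engines string, which misreads ranges such as `^18 || ^20 || ^22` or `18 - 22` (neither contains `<24`, both exclude Node 24). The check below is an added example for this review, not code from the PR or the repository: it evaluates each `engines.node` range against a target Node version with a small semver range evaluator (comparators, `^`, `~`, x-ranges, hyphen ranges and `||` alternatives), lists the packages that reject the version, and also reports which Node major lines every package accepts, which is the question behind "pin Node 22". The lockfile it reads is constructed inline; the package names and ranges in it are hypothetical and are not the repository's real dependency metadata.

```python
"""Judge a package-lock.json against a target Node version with a real (subset) semver
range evaluator: comparators, ^, ~, x-ranges, hyphen ranges and '||' alternatives.
Added example for this review, not code from the PR or the repository; the lockfile
below is constructed and every engines value in it is hypothetical."""
import re
from typing import Dict, List, Tuple

_PART_RE = re.compile(r"^v?(\d+)(?:\.(\d+|[xX*]))?(?:\.(\d+|[xX*]))?$")
_OPS = {">=": lambda v, b: v >= b, ">": lambda v, b: v > b, "=": lambda v, b: v == b,
        "<": lambda v, b: v < b, "<=": lambda v, b: v <= b}

def _parts(text: str) -> List[int]:
    """Numeric components actually given: '18' -> [18], '18.2.x' -> [18, 2], 'v20.1.3' -> [20, 1, 3]."""
    m = _PART_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version syntax: {text!r}")
    out: List[int] = []
    for piece in m.groups():
        if piece is None or piece in ("x", "X", "*"):
            break
        out.append(int(piece))
    return out

def _fill(parts: List[int]) -> Tuple[int, int, int]:
    """Pad a partial spec with zeros: [18, 2] -> (18, 2, 0)."""
    return tuple((parts + [0, 0, 0])[:3])  # type: ignore[return-value]

def _bump(parts: List[int]) -> Tuple[int, int, int]:
    """First version above everything a partial spec covers: [18] -> (19, 0, 0), [18, 2] -> (18, 3, 0)."""
    return _fill(parts[:-1] + [parts[-1] + 1])

def _comparators(token: str) -> List[Tuple[str, Tuple[int, int, int]]]:
    """Expand one token ('^18', '>=16', '<24', '18.x', '*') into (op, version) comparators."""
    if token in ("", "*", "x", "X"):
        return []
    op, spec = re.match(r"^(>=|<=|\^|~|>|<|=)?(.+)$", token).groups()
    p, lo = _parts(spec), _fill(_parts(spec))
    if op == "^":  # caret: up to the next change of the leftmost non-zero component
        if p[0] != 0 or len(p) == 1:
            return [(">=", lo), ("<", (p[0] + 1, 0, 0))]
        if len(p) == 2 or p[1] != 0:
            return [(">=", lo), ("<", (0, p[1] + 1, 0))]
        return [(">=", lo), ("<", (0, 0, p[2] + 1))]
    if op == "~":  # tilde: patch-level changes only (minor-level when only a major is given)
        return [(">=", lo), ("<", _bump(p[:2]))]
    if op in (">=", "<") or (op in (">", "<=", "=") and len(p) == 3):
        return [(op, lo)]
    if op == ">":  # '>18' means '>=19.0.0'
        return [(">=", _bump(p))]
    if op == "<=":  # '<=23' means '<24.0.0'
        return [("<", _bump(p))]
    if len(p) < 3:  # bare partial such as '18' or '18.x' covers that whole line
        return [(">=", lo), ("<", _bump(p))]
    return [("=", lo)]

def _alternative(text: str) -> List[Tuple[str, Tuple[int, int, int]]]:
    """One '||' alternative: either a hyphen range or a whitespace-separated comparator set."""
    text = re.sub(r"([<>=~^]+)\s+", r"\1", text.strip())  # '>= 18' -> '>=18'
    if " - " in text:
        lo, hi = (_parts(s) for s in text.split(" - ", 1))
        return [(">=", _fill(lo)), ("<", _bump(hi)) if len(hi) < 3 else ("<=", _fill(hi))]
    return [c for tok in text.split() for c in _comparators(tok)]

def satisfies(version: str, range_text: str) -> bool:
    """True when `version` (e.g. '24.0.0') lies inside the npm-style `range_text`."""
    v = _fill(_parts(version))
    return any(all(_OPS[op](v, b) for op, b in _alternative(alt)) for alt in range_text.split("||"))

def incompatible_packages(lock: Dict, node_version: str) -> List[Tuple[str, str]]:
    """Lockfile entries (root '' excluded) whose engines.node range rejects node_version."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        engines = meta.get("engines") or {}
        rng = engines.get("node") if path and isinstance(engines, dict) else None
        if rng and not satisfies(node_version, rng):
            hits.append((path, rng))
    return hits

def compatible_majors(lock: Dict, candidates=range(16, 27)) -> List[int]:
    """Node major lines every package accepts; each major is tried as a fully patched x.999.999."""
    return [m for m in candidates if not incompatible_packages(lock, f"{m}.999.999")]

# Constructed lockfile in the lockfileVersion 3 layout; names and ranges are hypothetical.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-plugin", "engines": {"node": ">=18"}},
        "node_modules/i18n-extractor": {"version": "9.0.0", "engines": {"node": "^18 || ^20 || ^22"}},
        "node_modules/legacy-addon": {"version": "2.1.0", "engines": {"node": ">=16 <24"}},
        "node_modules/hyphen-dep": {"version": "1.0.0", "engines": {"node": "18 - 22"}},
        "node_modules/old-loose": {"version": "1.0.0", "engines": {"node": ">=14.17"}},
        "node_modules/no-engines": {"version": "3.0.0"},
    },
}

if __name__ == "__main__":
    for path, rng in incompatible_packages(SAMPLE_LOCK, "24.0.0"):
        print(f"Node 24 is rejected by {path}: {rng}")
    print("Node majors accepted by every package:", compatible_majors(SAMPLE_LOCK))
```

Run against a real checkout by loading `package-lock.json` with `json.load` in place of `SAMPLE_LOCK`. On the constructed data, Node 24 is rejected by three packages and the accepted majors are 18, 20 and 22, so the newest base image the lockfile supports is the Node 22 one. This check is advisory in the same way the bot's web query describes: with the default `engine-strict=false`, `npm ci` only warns on a mismatch, so pairing a check like this with `engine-strict=true` in the project's `.npmrc` is what turns a stale base image into a failed install rather than a warning scrolled past in the devcontainer log. Prerelease tags (`-rc.1`) are deliberately outside this evaluator's subset.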