
chore: set min-release-age for supply chain protection, use latest …#63

Open
ALPAC-4 wants to merge 1 commit into main from chore/supply-chain-protection


Conversation

Contributor

@ALPAC-4 ALPAC-4 commented Apr 1, 2026

…npm version

Summary by CodeRabbit

Chores

  • Runtime Upgrade: Node.js base runtime updated from version 20 to version 22, providing enhanced performance, improved security patches, and better language feature support
  • Build Process: Build configuration enhanced with deterministic package installation methods to ensure reproducible and consistent builds across all environments

@coderabbitai

coderabbitai Bot commented Apr 1, 2026

Walkthrough

Upgraded Docker base image from Node.js 20 (bullseye) to Node.js 22 (bookworm). Added .npmrc configuration file with min-release-age=7 setting. Modified Dockerfile to copy .npmrc and use npx -y npm@11 ci for deterministic, lockfile-based installs instead of npm install.

Changes

Cohort / File(s): Summary
NPM Configuration (.npmrc): Added min-release-age=7 setting for npm release management.
Docker Infrastructure (Dockerfile): Upgraded Node.js base image from 20-bullseye to 22-bookworm; modified dependency install to copy package-lock.json and .npmrc; switched from npm install to npx -y npm@11 ci for deterministic builds.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 From Node twenty to twenty-two we hop,
With .npmrc config, no builds will stop!
Lockfiles and bookworm in docker embrace,
npm@11 brings deterministic grace! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name / Status / Explanation
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title accurately reflects the main changes: setting min-release-age for supply chain protection and upgrading to use the latest npm version (node:22-bookworm and npm@11).
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

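To show what the min-release-age=7 setting in this PR actually gates, here is an added illustration (not npm's own code and not part of the PR): a registry packument's "time" map records when each version was published, and a resolver honouring a minimum release age treats any version younger than the threshold as not yet installable. The package, versions and timestamps below are constructed for the example.

```javascript
// Added illustration of the min-release-age gate (not npm's implementation):
// versions published less than minAgeDays before "now" are held back, so a
// freshly published malicious release is not picked up before the ecosystem
// has had time to notice and yank it.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample "time" map for a hypothetical package (not a real one).
const sampleTimes = {
  created: "2025-01-10T00:00:00.000Z",
  modified: "2026-03-30T12:00:00.000Z",
  "1.4.0": "2026-01-15T00:00:00.000Z",
  "1.4.1": "2026-03-20T09:00:00.000Z",
  "1.5.0": "2026-03-30T12:00:00.000Z", // two days old at the sample "now"
};

// Split versions into those old enough to install and those held back.
function applyMinReleaseAge(timeMap, minAgeDays, now = new Date()) {
  const cutoff = now.getTime() - minAgeDays * DAY_MS;
  const eligible = [];
  const heldBack = [];
  for (const [version, published] of Object.entries(timeMap)) {
    if (version === "created" || version === "modified") continue; // metadata keys
    const publishedMs = Date.parse(published);
    if (Number.isNaN(publishedMs)) continue; // ignore malformed timestamps
    (publishedMs <= cutoff ? eligible : heldBack).push(version);
  }
  return { eligible, heldBack };
}

// Numeric x.y.z comparison (enough for the sample; real semver also has pre-release tags).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Highest version the gate allows, or null when every version is too new.
function newestEligible(timeMap, minAgeDays, now = new Date()) {
  const { eligible } = applyMinReleaseAge(timeMap, minAgeDays, now);
  return eligible.sort(compareVersions).pop() ?? null;
}

const sampleNow = new Date("2026-04-01T12:00:00.000Z"); // fixed clock for the sample
console.log(applyMinReleaseAge(sampleTimes, 7, sampleNow)); // 1.5.0 is held back
console.log("would install:", newestEligible(sampleTimes, 7, sampleNow)); // "1.4.1"
```

Because npm ci installs exactly what package-lock.json records, a gate like this is most consequential at the moment the lockfile is generated or updated.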


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (3)
Dockerfile (3)

9-11: Add --no-install-recommends to reduce attack surface and image bloat.

Suggested change
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
     python3 make g++ libusb-1.0-0-dev libudev-dev \
  && rm -rf /var/lib/apt/lists/*
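Review bot: even with `--no-install-recommends`, this layer still leaves a full native build toolchain (python3, make, g++) plus the libusb and libudev development headers in the image; if this stage is also the one that runs `npm start`, consider a multi-stage build that compiles native addons in a builder stage and copies only the resulting node_modules forward, so the compiler and dev headers are absent from the runtime image.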
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 9 - 11, The RUN apt-get line in the Dockerfile
installs packages without --no-install-recommends; update the RUN command that
executes apt-get install (the line installing python3, make, g++,
libusb-1.0-0-dev, libudev-dev) to include --no-install-recommends to avoid
pulling recommended packages and reduce image size/attack surface while keeping
the existing apt-get update and the trailing rm -rf /var/lib/apt/lists/*
cleanup.

14-14: Pin npm to an exact version like npm@11.12.1 instead of npm@11.

Using a floating major version can introduce build drift across different CI runs. Exact version pinning ensures reproducible, stable container builds. The latest stable npm 11.x release is 11.12.1.

🤖 Prompt for AI Agents

In `@Dockerfile` at line 14, Replace the floating npm major in the Dockerfile RUN
line to a fixed exact release to ensure reproducible builds: change the RUN
command that currently uses "RUN npx -y npm@11 ci" so it pins to the exact
version "npm@11.12.1" (keep the npx -y and ci flags intact).

1-1: Pin the base image by digest for reproducible and stronger supply-chain builds.

node:22-bookworm is mutable; pinning to a specific digest prevents silent base image drift. Use the current manifest digest from Docker Hub to ensure consistent, reproducible builds across environments.

Suggested change
-FROM node:22-bookworm
+FROM node:22-bookworm@sha256:51870906e4c02a9c8076848dfaca4fd2329630c945e81e06d1cb1a475c042919
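Review bot: the digest in the `+FROM` line should be read from the registry at the time of the commit rather than copied from this comment, and a digest pin also freezes out the security patches the floating `22-bookworm` tag would otherwise pull in, so pair it with an automated digest-update job or a documented refresh cadence; keeping the human-readable tag in front of `@sha256:` as the hunk does is good, since it records which release the digest was meant to be.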
🤖 Prompt for AI Agents

In `@Dockerfile` at line 1, The Dockerfile currently uses the mutable tag "FROM
node:22-bookworm"; replace it with a pinned image digest by querying the Node
image manifest on Docker Hub and updating the FROM line to "FROM
node:22-bookworm@sha256:<current-digest>" (use the actual digest you retrieve)
so builds are reproducible and resistant to base-image drift; ensure you update
the Dockerfile's existing FROM node:22-bookworm entry with that digest and
commit the change.
🤖 Prompt for all review comments with AI agents

Inline comments:
In `@Dockerfile`:
- Line 37: The container currently runs as root because CMD ["npm", "start"] is
issued without switching users; create a non-root user (e.g., "appuser") and
switch to it with a USER directive before the CMD, ensure ownership/permissions
of the application directory and any runtime files (chown/chmod the app
directory and node_modules to the new user) so npm start can run as that user,
and add the user creation step (and any required group) earlier in the
Dockerfile so the image no longer runs processes as root.


📥 Commits

Reviewing files that changed from the base of the PR and between db86db2 and 586a65b.

📒 Files selected for processing (2)
  • .npmrc
  • Dockerfile

Comment thread Dockerfile
Member

@beer-1 beer-1 left a comment


LGTM
