Summary
The picofuzz/Dockerfile currently uses node:25-alpine as its base image, while all CI workflows standardise on Node.js 24 (verified across .github/workflows/*.yml files and @tsconfig/node24 TypeScript config). This version split weakens test fidelity because code certified on Node 24 in CI may behave differently in the container running Node 25.
Additionally, the Dockerfile has no USER directive, which means the container runs as root — a security concern flagged by Trivy (rule DS-0002).
Issues
- Node.js version mismatch — Dockerfile pins node:25-alpine; CI uses Node 24.
- Container runs as root — No USER directive / non-root user defined.
Suggested remediation
- Change FROM node:25-alpine → FROM node:24-alpine (or bump the entire codebase to 25 consistently).
- Add a dedicated non-root user and a USER instruction to the Dockerfile.
References
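A small pre-merge check for the two findings described above, as an added example that is not part of the original issue or the project's code. The function name `check_dockerfile`, the sample Dockerfile contents and the simplified root test (it is not Trivy's implementation of DS-0002) are assumptions; `USER node` relies on the `node` account that the official Node.js images ship.

```shell
#!/bin/sh
# usage: check_dockerfile <Dockerfile> <Node major used in CI>
# Prints one line per finding and returns 1 if anything was found.
check_dockerfile() {
    awk -v want="$2" '
        { key = toupper($1) }
        key == "FROM" {                      # each FROM starts a new build stage
            image = ($2 ~ /^--platform=/) ? $3 : $2
            user = ""                        # simplification: every stage starts as root
        }
        key == "USER" { user = $2 }          # the last USER in the final stage wins
        END {
            # Only literal node:<major> tags are compared; ARG-built tags are skipped.
            if (image ~ /^node:[0-9]/ || image ~ /\/node:[0-9]/) {
                major = image
                sub(/^.*node:/, "", major)   # "25-alpine"
                sub(/[^0-9].*$/, "", major)  # "25"
                if (major != want) {
                    printf "node-version-mismatch: image %s, CI uses Node %s\n", image, want
                    bad = 1
                }
            }
            if (user == "" || user ~ /^(root|0)(:.*)?$/) {
                print "runs-as-root: final stage has no non-root USER"
                bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed samples: the state the issue describes, and the remediated form.
demo_dir=$(mktemp -d)
printf 'FROM node:25-alpine\nWORKDIR /app\nCMD ["node", "index.js"]\n' > "$demo_dir/before"
printf 'FROM node:24-alpine\nWORKDIR /app\nUSER node\nCMD ["node", "index.js"]\n' > "$demo_dir/after"
check_dockerfile "$demo_dir/before" 24 || echo "before: findings listed above"
check_dockerfile "$demo_dir/after" 24 && echo "after: clean"
```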