Bump Node.js to 20.20.0 (January 2026 security release)#1978
Merged
YaritzaGarcia merged 2 commits intoGSA:mainfrom Mar 5, 2026
Merged
Bump Node.js to 20.20.0 (January 2026 security release)#1978YaritzaGarcia merged 2 commits intoGSA:mainfrom
YaritzaGarcia merged 2 commits intoGSA:mainfrom
Conversation
YaritzaGarcia
approved these changes
Mar 4, 2026
Collaborator
YaritzaGarcia
left a comment
YaritzaGarcia
left a comment
There was a problem hiding this comment.
Looks good to me!
amian-gsa
pushed a commit
that referenced
this pull request
Mar 17, 2026
#1978) Addresses CVE-2025-55130, CVE-2025-55131, CVE-2025-55132, CVE-2025-59465, CVE-2025-59466. Co-authored-by: Luis Metzger <luismetzger@me.com> Co-authored-by: Yaritza M. Garcia Chaparro <yaritza.garcia@gsa.gov>
amian-gsa
added a commit
that referenced
this pull request
Mar 17, 2026
* SRCH-6338 Triggering build. * SRCH-6338 Triggering build. * fix(deploy): add ApplicationStop hook to clean up Capistrano repo directory - Add cleanup_deployment.sh script to remove /home/search/searchgov/repo - Update appspec.yml to include ApplicationStop lifecycle hook - Prevents CodeDeploy failure caused by existing non-empty repo directory from Capistrano - Resolves conflict between Capistrano and CodeDeploy deployment methods * SRCH-6338 Fixed the issue of existing cached repo folder. * fix(deploy): clean up Git state instead of removing repo directory - Update cleanup_deployment.sh to clean Git locks and stale refs - Prevents 'cannot lock ref' errors during Capistrano deployment - Preserves repo directory while resetting Git state to clean condition - Removes .lock files, packed-refs, and prunes stale remote branches * fix(deploy): add dual-layer protection against repo directory conflicts Option A: Pre-build cleanup - Add SSH-based cleanup in buildspec pre_build phase - Remove repo directories on all target servers before Capistrano runs - Prevents 'already exists and is not an empty directory' errors Option B: Capistrano configuration improvements - Enable git_shallow_clone for faster, lighter clones - Set git_keep_meta to false to reduce repo bloat - Improves Capistrano's handling of existing repositories This combination ensures repo cleanup happens at the right time (before Capistrano) and configures Capistrano to handle repos more efficiently. * fix(deploy): remove git_shallow_clone setting causing shallow file errors - Remove git_shallow_clone and git_keep_meta from deploy.rb - These settings caused 'fatal: shallow file has changed since we read it' errors - Keep only the pre-build cleanup in buildspec which is the primary fix - Pre-build cleanup (Option A) is sufficient to resolve repo directory conflicts * fix(deploy): clean Git refs instead of removing repo directory - Update buildspec pre_build to clean Git state rather than delete directory - Remove all Git lock files, packed-refs, and branch refs - Prevents 'cannot lock ref' errors caused by stale Git references - Preserves repo directory structure while resetting Git state - Addresses concurrent deployment scenarios (e.g., Ansible pipeline) This approach prevents conflicts when multiple deployment processes (buildspec, Ansible, etc.) interact with the same repo directory. * fix(deploy): use aggressive repo directory removal to prevent ref locking - Completely remove /home/search/searchgov/repo directory before Capistrano - Add chmod -R u+w to handle any permission issues before removal - Ensures fresh clone without any Git state conflicts - Previous approaches (ref cleanup, Git state cleanup) insufficient for race conditions This is the most reliable approach to prevent 'cannot lock ref' errors when multiple deployments or processes interact with the same repo. * fix(deploy): clean repo on ALL server groups (APP, CRON, RESQUE) Critical fix: Previous cleanup only targeted APP_SERVER_ADDRESSES, but Capistrano deploys to multiple server groups in parallel (app, cron, resque servers). Changes: - Combine APP_SERVER_ADDRESSES, CRON_SERVER_ADDRESSES, RESQUE_SERVER_ADDRESSES - Use jq to create unique list of all target servers - Clean repo directory on every server before Capistrano starts - Prevents ref locking errors caused by inconsistent Git state across server groups This resolves the persistent 'cannot lock ref' errors by ensuring ALL servers have clean Git state before parallel deployment begins. * debug(deploy): add comprehensive logging to pre-build cleanup Added detailed logging to diagnose why repo cleanup isn't preventing ref locking: Logging includes: - All environment variables (server addresses, paths) - Complete server list with count - Per-server SSH connection details (verbose) - Directory existence checks and contents - Step-by-step cleanup process - Success/failure tracking with exit codes - Summary statistics (successful vs failed cleanups) This will help identify: 1. If SSH connections are reaching all servers 2. If repo directories are being found 3. If removal is actually succeeding 4. Which specific servers might be failing 5. Any permission or timing issues Next step: Run pipeline and review pre_build logs to see what's happening. * SRCH-6338 Removed the cleanup and added flock based lock instead to avoid race conditions. * SRCH-6338 Added deployment level lock to capistrano. * SRCH-6338 Added deployment level lock to capistrano. * SRCH-6338 Added deployment level lock to capistrano. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Using code deploy based deployment. * SRCH-6338 Using code deploy based deployment. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Added pem file content to dev env. * SRCH-6338 Removed KMS related logic. * SRCH-6338 Removed KMS related logic. * SRCH-6338 Added missing compilation step. * SRCH-6338 Added missing compilation steps from dockerfile. * SRCH-6338 Added missing compilation steps from dockerfile. * SRCH-6338 Added missing compilation steps from dockerfile. * SRCH-6338 Made changes to set vars and fix precompile issues. * SRCH-6338 Made changes to set vars and fix precompile issues. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Added setting to resolve 403 error. * SRCH-6338 Updated documentation. * SRCH-6338 Added .idea to .gitignore * Fix extra invalid OpenSearch requests caused by double-slash URLs (#1977) The elasticsearch-ruby transport constructs URLs that can produce "host:port//" in two scenarios: 1. When the parsed host path is "/" or "" (truthy in Ruby), combined with the "/" prefix before the API path 2. When the API path itself starts with "/" (e.g. NewRelic's cluster name check calls perform_request('GET', '/')) Adds a Rails initializer that monkey-patches three methods in the transport to normalize host paths and prevent double slashes in request URLs. Co-authored-by: Luis Metzger <luismetzger@me.com> * SRCH-6331 Improve UX for the inactive affiliate message in the Admin Center (#1961) * Remove old inactive affiliate banner. * Add a banner below the Display Name banner. NEEDS TO BE IMPROVED. * Improve UX for inactive affiliate message in Admin Center. - Updated variables to have an inactive value and an active value. - Updated views to add the inactive class to change the height. - Updated the inactive banner * Add inactive class to the site nav * Add USWDS styling and improve overall banner. * Add USWDS Warning icon. * Adding the Warning icon before the banner text. Needs to be fixed. Position is not right. * Adjust height. * Improve inactive affiliate banner styles and update tests for accurate selector usage * Update test. * Update inactive site header. * Bump Node.js from 20.10.0 to 20.20.0 for January 2026 security release (#1978) Addresses CVE-2025-55130, CVE-2025-55131, CVE-2025-55132, CVE-2025-59465, CVE-2025-59466. Co-authored-by: Luis Metzger <luismetzger@me.com> Co-authored-by: Yaritza M. Garcia Chaparro <yaritza.garcia@gsa.gov> * Verify index template parity between SearchElastic::Template and i14y Documents (#1982) * Add specs to verify index template parity between search-gov and i14y Compares SearchElastic::Template against the i14y Documents template to confirm our template can safely serve queries against migrated Elasticsearch data in the new OpenSearch index. - template_spec: validates body structure, all field mappings, analyzers, tokenizers, and dynamic templates - template_parity_spec: loads i14y fixture and asserts search-gov is a superset (fields, analyzers, stemmers, dynamic templates) - index_create_spec: covers create/update flows with mocked client - i14y fixture: point-in-time snapshot of Documents.new.body Made-with: Cursor * Fix Cucumber search_elastic test by refreshing index after indexing The test was racing ahead before Elasticsearch made the document searchable. Adding an explicit refresh call ensures the document is available immediately. Made-with: Cursor --------- Co-authored-by: Luis Metzger <luismetzger@me.com> * SRCH-6424 Create the LegacyOpensearch search engine (#1983) * - Update SEARCH_ENGINES and VALID_SEARCH_ENGINES - Add LEGACY_OPENSEARCH_INDEX - Add engine * Add LegacyOpenSearch support in SearchesController, implement ApiEngine and tests. * Add spec for searches_controller * Fix case in LegacyOpenSearch constant * - Update environment variables - Fix constant naming for LegacyOpenSearch - Fix duplication in engine_spec.rb - Added mossing spaces and missing pragma. * Add LegacyOpenSearch indexer and rake task for index creation (#1985) * SRCH-6433: Add Achtung icon to Inactive Affiliate banner (#1987) * Fix the warning icon URL. * Delete commented code. --------- Co-authored-by: amian-fearless <amian@fearless.com> Co-authored-by: Luis Metzger <148913056+luisgmetzger@users.noreply.github.com> Co-authored-by: Luis Metzger <luismetzger@me.com> Co-authored-by: Yaritza M. Garcia Chaparro <yaritza.garcia@gsa.gov>
YaritzaGarcia
added a commit
that referenced
this pull request
Mar 19, 2026
* Change the default search engine to OpenSearch. * Srch 6338 ubuntu upgrade artifact deploy azhar (#1990) * SRCH-6338 Triggering build. * SRCH-6338 Triggering build. * fix(deploy): add ApplicationStop hook to clean up Capistrano repo directory - Add cleanup_deployment.sh script to remove /home/search/searchgov/repo - Update appspec.yml to include ApplicationStop lifecycle hook - Prevents CodeDeploy failure caused by existing non-empty repo directory from Capistrano - Resolves conflict between Capistrano and CodeDeploy deployment methods * SRCH-6338 Fixed the issue of existing cached repo folder. * fix(deploy): clean up Git state instead of removing repo directory - Update cleanup_deployment.sh to clean Git locks and stale refs - Prevents 'cannot lock ref' errors during Capistrano deployment - Preserves repo directory while resetting Git state to clean condition - Removes .lock files, packed-refs, and prunes stale remote branches * fix(deploy): add dual-layer protection against repo directory conflicts Option A: Pre-build cleanup - Add SSH-based cleanup in buildspec pre_build phase - Remove repo directories on all target servers before Capistrano runs - Prevents 'already exists and is not an empty directory' errors Option B: Capistrano configuration improvements - Enable git_shallow_clone for faster, lighter clones - Set git_keep_meta to false to reduce repo bloat - Improves Capistrano's handling of existing repositories This combination ensures repo cleanup happens at the right time (before Capistrano) and configures Capistrano to handle repos more efficiently. * fix(deploy): remove git_shallow_clone setting causing shallow file errors - Remove git_shallow_clone and git_keep_meta from deploy.rb - These settings caused 'fatal: shallow file has changed since we read it' errors - Keep only the pre-build cleanup in buildspec which is the primary fix - Pre-build cleanup (Option A) is sufficient to resolve repo directory conflicts * fix(deploy): clean Git refs instead of removing repo directory - Update buildspec pre_build to clean Git state rather than delete directory - Remove all Git lock files, packed-refs, and branch refs - Prevents 'cannot lock ref' errors caused by stale Git references - Preserves repo directory structure while resetting Git state - Addresses concurrent deployment scenarios (e.g., Ansible pipeline) This approach prevents conflicts when multiple deployment processes (buildspec, Ansible, etc.) interact with the same repo directory. * fix(deploy): use aggressive repo directory removal to prevent ref locking - Completely remove /home/search/searchgov/repo directory before Capistrano - Add chmod -R u+w to handle any permission issues before removal - Ensures fresh clone without any Git state conflicts - Previous approaches (ref cleanup, Git state cleanup) insufficient for race conditions This is the most reliable approach to prevent 'cannot lock ref' errors when multiple deployments or processes interact with the same repo. * fix(deploy): clean repo on ALL server groups (APP, CRON, RESQUE) Critical fix: Previous cleanup only targeted APP_SERVER_ADDRESSES, but Capistrano deploys to multiple server groups in parallel (app, cron, resque servers). Changes: - Combine APP_SERVER_ADDRESSES, CRON_SERVER_ADDRESSES, RESQUE_SERVER_ADDRESSES - Use jq to create unique list of all target servers - Clean repo directory on every server before Capistrano starts - Prevents ref locking errors caused by inconsistent Git state across server groups This resolves the persistent 'cannot lock ref' errors by ensuring ALL servers have clean Git state before parallel deployment begins. * debug(deploy): add comprehensive logging to pre-build cleanup Added detailed logging to diagnose why repo cleanup isn't preventing ref locking: Logging includes: - All environment variables (server addresses, paths) - Complete server list with count - Per-server SSH connection details (verbose) - Directory existence checks and contents - Step-by-step cleanup process - Success/failure tracking with exit codes - Summary statistics (successful vs failed cleanups) This will help identify: 1. If SSH connections are reaching all servers 2. If repo directories are being found 3. If removal is actually succeeding 4. Which specific servers might be failing 5. Any permission or timing issues Next step: Run pipeline and review pre_build logs to see what's happening. * SRCH-6338 Removed the cleanup and added flock based lock instead to avoid race conditions. * SRCH-6338 Added deployment level lock to capistrano. * SRCH-6338 Added deployment level lock to capistrano. * SRCH-6338 Added deployment level lock to capistrano. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Using code deploy based deployment. * SRCH-6338 Using code deploy based deployment. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Added pem file content to dev env. * SRCH-6338 Removed KMS related logic. * SRCH-6338 Removed KMS related logic. * SRCH-6338 Added missing compilation step. * SRCH-6338 Added missing compilation steps from dockerfile. * SRCH-6338 Added missing compilation steps from dockerfile. * SRCH-6338 Added missing compilation steps from dockerfile. * SRCH-6338 Made changes to set vars and fix precompile issues. * SRCH-6338 Made changes to set vars and fix precompile issues. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Added setting to resolve 403 error. * SRCH-6338 Updated documentation. * SRCH-6338 Added .idea to .gitignore * Fix extra invalid OpenSearch requests caused by double-slash URLs (#1977) The elasticsearch-ruby transport constructs URLs that can produce "host:port//" in two scenarios: 1. When the parsed host path is "/" or "" (truthy in Ruby), combined with the "/" prefix before the API path 2. When the API path itself starts with "/" (e.g. NewRelic's cluster name check calls perform_request('GET', '/')) Adds a Rails initializer that monkey-patches three methods in the transport to normalize host paths and prevent double slashes in request URLs. Co-authored-by: Luis Metzger <luismetzger@me.com> * SRCH-6331 Improve UX for the inactive affiliate message in the Admin Center (#1961) * Remove old inactive affiliate banner. * Add a banner below the Display Name banner. NEEDS TO BE IMPROVED. * Improve UX for inactive affiliate message in Admin Center. - Updated variables to have an inactive value and an active value. - Updated views to add the inactive class to change the height. - Updated the inactive banner * Add inactive class to the site nav * Add USWDS styling and improve overall banner. * Add USWDS Warning icon. * Adding the Warning icon before the banner text. Needs to be fixed. Position is not right. * Adjust height. * Improve inactive affiliate banner styles and update tests for accurate selector usage * Update test. * Update inactive site header. * Bump Node.js from 20.10.0 to 20.20.0 for January 2026 security release (#1978) Addresses CVE-2025-55130, CVE-2025-55131, CVE-2025-55132, CVE-2025-59465, CVE-2025-59466. Co-authored-by: Luis Metzger <luismetzger@me.com> Co-authored-by: Yaritza M. Garcia Chaparro <yaritza.garcia@gsa.gov> * Verify index template parity between SearchElastic::Template and i14y Documents (#1982) * Add specs to verify index template parity between search-gov and i14y Compares SearchElastic::Template against the i14y Documents template to confirm our template can safely serve queries against migrated Elasticsearch data in the new OpenSearch index. - template_spec: validates body structure, all field mappings, analyzers, tokenizers, and dynamic templates - template_parity_spec: loads i14y fixture and asserts search-gov is a superset (fields, analyzers, stemmers, dynamic templates) - index_create_spec: covers create/update flows with mocked client - i14y fixture: point-in-time snapshot of Documents.new.body Made-with: Cursor * Fix Cucumber search_elastic test by refreshing index after indexing The test was racing ahead before Elasticsearch made the document searchable. Adding an explicit refresh call ensures the document is available immediately. Made-with: Cursor --------- Co-authored-by: Luis Metzger <luismetzger@me.com> * SRCH-6424 Create the LegacyOpensearch search engine (#1983) * - Update SEARCH_ENGINES and VALID_SEARCH_ENGINES - Add LEGACY_OPENSEARCH_INDEX - Add engine * Add LegacyOpenSearch support in SearchesController, implement ApiEngine and tests. * Add spec for searches_controller * Fix case in LegacyOpenSearch constant * - Update environment variables - Fix constant naming for LegacyOpenSearch - Fix duplication in engine_spec.rb - Added mossing spaces and missing pragma. * Add LegacyOpenSearch indexer and rake task for index creation (#1985) * SRCH-6433: Add Achtung icon to Inactive Affiliate banner (#1987) * Fix the warning icon URL. * Delete commented code. --------- Co-authored-by: amian-fearless <amian@fearless.com> Co-authored-by: Luis Metzger <148913056+luisgmetzger@users.noreply.github.com> Co-authored-by: Luis Metzger <luismetzger@me.com> Co-authored-by: Yaritza M. Garcia Chaparro <yaritza.garcia@gsa.gov> * Update Spec test. * Fix cucumber test. * Revert "Srch 6338 ubuntu upgrade artifact deploy azhar (#1990)" This reverts commit 4acf0bf. --------- Co-authored-by: Azhar Mian <166759132+amian-gsa@users.noreply.github.com> Co-authored-by: amian-fearless <amian@fearless.com> Co-authored-by: Luis Metzger <148913056+luisgmetzger@users.noreply.github.com> Co-authored-by: Luis Metzger <luismetzger@me.com>
luisgmetzger
added a commit
that referenced
this pull request
Mar 20, 2026
* SRCH-6442 Change the default search engine to OpenSearch (#1991) * Change the default search engine to OpenSearch. * Srch 6338 ubuntu upgrade artifact deploy azhar (#1990) * SRCH-6338 Triggering build. * SRCH-6338 Triggering build. * fix(deploy): add ApplicationStop hook to clean up Capistrano repo directory - Add cleanup_deployment.sh script to remove /home/search/searchgov/repo - Update appspec.yml to include ApplicationStop lifecycle hook - Prevents CodeDeploy failure caused by existing non-empty repo directory from Capistrano - Resolves conflict between Capistrano and CodeDeploy deployment methods * SRCH-6338 Fixed the issue of existing cached repo folder. * fix(deploy): clean up Git state instead of removing repo directory - Update cleanup_deployment.sh to clean Git locks and stale refs - Prevents 'cannot lock ref' errors during Capistrano deployment - Preserves repo directory while resetting Git state to clean condition - Removes .lock files, packed-refs, and prunes stale remote branches * fix(deploy): add dual-layer protection against repo directory conflicts Option A: Pre-build cleanup - Add SSH-based cleanup in buildspec pre_build phase - Remove repo directories on all target servers before Capistrano runs - Prevents 'already exists and is not an empty directory' errors Option B: Capistrano configuration improvements - Enable git_shallow_clone for faster, lighter clones - Set git_keep_meta to false to reduce repo bloat - Improves Capistrano's handling of existing repositories This combination ensures repo cleanup happens at the right time (before Capistrano) and configures Capistrano to handle repos more efficiently. * fix(deploy): remove git_shallow_clone setting causing shallow file errors - Remove git_shallow_clone and git_keep_meta from deploy.rb - These settings caused 'fatal: shallow file has changed since we read it' errors - Keep only the pre-build cleanup in buildspec which is the primary fix - Pre-build cleanup (Option A) is sufficient to resolve repo directory conflicts * fix(deploy): clean Git refs instead of removing repo directory - Update buildspec pre_build to clean Git state rather than delete directory - Remove all Git lock files, packed-refs, and branch refs - Prevents 'cannot lock ref' errors caused by stale Git references - Preserves repo directory structure while resetting Git state - Addresses concurrent deployment scenarios (e.g., Ansible pipeline) This approach prevents conflicts when multiple deployment processes (buildspec, Ansible, etc.) interact with the same repo directory. * fix(deploy): use aggressive repo directory removal to prevent ref locking - Completely remove /home/search/searchgov/repo directory before Capistrano - Add chmod -R u+w to handle any permission issues before removal - Ensures fresh clone without any Git state conflicts - Previous approaches (ref cleanup, Git state cleanup) insufficient for race conditions This is the most reliable approach to prevent 'cannot lock ref' errors when multiple deployments or processes interact with the same repo. * fix(deploy): clean repo on ALL server groups (APP, CRON, RESQUE) Critical fix: Previous cleanup only targeted APP_SERVER_ADDRESSES, but Capistrano deploys to multiple server groups in parallel (app, cron, resque servers). Changes: - Combine APP_SERVER_ADDRESSES, CRON_SERVER_ADDRESSES, RESQUE_SERVER_ADDRESSES - Use jq to create unique list of all target servers - Clean repo directory on every server before Capistrano starts - Prevents ref locking errors caused by inconsistent Git state across server groups This resolves the persistent 'cannot lock ref' errors by ensuring ALL servers have clean Git state before parallel deployment begins. * debug(deploy): add comprehensive logging to pre-build cleanup Added detailed logging to diagnose why repo cleanup isn't preventing ref locking: Logging includes: - All environment variables (server addresses, paths) - Complete server list with count - Per-server SSH connection details (verbose) - Directory existence checks and contents - Step-by-step cleanup process - Success/failure tracking with exit codes - Summary statistics (successful vs failed cleanups) This will help identify: 1. If SSH connections are reaching all servers 2. If repo directories are being found 3. If removal is actually succeeding 4. Which specific servers might be failing 5. Any permission or timing issues Next step: Run pipeline and review pre_build logs to see what's happening. * SRCH-6338 Removed the cleanup and added flock based lock instead to avoid race conditions. * SRCH-6338 Added deployment level lock to capistrano. * SRCH-6338 Added deployment level lock to capistrano. * SRCH-6338 Added deployment level lock to capistrano. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Using code deploy based deployment. * SRCH-6338 Using code deploy based deployment. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Added pem file content to dev env. * SRCH-6338 Removed KMS related logic. * SRCH-6338 Removed KMS related logic. * SRCH-6338 Added missing compilation step. * SRCH-6338 Added missing compilation steps from dockerfile. * SRCH-6338 Added missing compilation steps from dockerfile. * SRCH-6338 Added missing compilation steps from dockerfile. * SRCH-6338 Made changes to set vars and fix precompile issues. * SRCH-6338 Made changes to set vars and fix precompile issues. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Added setting to resolve 403 error. * SRCH-6338 Updated documentation. * SRCH-6338 Added .idea to .gitignore * Fix extra invalid OpenSearch requests caused by double-slash URLs (#1977) The elasticsearch-ruby transport constructs URLs that can produce "host:port//" in two scenarios: 1. When the parsed host path is "/" or "" (truthy in Ruby), combined with the "/" prefix before the API path 2. When the API path itself starts with "/" (e.g. NewRelic's cluster name check calls perform_request('GET', '/')) Adds a Rails initializer that monkey-patches three methods in the transport to normalize host paths and prevent double slashes in request URLs. Co-authored-by: Luis Metzger <luismetzger@me.com> * SRCH-6331 Improve UX for the inactive affiliate message in the Admin Center (#1961) * Remove old inactive affiliate banner. * Add a banner below the Display Name banner. NEEDS TO BE IMPROVED. * Improve UX for inactive affiliate message in Admin Center. - Updated variables to have an inactive value and an active value. - Updated views to add the inactive class to change the height. - Updated the inactive banner * Add inactive class to the site nav * Add USWDS styling and improve overall banner. * Add USWDS Warning icon. * Adding the Warning icon before the banner text. Needs to be fixed. Position is not right. * Adjust height. * Improve inactive affiliate banner styles and update tests for accurate selector usage * Update test. * Update inactive site header. * Bump Node.js from 20.10.0 to 20.20.0 for January 2026 security release (#1978) Addresses CVE-2025-55130, CVE-2025-55131, CVE-2025-55132, CVE-2025-59465, CVE-2025-59466. Co-authored-by: Luis Metzger <luismetzger@me.com> Co-authored-by: Yaritza M. Garcia Chaparro <yaritza.garcia@gsa.gov> * Verify index template parity between SearchElastic::Template and i14y Documents (#1982) * Add specs to verify index template parity between search-gov and i14y Compares SearchElastic::Template against the i14y Documents template to confirm our template can safely serve queries against migrated Elasticsearch data in the new OpenSearch index. - template_spec: validates body structure, all field mappings, analyzers, tokenizers, and dynamic templates - template_parity_spec: loads i14y fixture and asserts search-gov is a superset (fields, analyzers, stemmers, dynamic templates) - index_create_spec: covers create/update flows with mocked client - i14y fixture: point-in-time snapshot of Documents.new.body Made-with: Cursor * Fix Cucumber search_elastic test by refreshing index after indexing The test was racing ahead before Elasticsearch made the document searchable. Adding an explicit refresh call ensures the document is available immediately. Made-with: Cursor --------- Co-authored-by: Luis Metzger <luismetzger@me.com> * SRCH-6424 Create the LegacyOpensearch search engine (#1983) * - Update SEARCH_ENGINES and VALID_SEARCH_ENGINES - Add LEGACY_OPENSEARCH_INDEX - Add engine * Add LegacyOpenSearch support in SearchesController, implement ApiEngine and tests. * Add spec for searches_controller * Fix case in LegacyOpenSearch constant * - Update environment variables - Fix constant naming for LegacyOpenSearch - Fix duplication in engine_spec.rb - Added mossing spaces and missing pragma. * Add LegacyOpenSearch indexer and rake task for index creation (#1985) * SRCH-6433: Add Achtung icon to Inactive Affiliate banner (#1987) * Fix the warning icon URL. * Delete commented code. --------- Co-authored-by: amian-fearless <amian@fearless.com> Co-authored-by: Luis Metzger <148913056+luisgmetzger@users.noreply.github.com> Co-authored-by: Luis Metzger <luismetzger@me.com> Co-authored-by: Yaritza M. Garcia Chaparro <yaritza.garcia@gsa.gov> * Update Spec test. * Fix cucumber test. * Revert "Srch 6338 ubuntu upgrade artifact deploy azhar (#1990)" This reverts commit 4acf0bf. --------- Co-authored-by: Azhar Mian <166759132+amian-gsa@users.noreply.github.com> Co-authored-by: amian-fearless <amian@fearless.com> Co-authored-by: Luis Metzger <148913056+luisgmetzger@users.noreply.github.com> Co-authored-by: Luis Metzger <luismetzger@me.com> * SRCH-6448: Port i14y Serde serialize_hash into search-gov (#1993) * SRCH-6448: Port i14y Serde serialize_hash into search-gov Add String#extract_array to make Serde.serialize_hash functional in search-gov. The Serde module was already copied from i14y but the serialize path was never wired up because indexing went through the i14y HTTP API. The only missing piece was the extract_array String extension used by serialize_array_fields. Add comprehensive spec coverage for serialize_hash, deserialize_hash, and uri_params_hash including edge cases for multiple languages, HTML sanitization, missing fields, and various URL formats. Made-with: Cursor * Fix extract_array specs to match Ruby split behavior Ruby's String#split(',') returns [] for an empty string and drops trailing empty elements, so the expectations were wrong. Made-with: Cursor --------- Co-authored-by: Luis Metzger <luismetzger@me.com> * SRCH-6449: Build OpenSearch document indexing service (#1994) * SRCH-6448: Port i14y Serde serialize_hash into search-gov Add String#extract_array to make Serde.serialize_hash functional in search-gov. The Serde module was already copied from i14y but the serialize path was never wired up because indexing went through the i14y HTTP API. The only missing piece was the extract_array String extension used by serialize_array_fields. Add comprehensive spec coverage for serialize_hash, deserialize_hash, and uri_params_hash including edge cases for multiple languages, HTML sanitization, missing fields, and various URL formats. Made-with: Cursor * SRCH-6449: Build OpenSearch document indexing service Add LegacyOpenSearch::DocumentIndexer that writes documents directly to OpenSearch, bypassing the i14y HTTP API. This is the second step toward retiring Elasticsearch and the i14y application. The service accepts the same params shape as SearchgovUrl#i14y_params, runs Serde.serialize_hash for field transformations (language-suffix renaming, HTML sanitization, array conversion, URI extraction), then indexes directly via OPENSEARCH_CLIENT. Key design decisions: - Uses client.index() as an upsert instead of separate create/update - Wraps params in HashWithIndifferentAccess to match i14y's behavior - Injects created_at default to replicate i14y Document model - Accepts handle: kwarg on delete for backward compatibility Made-with: Cursor * Fix extract_array specs to match Ruby split behavior Ruby's String#split(',') returns [] for an empty string and drops trailing empty elements, so the expectations were wrong. Made-with: Cursor --------- Co-authored-by: Luis Metzger <luismetzger@me.com> * SRCH-6450: Update SearchgovUrl to index directly to OpenSearch (#1995) * SRCH-6448: Port i14y Serde serialize_hash into search-gov Add String#extract_array to make Serde.serialize_hash functional in search-gov. The Serde module was already copied from i14y but the serialize path was never wired up because indexing went through the i14y HTTP API. The only missing piece was the extract_array String extension used by serialize_array_fields. Add comprehensive spec coverage for serialize_hash, deserialize_hash, and uri_params_hash including edge cases for multiple languages, HTML sanitization, missing fields, and various URL formats. Made-with: Cursor * SRCH-6449: Build OpenSearch document indexing service Add LegacyOpenSearch::DocumentIndexer that writes documents directly to OpenSearch, bypassing the i14y HTTP API. This is the second step toward retiring Elasticsearch and the i14y application. The service accepts the same params shape as SearchgovUrl#i14y_params, runs Serde.serialize_hash for field transformations (language-suffix renaming, HTML sanitization, array conversion, URI extraction), then indexes directly via OPENSEARCH_CLIENT. Key design decisions: - Uses client.index() as an upsert instead of separate create/update - Wraps params in HashWithIndifferentAccess to match i14y's behavior - Injects created_at default to replicate i14y Document model - Accepts handle: kwarg on delete for backward compatibility Made-with: Cursor * Fix extract_array specs to match Ruby split behavior Ruby's String#split(',') returns [] for an empty string and drops trailing empty elements, so the expectations were wrong. Made-with: Cursor * SRCH-6450: Update SearchgovUrl to index directly to OpenSearch Replace I14yDocument calls with LegacyOpenSearch::DocumentIndexer so the crawler writes directly to OpenSearch, bypassing the broken i14y HTTP API. index_document: the indexed? ternary (create vs update) is replaced by a single DocumentIndexer.index upsert call. OpenSearch overwrites by document ID, so the distinction is unnecessary. delete_document: swaps I14yDocument.delete for DocumentIndexer.delete. The new service already handles NotFound gracefully. Specs updated to use the new service (~25 mock replacements) plus new coverage for DocumentIndexerError handling, upsert behavior, params shape contract, and silent NotFound on delete. Made-with: Cursor * Fix searchgov:promote spec to expect DocumentIndexer.index The promote rake task calls searchgov_url.fetch, which now goes through LegacyOpenSearch::DocumentIndexer.index instead of I14yDocument.create. Made-with: Cursor --------- Co-authored-by: Luis Metzger <luismetzger@me.com> --------- Co-authored-by: Yaritza M. Garcia Chaparro <yaritza.garcia@gsa.gov> Co-authored-by: Azhar Mian <166759132+amian-gsa@users.noreply.github.com> Co-authored-by: amian-fearless <amian@fearless.com> Co-authored-by: Luis Metzger <148913056+luisgmetzger@users.noreply.github.com> Co-authored-by: Luis Metzger <luismetzger@me.com>
YaritzaGarcia
added a commit
that referenced
this pull request
Mar 26, 2026
* Refactor sub-nav-heading class for inactive sites - Updated the sub-nav-heading class to conditionally apply "--is-inactive" based on the active status of the site across multiple views, enhancing the user interface by visually indicating inactive sites. * Srch 6338 ubuntu upgrade artifact deploy azhar (#1990) * SRCH-6338 Triggering build. * SRCH-6338 Triggering build. * fix(deploy): add ApplicationStop hook to clean up Capistrano repo directory - Add cleanup_deployment.sh script to remove /home/search/searchgov/repo - Update appspec.yml to include ApplicationStop lifecycle hook - Prevents CodeDeploy failure caused by existing non-empty repo directory from Capistrano - Resolves conflict between Capistrano and CodeDeploy deployment methods * SRCH-6338 Fixed the issue of existing cached repo folder. * fix(deploy): clean up Git state instead of removing repo directory - Update cleanup_deployment.sh to clean Git locks and stale refs - Prevents 'cannot lock ref' errors during Capistrano deployment - Preserves repo directory while resetting Git state to clean condition - Removes .lock files, packed-refs, and prunes stale remote branches * fix(deploy): add dual-layer protection against repo directory conflicts Option A: Pre-build cleanup - Add SSH-based cleanup in buildspec pre_build phase - Remove repo directories on all target servers before Capistrano runs - Prevents 'already exists and is not an empty directory' errors Option B: Capistrano configuration improvements - Enable git_shallow_clone for faster, lighter clones - Set git_keep_meta to false to reduce repo bloat - Improves Capistrano's handling of existing repositories This combination ensures repo cleanup happens at the right time (before Capistrano) and configures Capistrano to handle repos more efficiently. * fix(deploy): remove git_shallow_clone setting causing shallow file errors - Remove git_shallow_clone and git_keep_meta from deploy.rb - These settings caused 'fatal: shallow file has changed since we read it' errors - Keep only the pre-build cleanup in buildspec which is the primary fix - Pre-build cleanup (Option A) is sufficient to resolve repo directory conflicts * fix(deploy): clean Git refs instead of removing repo directory - Update buildspec pre_build to clean Git state rather than delete directory - Remove all Git lock files, packed-refs, and branch refs - Prevents 'cannot lock ref' errors caused by stale Git references - Preserves repo directory structure while resetting Git state - Addresses concurrent deployment scenarios (e.g., Ansible pipeline) This approach prevents conflicts when multiple deployment processes (buildspec, Ansible, etc.) interact with the same repo directory. * fix(deploy): use aggressive repo directory removal to prevent ref locking - Completely remove /home/search/searchgov/repo directory before Capistrano - Add chmod -R u+w to handle any permission issues before removal - Ensures fresh clone without any Git state conflicts - Previous approaches (ref cleanup, Git state cleanup) insufficient for race conditions This is the most reliable approach to prevent 'cannot lock ref' errors when multiple deployments or processes interact with the same repo. * fix(deploy): clean repo on ALL server groups (APP, CRON, RESQUE) Critical fix: Previous cleanup only targeted APP_SERVER_ADDRESSES, but Capistrano deploys to multiple server groups in parallel (app, cron, resque servers). Changes: - Combine APP_SERVER_ADDRESSES, CRON_SERVER_ADDRESSES, RESQUE_SERVER_ADDRESSES - Use jq to create unique list of all target servers - Clean repo directory on every server before Capistrano starts - Prevents ref locking errors caused by inconsistent Git state across server groups This resolves the persistent 'cannot lock ref' errors by ensuring ALL servers have clean Git state before parallel deployment begins. * debug(deploy): add comprehensive logging to pre-build cleanup Added detailed logging to diagnose why repo cleanup isn't preventing ref locking: Logging includes: - All environment variables (server addresses, paths) - Complete server list with count - Per-server SSH connection details (verbose) - Directory existence checks and contents - Step-by-step cleanup process - Success/failure tracking with exit codes - Summary statistics (successful vs failed cleanups) This will help identify: 1. If SSH connections are reaching all servers 2. If repo directories are being found 3. If removal is actually succeeding 4. Which specific servers might be failing 5. Any permission or timing issues Next step: Run pipeline and review pre_build logs to see what's happening. * SRCH-6338 Removed the cleanup and added flock based lock instead to avoid race conditions. * SRCH-6338 Added deployment level lock to capistrano. * SRCH-6338 Added deployment level lock to capistrano. * SRCH-6338 Added deployment level lock to capistrano. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Fixed syntax error issue. * SRCH-6338 Using code deploy based deployment. * SRCH-6338 Using code deploy based deployment. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Fixed error getting at BeforeInstall hook. * SRCH-6338 Added pem file content to dev env. * SRCH-6338 Removed KMS related logic. * SRCH-6338 Removed KMS related logic. * SRCH-6338 Added missing compilation step. * SRCH-6338 Added missing compilation steps from dockerfile. * SRCH-6338 Added missing compilation steps from dockerfile. * SRCH-6338 Added missing compilation steps from dockerfile. * SRCH-6338 Made changes to set vars and fix precompile issues. * SRCH-6338 Made changes to set vars and fix precompile issues. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed buildsepec errors and refactored other scripts to remove unnecessary processes to save time. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Fixed missing assets issue. * SRCH-6338 Added setting to resolve 403 error. * SRCH-6338 Updated documentation. * SRCH-6338 Added .idea to .gitignore * Fix extra invalid OpenSearch requests caused by double-slash URLs (#1977) The elasticsearch-ruby transport constructs URLs that can produce "host:port//" in two scenarios: 1. When the parsed host path is "/" or "" (truthy in Ruby), combined with the "/" prefix before the API path 2. When the API path itself starts with "/" (e.g. NewRelic's cluster name check calls perform_request('GET', '/')) Adds a Rails initializer that monkey-patches three methods in the transport to normalize host paths and prevent double slashes in request URLs. Co-authored-by: Luis Metzger <luismetzger@me.com> * SRCH-6331 Improve UX for the inactive affiliate message in the Admin Center (#1961) * Remove old inactive affiliate banner. * Add a banner below the Display Name banner. NEEDS TO BE IMPROVED. * Improve UX for inactive affiliate message in Admin Center. - Updated variables to have an inactive value and an active value. - Updated views to add the inactive class to change the height. - Updated the inactive banner * Add inactive class to the site nav * Add USWDS styling and improve overall banner. * Add USWDS Warning icon. * Adding the Warning icon before the banner text. Needs to be fixed. Position is not right. * Adjust height. * Improve inactive affiliate banner styles and update tests for accurate selector usage * Update test. * Update inactive site header. * Bump Node.js from 20.10.0 to 20.20.0 for January 2026 security release (#1978) Addresses CVE-2025-55130, CVE-2025-55131, CVE-2025-55132, CVE-2025-59465, CVE-2025-59466. Co-authored-by: Luis Metzger <luismetzger@me.com> Co-authored-by: Yaritza M. Garcia Chaparro <yaritza.garcia@gsa.gov> * Verify index template parity between SearchElastic::Template and i14y Documents (#1982) * Add specs to verify index template parity between search-gov and i14y Compares SearchElastic::Template against the i14y Documents template to confirm our template can safely serve queries against migrated Elasticsearch data in the new OpenSearch index. - template_spec: validates body structure, all field mappings, analyzers, tokenizers, and dynamic templates - template_parity_spec: loads i14y fixture and asserts search-gov is a superset (fields, analyzers, stemmers, dynamic templates) - index_create_spec: covers create/update flows with mocked client - i14y fixture: point-in-time snapshot of Documents.new.body Made-with: Cursor * Fix Cucumber search_elastic test by refreshing index after indexing The test was racing ahead before Elasticsearch made the document searchable. Adding an explicit refresh call ensures the document is available immediately. Made-with: Cursor --------- Co-authored-by: Luis Metzger <luismetzger@me.com> * SRCH-6424 Create the LegacyOpensearch search engine (#1983) * - Update SEARCH_ENGINES and VALID_SEARCH_ENGINES - Add LEGACY_OPENSEARCH_INDEX - Add engine * Add LegacyOpenSearch support in SearchesController, implement ApiEngine and tests. * Add spec for searches_controller * Fix case in LegacyOpenSearch constant * - Update environment variables - Fix constant naming for LegacyOpenSearch - Fix duplication in engine_spec.rb - Added mossing spaces and missing pragma. * Add LegacyOpenSearch indexer and rake task for index creation (#1985) * SRCH-6433: Add Achtung icon to Inactive Affiliate banner (#1987) * Fix the warning icon URL. * Delete commented code. --------- Co-authored-by: amian-fearless <amian@fearless.com> Co-authored-by: Luis Metzger <148913056+luisgmetzger@users.noreply.github.com> Co-authored-by: Luis Metzger <luismetzger@me.com> Co-authored-by: Yaritza M. Garcia Chaparro <yaritza.garcia@gsa.gov> * Revert "Srch 6338 ubuntu upgrade artifact deploy azhar (#1990)" This reverts commit 4acf0bf. --------- Co-authored-by: Azhar Mian <166759132+amian-gsa@users.noreply.github.com> Co-authored-by: amian-fearless <amian@fearless.com> Co-authored-by: Luis Metzger <148913056+luisgmetzger@users.noreply.github.com> Co-authored-by: Luis Metzger <luismetzger@me.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Updates Node.js from 20.10.0 to 20.20.0 across all build and CI configs (Dockerfile, Dockerfile.dev, CircleCI, package.json, .nvmrc). This is the January 13, 2026 security release for the 20.x LTS line, addressing multiple CVEs including an HTTP/2 DoS crash, a buffer memory leak, and permission model bypasses.
Changes
NODE_VERSION20.10.0 -> 20.20.0NODE_VERSION20.10.0 -> 20.20.0Notes
This only covers the Docker/CI side. The crawl servers (EC2 instances) need their AMI rebuilt or Ansible playbook re-run separately to pick up 20.20.0 from NodeSource.