v1.0.0+node24.13.1 — Initial Release

@Amnoor Amnoor released this 18 Mar 13:11
· 82 commits to main since this release
Immutable release. Only release title and notes can be modified.
087e8be

Runtime Node v1.0.0+node24.13.1

Secure, Distroless, Multi-Arch Node.js Runtime. Built from Scratch.

This is the first release of Runtime Node. It ships a production-grade distroless Node.js runtime image assembled from node:24.13.1-alpine3.23 into a FROM scratch base, with NODE_ENV=production and TZ=UTC baked in, zero known vulnerabilities, and multi-arch support for linux/amd64 and linux/arm64.


Pull the Image

# Docker Hub — versioned (recommended for production)
docker pull runtimenode/runtime-node:v1.0.0+node24.13.1

# Docker Hub — latest
docker pull runtimenode/runtime-node:latest

# GitHub Container Registry — versioned (recommended for production)
docker pull ghcr.io/runtimes-node/runtime-node:v1.0.0+node24.13.1

# GitHub Container Registry — latest
docker pull ghcr.io/runtimes-node/runtime-node:latest

What's Included

| Component | Detail |
|---|---|
| Base | FROM scratch — no OS, no shell |
| Node.js Version | 24.13.1 (from node:24.13.1-alpine3.23) |
| NODE_ENV | production (baked in) |
| TZ | UTC (baked in) |
| Timezone Database | IANA tzdata (/usr/share/zoneinfo) |
| CA Certificates | Included (/etc/ssl/certs/) |
| DNS Resolution | nsswitch.conf included |
| Runtime Libraries | ld-musl, libstdc++, libgcc_s |
| /tmp | Writable, sticky-bit 1777 |
| Shell | None |
| Package Manager | None |
| Vulnerabilities | 0 known |
| Architectures | linux/amd64, linux/arm64 |
| Provenance & SBOM | Attached to this release |

What's New

This is the initial release. Everything below is new.

  • Introduced a two-stage Dockerfile with a builder stage based on node:24.13.1-alpine3.23 and a runtime stage based on FROM scratch.
  • Added script.sh — a hardened shell installer that reads pinned package names from dependencies/requirements.txt and installs them via apk add --no-cache in the builder stage, with validation for root privileges and file existence.
  • Added dependencies/requirements.txt pinning tzdata and ca-certificates as the only Alpine packages installed in the builder stage.
  • Set ENV NODE_ENV=production and ENV TZ=UTC in the runtime stage, baking both defaults into the image at build time.
  • Copied /tmp with explicit --chmod=1777 sticky-bit permissions, /etc/nsswitch.conf for DNS resolution, /usr/share/zoneinfo for timezone data, /etc/ssl/certs/ca-certificates.crt and /etc/ssl/cert.pem for TLS, ld-musl-*.so.1, libstdc++.so.6, and libgcc_s.so.1 for runtime library support, and /usr/local/bin/node as the sole executable — all with --chmod=555.
  • Added .github/workflows/deployment.yml — publishes multi-arch images to Docker Hub and GHCR on v* tag pushes with provenance attestations and an SBOM attached. Supports manual promotion of any published versioned tag to a floating tag (e.g. latest) via workflow_dispatch, with pre-promotion validation checks against both registries.
  • Added .github/workflows/pr-tests.yml — lints the Dockerfile with Hadolint on every PR targeting main, develop*, or maintenance/v*, then builds and runs five integrity tests per platform (linux/amd64 and linux/arm64): Node.js smoke test (node --version), no shell present, no package manager present, NODE_ENV is production, and TZ is UTC.
  • Added .github/dependabot.yml — configures Dependabot to monitor the Dockerfile for Docker base image updates targeting the develop branch.
  • Added .github/PULL_REQUEST_TEMPLATE.md pre-filling the three required PR description sections (Summary, Files Changed, Key Changes).
  • Added GitHub issue templates for bug reports, documentation issues, feature requests, new platform requests, Node.js version bumps, and tzdata version bumps, with config.yml disabling blank issues and surfacing the private security advisory link.
  • Added README.md, CONTRIBUTING.md, SECURITY.md, and CODE_OF_CONDUCT.md as the initial documentation set.
  • Added .github/assets/icon.svg as the shared branding icon used across all documentation headers.
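
The no-shell, no-package-manager, NODE_ENV and TZ checks listed for pr-tests.yml above, sketched as an added example (not the project's workflow code): because the image has no shell to exec into, the checks read an exported file listing and the image's configured environment instead. The deny list of binary names, the function names and the two text input formats are assumptions.

```shell
#!/bin/sh
# Added example, not the project's pr-tests.yml. Inputs are plain text files so
# the checks run without starting the image, which has no shell to exec into.
# Live inputs (needs Docker; the container is created, never started):
#   cid=$(docker create "$IMAGE" /usr/local/bin/node)
#   docker export "$cid" | tar -tf - > listing.txt; docker rm "$cid"
#   docker image inspect --format '{{range .Config.Env}}{{println .}}{{end}}' \
#       "$IMAGE" > env.txt

# Assumed deny list: basenames treated as a shell or a package manager.
FORBIDDEN='sh|ash|bash|dash|busybox|apk|apt|apt-get|dpkg|yum|dnf|npm|npx|yarn'

# Print each listed path whose basename is forbidden; return 1 if any exist.
find_forbidden() {   # $1 = tar listing, one path per line
    hits=$(sed -e 's#^\./##' -e 's#^/##' "$1" |
        grep -E "(^|/)($FORBIDDEN)\$" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/forbidden: /'
        return 1
    fi
}

# Succeed only if the env file has a line that is exactly KEY=VALUE.
env_is() {           # $1 = env file, $2 = key, $3 = expected value
    grep -Fxq -- "$2=$3" "$1"
}

# Run all four checks and report every failure, not just the first.
audit_image() {      # $1 = tar listing, $2 = env file
    rc=0
    find_forbidden "$1" || rc=1
    env_is "$2" NODE_ENV production || { echo "NODE_ENV is not production"; rc=1; }
    env_is "$2" TZ UTC || { echo "TZ is not UTC"; rc=1; }
    return "$rc"
}

# Constructed sample inputs (not captured from the published image).
sample_listing() {
    printf '%s\n' .dockerenv etc/nsswitch.conf etc/ssl/cert.pem tmp/ \
        usr/local/bin/node usr/share/zoneinfo/UTC
}
sample_env() {
    printf '%s\n' PATH=/usr/local/bin NODE_ENV=production TZ=UTC
}
```

Matching on the basename catches a shell reachable through a symlink or an unusual directory, since `tar -t` lists link names as ordinary paths.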

Versioning

Tags follow the pattern v<image_semver>+node<node_version>. The latest tag tracks the most recent stable release.


Immutable Tag

This tag is immutable. Once published, v1.0.0+node24.13.1 will never be moved or overwritten on either registry.


Full Changelog

https://github.com/Runtimes-Node/Runtime-Node/commits/v1.0.0+node24.13.1