Stop shipping OS bloat.
A secure, distroless Node.js base image built entirely FROM scratch.
No shell. No package manager. No OS utilities. Just Node.js — and nothing else.
Runtime Node is a production-grade Docker base image that ships only what Node.js actually needs to run — and nothing more.
Built entirely FROM scratch, the image is assembled by extracting hand-picked binaries and shared libraries from the official Alpine Node.js image, rather than inheriting a full operating system. The result is an image that is smaller, safer, and cleaner than any Alpine or Debian-based alternative — with zero known vulnerabilities and a footprint of approximately ~45 MB.
Most Node.js Docker images ship with far more than your application needs at runtime. That extra surface area — shells, package managers, system utilities — doesn't help your app run. It just gives attackers somewhere to hide.
Runtime Node eliminates that entirely. By building from scratch and including only the minimum required components, the image enforces a distroless guarantee: if a tool isn't needed to execute Node.js, it isn't there.
| Feature | Detail |
|---|---|
| Base | FROM scratch — no OS, no shell |
| Node.js Version | 25.8.0 |
NODE_ENV |
production (baked in) |
TZ |
UTC (baked in) |
| Timezone Database | IANA tzdata 2026a-r0 included |
| Image Size | ~45 MB |
| Architectures | linux/amd64, linux/arm64 |
| Shell | None |
| Package Manager | None |
| CA Certificates | Included |
| DNS Resolution | nsswitch.conf included |
| Vulnerabilities | 0 known |
| Provenance & SBOM | Generated on every release |
# Docker Hub
docker pull runtimenode/runtime-node:latest
# GitHub Container Registry
docker pull ghcr.io/Runtimes-Node/runtime-node:latestnode:latest |
node:alpine |
runtimenode/runtime-node |
|
|---|---|---|---|
| Image Size | ~407 MB | ~56 MB | ~45 MB |
| Base | Debian Bookworm | Alpine Linux | FROM scratch |
| Shell | ✅ bash + sh | ✅ sh (ash) | ❌ None |
| Package Manager | ✅ apt | ✅ apk | ❌ None |
| Known Vulnerabilities | High | Low–Medium | 0 |
| Attack Surface | Large | Medium | Minimal |
NODE_ENV=production preset |
❌ | ❌ | ✅ |
TZ=UTC preset |
❌ | ❌ | ✅ |
| Provenance & SBOM | ❌ | ❌ | ✅ |
Add Runtime Node as your base image and copy in your application:
FROM runtimenode/runtime-node:v2.2.0-25.8.0
COPY --chown=nobody:nobody dist/ /app/
USER nobody
ENTRYPOINT ["/usr/local/bin/node", "/app/index.js"]Note: Because the image has no shell, your
ENTRYPOINTmust use exec form (JSON array syntax) and reference the Node.js binary by its full path:/usr/local/bin/node.
| Registry | Image |
|---|---|
| Docker Hub | runtimenode/runtime-node |
| GitHub Container Registry | ghcr.io/Runtimes-Node/runtime-node |
| Repository | Description |
|---|---|
Runtime-Node |
The Runtime Node Dockerfile, CI/CD pipelines, and full project documentation. |
To report a vulnerability, please follow the responsible disclosure process outlined in SECURITY.md. Do not open a public GitHub Issue for security reports.
This project follows a Code of Conduct. By participating, you are expected to uphold it.
Contributions are welcome. Please read CONTRIBUTING.md before opening a pull request.
Licensed under the Apache License 2.0.