Update Node.js to b342de0 #37

Merged
koki-develop merged 1 commit into master from renovate/node-20.19.6-bookworm-slim
Feb 14, 2026

@renovate renovate bot commented Jan 26, 2026

This PR contains the following updates:

Package | Type | Update | Change
node | final | digest | a270640 → b342de0

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

This PR updates the Node.js Docker base image digest from a270640 to b342de0 while maintaining the same version (20.19.6-bookworm-slim). The digest change is caused by two significant security-related updates:

1. Debian 12.13 Security Update (January 10, 2026)

  • 60+ security advisories including fixes for:
    • Linux kernel vulnerabilities (DSA-6009, DSA-6053)
    • OpenSSL security patches (DSA-6015)
    • Containerd vulnerabilities (DSA-6067)
    • Apache2, ImageMagick, Git, Samba fixes
    • Multiple browser/multimedia package updates (Chromium, Firefox-ESR)
  • 140+ packages received security and bug fixes
  • Source: Debian 12.13 Release

2. Node.js Security Release (January 13, 2026)

  • Node.js released version 20.20.0 addressing 8 CVEs (3 High, 4 Medium, 1 Low)
  • Note: The current image still uses Node.js 20.19.6, meaning it does NOT include the latest Node.js security patches
  • Critical vulnerabilities fixed in 20.20.0:
  • Source: Node.js Security Release

Breaking Changes: None - this is a Docker image rebuild with the same Node.js runtime version

🎯 Impact Scope Investigation

Usage Location Analysis:

  • Single usage in api/Dockerfile:11 as the base image for the Piston API server
  • The image is used to run an Express.js HTTP/1.1 server (no HTTP/2 detected)
  • Application uses basic HTTP features via Express 4.22.1 and WebSocket support
  • No TLS/SSL server configuration found in the codebase

Dependency Impact:

  • No npm package version changes required
  • All existing dependencies remain compatible
  • Node.js API compatibility maintained (same 20.19.6 version)

Risk Assessment for Current Vulnerabilities:

  1. HTTP/2 CVE-2025-59465: Not applicable - application uses Express with HTTP/1.1
  2. TLS CVE-2026-21637: Not applicable - no TLS server implementation detected
  3. File system CVE-2025-55130/55132: Low risk - Piston uses isolate sandboxing with separate namespaces and chroot
  4. Buffer/async_hooks CVEs: Potential risk if untrusted code execution triggers these paths

Security Benefits from Debian 12.13:

  • Critical system library updates (OpenSSL, Linux kernel, containerd)
  • Reduced attack surface from base OS vulnerabilities
  • Important for containerized production environments

💡 Recommended Actions

Immediate Action (This PR):

  1. Merge this PR - The digest update brings critical Debian security patches with no breaking changes
  2. The Node.js version remains stable at 20.19.6, maintaining full backward compatibility

Follow-up Action (Recommended):

  1. Monitor for Node.js 20.20.0 Docker image: Once the official node:20.20.0-bookworm-slim image is available, update to address the 8 Node.js CVEs
  2. Consider enabling Renovate to auto-update patch versions for Node.js base images
  3. Priority: Medium-High (3 High severity CVEs exist in Node.js 20.19.6)

Testing Recommendations:

  • Standard integration tests should pass
  • No code changes required
  • Container rebuild will include Debian security patches automatically

🔗 Reference Links

Security Updates:

Docker Resources:

Generated by koki-develop/claude-renovate-review
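
The digest-only case described in the review above (same tag 20.19.6-bookworm-slim, new digest) can be told apart from a runtime version bump by comparing the old and new FROM lines. This is an added example, not code from this repository, from Renovate, or from the review tool; the function names are hypothetical and the sha256 values are constructed placeholders.

```python
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def parse_from(line):
    """Return (image, tag, digest) for a Dockerfile FROM line, else None."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0].upper() != "FROM":
        return None
    refs = [t for t in tokens[1:] if not t.startswith("--")]  # skip --platform=
    if not refs:
        return None
    name, _, digest = refs[0].partition("@")
    if digest and not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed digest in {refs[0]!r}")
    # A ':' after the last '/' separates the tag; an earlier one is a registry port.
    slash, colon = name.rfind("/"), name.rfind(":")
    if colon > slash:
        return name[:colon], name[colon + 1:], digest or None
    return name, None, digest or None

def classify_update(old_line, new_line):
    """Classify a base-image change so a reviewer knows what actually moved."""
    old, new = parse_from(old_line), parse_from(new_line)
    if old is None or new is None:
        return "not-a-from-line"
    if new[2] is None:
        return "unpinned"        # tag can be re-pointed without a diff
    if old[0] != new[0]:
        return "image-change"
    if old[1] != new[1]:
        return "tag-change"      # runtime version may differ
    if old[2] != new[2]:
        return "digest-only"     # same tag rebuilt, e.g. base OS patches
    return "unchanged"

# Constructed sample lines: the 64-hex digests are placeholders, not real digests.
OLD_FROM = "FROM node:20.19.6-bookworm-slim@sha256:" + "a" * 64
NEW_FROM = "FROM node:20.19.6-bookworm-slim@sha256:" + "b" * 64

if __name__ == "__main__":
    print(classify_update(OLD_FROM, NEW_FROM))
```

A "digest-only" result means the tag, and therefore the Node.js version it names, did not change; only a "tag-change" such as a move to 20.20.0-bookworm-slim would alter the runtime.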

@koki-develop koki-develop merged commit bb72404 into master Feb 14, 2026
1 check passed
@koki-develop koki-develop deleted the renovate/node-20.19.6-bookworm-slim branch February 14, 2026 04:24