fixed vulnerabilities

.github/workflows/ci.yaml

@@ -18,12 +18,15 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: "18"
+          node-version: "22"
           cache: "npm"
 
       - name: Install dependencies
         run: npm ci
 
+      - name: Security audit
+        run: npm audit --audit-level=high --omit=dev
+
       - name: Run linter
         run: npm run lint --if-present
 
@@ -48,10 +51,20 @@ jobs:
         with:
           context: .
           push: false
+          load: true
           tags: opsctrl/daemon:ci-${{ github.sha }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Scan image for vulnerabilities
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: opsctrl/daemon:ci-${{ github.sha }}
+          format: table
+          exit-code: 1
+          severity: CRITICAL,HIGH
+          ignore-unfixed: true
+
   helm-lint:
     runs-on: ubuntu-latest
     steps:

Dockerfile

@@ -27,6 +27,9 @@ RUN npm run build
 # Stage 2: Production stage
 FROM node:22-alpine AS production
 
+# Update npm to fix glob vulnerability in bundled npm
+RUN npm install -g npm@11.6.4
+
 # Create non-root user for security
 RUN addgroup -g 1001 -S opsctrl && \
     adduser -S opsctrl -u 1001 -G opsctrl