Apply a bunch of updates

Author: lightswitch05

.github/workflows/auto-updates.yml

@@ -13,16 +13,16 @@ jobs:
     run-updates:
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v3
+            - uses: actions/checkout@v4
               with:
                   ref: master
                   fetch-depth: 10
                   token: ${{ secrets.GH_PAT }}
 
-            - name: Use Node.js 18.x
-              uses: actions/setup-node@v3
+            - name: Use Node.js 22.x
+              uses: actions/setup-node@v4
               with:
-                  node-version: 18.x
+                  node-version: 22.x
                   registry-url: 'https://registry.npmjs.org'
 
             - name: Change origin to bypass gh-pages issues with actions
@@ -34,7 +34,7 @@ jobs:
               run: npm ci
 
             - name: Cache downloaded files
-              uses: actions/cache@v2
+              uses: actions/cache@v4
               with:
                   path: ${{ github.workspace }}/tmp
                   key: ${{ runner.os }}-node-version-audit-${{ hashFiles('**/docs/rules-v1.json') }}
@@ -53,25 +53,28 @@ jobs:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
             - run: ./scripts/github-commit-auto-updates.sh
 
-            - uses: docker/setup-qemu-action@v1
-            - uses: docker/setup-buildx-action@v1
-            - uses: docker/login-action@v1
+            - uses: docker/setup-qemu-action@v3
+            - uses: docker/setup-buildx-action@v3
+            - uses: docker/login-action@v3
               with:
                   username: lightswitch05
                   password: ${{ secrets.DOCKERHUB_TOKEN }}
-            - uses: docker/login-action@v1
+            - uses: docker/login-action@v3
               with:
                   registry: ghcr.io
                   username: lightswitch05
                   password: ${{ secrets.GITHUB_TOKEN }}
             - name: Build and push
-              uses: docker/build-push-action@v2
+              uses: docker/build-push-action@v6
               with:
                   push: true
+                  pull: true
+                  cache-from: type=registry,ref=lightswitch05/node-version-audit:latest-cache
+                  cache-to: type=registry,ref=lightswitch05/node-version-audit:latest-cache,mode=max
                   context: ./
                   platforms: linux/amd64, linux/arm64
                   build-args: |
-                      NODE_IMAGE_TAG=18
+                      NODE_IMAGE_TAG=22
                   file: ./docker/Dockerfile
                   tags: |
                       lightswitch05/node-version-audit:latest

.github/workflows/codeql.yml

@@ -38,11 +38,11 @@ jobs:
 
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v3
+              uses: actions/checkout@v4
 
             # Initializes the CodeQL tools for scanning.
             - name: Initialize CodeQL
-              uses: github/codeql-action/init@v2
+              uses: github/codeql-action/init@v3
               with:
                   languages: ${{ matrix.language }}
                   # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +53,7 @@ jobs:
             # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
             # If this step fails, then you should remove it and run the build manually (see below)
             - name: Autobuild
-              uses: github/codeql-action/autobuild@v2
+              uses: github/codeql-action/autobuild@v3
 
             # ℹ️ Command-line programs to run using the OS shell.
             # 📚 https://git.io/JvXDl
@@ -67,4 +67,4 @@ jobs:
             #   make release
 
             - name: Perform CodeQL Analysis
-              uses: github/codeql-action/analyze@v2
+              uses: github/codeql-action/analyze@v3

.github/workflows/tests.yml

@@ -15,16 +15,16 @@ jobs:
                 node-version: [18.x, 20.x, 22.x]
 
         env:
-            IS_PRIMARY_VERSION: ${{ matrix.node-version == '18.x' }}
+            IS_PRIMARY_VERSION: ${{ matrix.node-version == '22.x' }}
             PUBLISH: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
 
         steps:
-            - uses: actions/checkout@v3
+            - uses: actions/checkout@v4
               with:
                   fetch-depth: 0
 
             - name: Use Node.js ${{ matrix.node-version }}
-              uses: actions/setup-node@v3
+              uses: actions/setup-node@v4
               with:
                   node-version: ${{ matrix.node-version }}
                   registry-url: 'https://registry.npmjs.org'

README.md

@@ -16,32 +16,32 @@ list of CVE exploits, new releases, and end of life dates.
 **Node Version Audit is not:** exploit detection/mitigation, vendor-specific version tracking, a replacement for
 staying informed on Node.js releases and security exploits.
 
-> -   [Features](#features)
-> -   [Example](#example)
-> -   [Usage](#usage)
->     -   [CLI](#cli)
->     -   [Docker](#docker)
->     -   [Direct Invocation](#direct-invocation)
->     -   [JSON Rules](#json-rules)
->     -   [Options](#options)
-> -   [Output](#output)
-> -   [Project Goals](#project-goals)
-> -   [Acknowledgments & License](#acknowledgments--license)
+> - [Features](#features)
+> - [Example](#example)
+> - [Usage](#usage)
+>     - [CLI](#cli)
+>     - [Docker](#docker)
+>     - [Direct Invocation](#direct-invocation)
+>     - [JSON Rules](#json-rules)
+>     - [Options](#options)
+> - [Output](#output)
+> - [Project Goals](#project-goals)
+> - [Acknowledgments & License](#acknowledgments--license)
 
 ## Features:
 
--   List known CVEs for a given version of Node.js
--   Check either the runtime version of Node.js, or a supplied version
--   Display end-of-life dates for a given version of Node.js
--   Display new releases for a given version of Node.js with configurable specificity (latest/minor/patch)
-    -   Patch: 16.13.0 -> 16.13.2
-    -   Minor: 16.13.0 -> 16.14.2
-    -   Latest: 16.13.0 -> 17.9.0
--   Rules automatically updated daily. Information is sourced directly from nodejs.org - you'll never be waiting on someone like me to merge a pull request before getting the latest patch information.
--   Multiple interfaces: CLI (via NPM), Docker, direct code import
--   Easily scriptable for use with CI/CD workflows. All Docker/CLI outputs are in JSON format to be consumed with your favorite tools - such as [jq](https://stedolan.github.io/jq/)
--   Configurable exit conditions. Use CLI flags like `--fail-security` to set a failure exit code if the given version of Node.js has a known CVE or is no longer supported.
--   Zero dependencies
+- List known CVEs for a given version of Node.js
+- Check either the runtime version of Node.js, or a supplied version
+- Display end-of-life dates for a given version of Node.js
+- Display new releases for a given version of Node.js with configurable specificity (latest/minor/patch)
+    - Patch: 16.13.0 -> 16.13.2
+    - Minor: 16.13.0 -> 16.14.2
+    - Latest: 16.13.0 -> 17.9.0
+- Rules automatically updated daily. Information is sourced directly from nodejs.org - you'll never be waiting on someone like me to merge a pull request before getting the latest patch information.
+- Multiple interfaces: CLI (via NPM), Docker, direct code import
+- Easily scriptable for use with CI/CD workflows. All Docker/CLI outputs are in JSON format to be consumed with your favorite tools - such as [jq](https://stedolan.github.io/jq/)
+- Configurable exit conditions. Use CLI flags like `--fail-security` to set a failure exit code if the given version of Node.js has a known CVE or is no longer supported.
+- Zero dependencies
 
 ## Example:
 
@@ -141,37 +141,37 @@ Get the latest Node.js 17 release version directly from the rules using [curl](h
 
 ### Output
 
--   auditVersion: string - The version of Node.js that is being audited.
--   hasVulnerabilities: bool - If the auditVersion has any known CVEs or not.
--   hasSupport: bool - If the auditVersion is still receiving support.
--   supportType: string - The current support status of auditVersion: 'current'|'active'|'maintenance'|'none'.
--   isLatestPatchVersion: bool - If auditVersion is the latest patch-level release (17.9.x).
--   isLatestMinorVersion: bool - If auditVersion is the latest minor-level release (17.x.x).
--   isLatestVersion: bool - If auditVersion is the latest release (x.x.x).
--   latestPatchVersion: string - The latest patch-level version for auditVersion.
--   latestMinorVersion: string - The latest minor-level version for auditVersion.
--   latestVersion: string - The latest Node.js version.
--   activeSupportEndDate: string|null - ISO8601 formatted date for the end of active support for auditVersion.
--   supportEndDate: string|null - ISO8601 formatted date for the end of maintenance support for auditVersion.
--   rulesLastUpdatedDate: string - ISO8601 formatted date for the last time the rules were auto-updated.
--   vulnerabilities: object - CVEs known to affect auditVersion with details about the CVE. CVE Details might be null for recently discovered CVEs.
+- auditVersion: string - The version of Node.js that is being audited.
+- hasVulnerabilities: bool - If the auditVersion has any known CVEs or not.
+- hasSupport: bool - If the auditVersion is still receiving support.
+- supportType: string - The current support status of auditVersion: 'current'|'active'|'maintenance'|'none'.
+- isLatestPatchVersion: bool - If auditVersion is the latest patch-level release (17.9.x).
+- isLatestMinorVersion: bool - If auditVersion is the latest minor-level release (17.x.x).
+- isLatestVersion: bool - If auditVersion is the latest release (x.x.x).
+- latestPatchVersion: string - The latest patch-level version for auditVersion.
+- latestMinorVersion: string - The latest minor-level version for auditVersion.
+- latestVersion: string - The latest Node.js version.
+- activeSupportEndDate: string|null - ISO8601 formatted date for the end of active support for auditVersion.
+- supportEndDate: string|null - ISO8601 formatted date for the end of maintenance support for auditVersion.
+- rulesLastUpdatedDate: string - ISO8601 formatted date for the last time the rules were auto-updated.
+- vulnerabilities: object - CVEs known to affect auditVersion with details about the CVE. CVE Details might be null for recently discovered CVEs.
 
 ## Project Goals:
 
--   Always use update-to-date information and fail if it becomes too stale. Since this tool is designed to help its users stay informed, it must in turn fail if it becomes outdated.
--   Fail if the requested information is unavailable. ex. auditing an unknown version of Node.js like 12.50.0, or 0.9.0. Again, since this tool is designed to help its users stay informed, it must in turn fail if the requested information is unavailable.
--   Work in both open and closed networks (as long as the tool is up-to-date).
--   Minimal footprint and dependencies (no runtime dependencies).
--   Runtime support for the oldest supported version of Node.js. If you are using this tool with an unsupported version of Node.js, then you already have all the answers that this tool can give you: Yes, you have vulnerabilities and are out of date. Of course that is just for the run-time, it is still the goal of this project to supply information about any reasonable version of Node.js.
+- Always use update-to-date information and fail if it becomes too stale. Since this tool is designed to help its users stay informed, it must in turn fail if it becomes outdated.
+- Fail if the requested information is unavailable. ex. auditing an unknown version of Node.js like 12.50.0, or 0.9.0. Again, since this tool is designed to help its users stay informed, it must in turn fail if the requested information is unavailable.
+- Work in both open and closed networks (as long as the tool is up-to-date).
+- Minimal footprint and dependencies (no runtime dependencies).
+- Runtime support for the oldest supported version of Node.js. If you are using this tool with an unsupported version of Node.js, then you already have all the answers that this tool can give you: Yes, you have vulnerabilities and are out of date. Of course that is just for the run-time, it is still the goal of this project to supply information about any reasonable version of Node.js.
 
 ## Acknowledgments & License
 
--   This project is released under the [Apache License 2.0](https://raw.githubusercontent.com/lightswitch05/node-version-audit/master/LICENSE).
--   The accuracy of the information provided by this project cannot be verified or guaranteed. All functions are provided as convenience only and should not be relied on for accuracy or punctuality.
--   The logo was created using Mathias Pettersson and Brian Hammond's [Node.js Logo](https://nodejs.org/en/about/resources/#logo-downloads) as the base image. The logo has been modified from its original form to include overlay graphics.
--   This project and the use of the modified Node.js logo is not endorsed by Mathias Pettersson or Brian Hammond.
--   This project and the use of the Node.js name is not endorsed by OpenJS Foundation.
--   CVE details and descriptions are downloaded from National Institute of Standard and Technology's [National Vulnerability Database](https://nvd.nist.gov/). This project and the use of CVE information is not endorsed by NIST or the NVD. CVE details are provided as convenience only. The accuracy of the information cannot be verified.
--   Node.js release details and support dates are generated from [Changelogs](https://github.com/nodejs/node/tree/master/doc/changelogs) and the [Release Schedule](https://github.com/nodejs/Release/blob/main/schedule.json). The accuracy of the information cannot be verified.
+- This project is released under the [Apache License 2.0](https://raw.githubusercontent.com/lightswitch05/node-version-audit/master/LICENSE).
+- The accuracy of the information provided by this project cannot be verified or guaranteed. All functions are provided as convenience only and should not be relied on for accuracy or punctuality.
+- The logo was created using Mathias Pettersson and Brian Hammond's [Node.js Logo](https://nodejs.org/en/about/resources/#logo-downloads) as the base image. The logo has been modified from its original form to include overlay graphics.
+- This project and the use of the modified Node.js logo is not endorsed by Mathias Pettersson or Brian Hammond.
+- This project and the use of the Node.js name is not endorsed by OpenJS Foundation.
+- CVE details and descriptions are downloaded from National Institute of Standard and Technology's [National Vulnerability Database](https://nvd.nist.gov/). This project and the use of CVE information is not endorsed by NIST or the NVD. CVE details are provided as convenience only. The accuracy of the information cannot be verified.
+- Node.js release details and support dates are generated from [Changelogs](https://github.com/nodejs/node/tree/master/doc/changelogs) and the [Release Schedule](https://github.com/nodejs/Release/blob/main/schedule.json). The accuracy of the information cannot be verified.
 
 Copyright © 2022 Daniel White

docker/Dockerfile

@@ -1,18 +1,24 @@
 ARG NODE_IMAGE_TAG
-FROM node:${NODE_IMAGE_TAG} as builder
+FROM scratch AS files
 WORKDIR /opt/node-version-audit
-COPY ./docker/docker-entrypoint.sh ./docker/docker-entrypoint.sh
-ADD ./package-lock.json .
-ADD ./package.json .
+# none of these files change often
 ADD ./lib ./lib/
 ADD ./bin ./bin/
-ADD ./docs/rules-v1.json ./docs/
+
+FROM node:${NODE_IMAGE_TAG} AS builder
 ENV NODE_ENV=production
-RUN npm install --production
+WORKDIR /opt/node-version-audit
+ADD ./package-lock.json .
+ADD ./package.json .
+RUN npm ci --omit=dev
 
 FROM node:${NODE_IMAGE_TAG}
 WORKDIR /opt/node-version-audit
 ENV NVA_REQUIRE_VERSION_ARG=true
 ENV NODE_ENV=production
-COPY --from=builder /opt/node-version-audit /opt/node-version-audit
+COPY ./docker/docker-entrypoint.sh ./docker/docker-entrypoint.sh
 ENTRYPOINT ["/opt/node-version-audit/docker/docker-entrypoint.sh"]
+COPY --link --from=builder /opt/node-version-audit /opt/node-version-audit
+COPY --link --from=files /opt/node-version-audit /opt/node-version-audit
+# this is the only file that changes regularly
+COPY ./docs/rules-v1.json ./docs/