[Snyk] Security upgrade node from 20.5.0-alpine to 20.11.1-alpine

[SPAHI4]

This PR was automatically created by Snyk using the credentials of a real user.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Changes included in this PR

• worker/Dockerfile

We recommend upgrading to node:20.11.1-alpine, as this image has only 0 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Some of the most important vulnerabilities in your base image include:

Severity	Priority Score / 1000	Issue	Exploit Maturity
	614	CVE-2023-5363 SNYK-ALPINE318-OPENSSL-6032386	No Known Exploit
	621	Improper Access Control SNYK-UPSTREAM-NODE-5843454	Proof of Concept
	614	Allocation of Resources Without Limits or Throttling SNYK-UPSTREAM-NODE-6252328	No Known Exploit
	621	Path Traversal SNYK-UPSTREAM-NODE-6252334	Proof of Concept
	721	Path Traversal SNYK-UPSTREAM-NODE-6255385	Proof of Concept

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Path Traversal
🦉 Improper Access Control
🦉 Allocation of Resources Without Limits or Throttling

[github-actions]

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Validation 🤖success

Validation Output

Success! The configuration is valid.

Terraform Plan 📖success

Show Plan

terraform
data.cloudflare_ip_ranges.cloudflare: Reading...
data.template_file.db_init: Reading...
data.cloudflare_zone.default: Reading...
data.template_file.db_init: Read complete after 0s [id=9cfd5507d4ab0bcbba8622726474c10224cf2e0e5cb380fe5a8a7ce27df754e7]
data.cloudflare_ip_ranges.cloudflare: Read complete after 0s [id=2749251940]
data.cloudflare_zone.default: Read complete after 0s [id=912714793d16044d3fce7b01eedf537f]
cloudflare_worker_script.client: Refreshing state... [id=production__client]
cloudflare_page_rule.sitemap_redirect: Refreshing state... [id=102cbfc89f7fb42c3b66e25877d2464f]
data.aws_ami.amazon_linux: Reading...
aws_iam_role.ec2_instance: Refreshing state... [id=production__ec2_instance]
aws_default_subnet.default: Refreshing state... [id=subnet-0016e0ee7efc40856]
aws_security_group.allow_ec2_ssh: Refreshing state... [id=sg-0079c501834fe8b3c]
aws_security_group.allow_rds: Refreshing state... [id=sg-0a121ef3886ca5c25]
aws_key_pair.deployer: Refreshing state... [id=prod-deployer-key]
aws_s3_bucket.client: Refreshing state... [id=spahi4.me]
aws_s3_bucket.image-storage: Refreshing state... [id=spahi4-photo-images-prod]
aws_security_group.allow_ec2: Refreshing state... [id=sg-06addd6a0400c0f63]
aws_db_parameter_group.default: Refreshing state... [id=production-photo-app-db]
data.aws_ecr_repository.ecr_repository: Reading...
cloudflare_worker_route.client: Refreshing state... [id=2deaba8b7cfa4e1c87141f080d8d31ce]
aws_iam_instance_profile.instance: Refreshing state... [id=production_instance_profile]
aws_iam_role_policy.ecr_policy: Refreshing state... [id=production__ec2_instance:production_ecr_policy]
data.aws_ami.amazon_linux: Read complete after 0s [id=ami-008f8b1de678e93a6]
data.aws_ecr_repository.ecr_repository: Read complete after 1s [id=spahi4-photo-app]
aws_db_instance.default: Refreshing state... [id=db-EDU3COYGKMHFJV4PMSJAAPYH3I]
null_resource.db_init: Refreshing state... [id=8660641436548500519]
aws_s3_bucket_public_access_block.image-storage: Refreshing state... [id=spahi4-photo-images-prod]
aws_s3_bucket_versioning.image-storage: Refreshing state... [id=spahi4-photo-images-prod]
aws_s3_bucket_ownership_controls.image-storage: Refreshing state... [id=spahi4-photo-images-prod]
aws_s3_bucket_cors_configuration.image-storage: Refreshing state... [id=spahi4-photo-images-prod]
aws_iam_policy.image_storage_policy: Refreshing state... [id=arn:aws:iam::851893752920:policy/production_S3UploadPolicy]
aws_instance.app: Refreshing state... [id=i-05ba63d19cd20d732]
aws_s3_bucket_public_access_block.client: Refreshing state... [id=spahi4.me]
aws_s3_bucket_website_configuration.client: Refreshing state... [id=spahi4.me]
data.aws_iam_policy_document.s3_bucket_policy_public: Reading...
data.aws_iam_policy_document.s3_bucket_policy_public: Read complete after 0s [id=1563853790]
aws_iam_policy_attachment.instance_s3_upload_attachment: Refreshing state... [id=production_InstanceS3UploadAttachment]
aws_s3_bucket_policy.client_policy: Refreshing state... [id=spahi4.me]
cloudflare_record.s3_website: Refreshing state... [id=cc316305dc17947b396284e8c7927f7e]
aws_eip.app: Refreshing state... [id=eipalloc-051f80094fe233d32]
cloudflare_record.ecs_api: Refreshing state... [id=cb8d5bf8aad2ae97a1c5bcc133aaf88a]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement
 <= read (data resources)

Terraform will perform the following actions:

  # data.template_file.environment will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "template_file" "environment" {
      + id       = (known after apply)
      + rendered = (known after apply)
      + template = <<-EOT
            DEPLOYMENT=${deployment}
            NODE_ENV=production
            
            DATABASE_URL=${database_url}
            ROOT_DATABASE_URL=${root_database_url}
            S3_BUCKET_REGION=${s3_bucket_region}
            S3_BUCKET_NAME=${s3_bucket_name}
            
            API_ORIGIN=${api_origin}
            API_PORT=${api_port}
            WEB_ORIGIN=${web_origin}
            
            JWT_PUBLIC_KEY=${jwt_public_key}
            JWT_SECRET_KEY=${jwt_secret_key}
            
            SSL_CERT=${ssl_cert}
            SSL_KEY=${ssl_key}
            
            GOOGLE_REFRESH_TOKEN=${google_refresh_token}
            
            INSTALLED_GOOGLE_CLIENT_ID=${installed_google_client_id}
            INSTALLED_GOOGLE_CLIENT_SECRET=${installed_google_client_secret}
            INSTALLED_GOOGLE_REDIRECT_URI=${installed_google_redirect_uri}
            
            WEB_GOOGLE_CLIENT_ID=${web_google_client_id}
            WEB_GOOGLE_CLIENT_SECRET=${web_google_client_secret}
            WEB_GOOGLE_REDIRECT_URI=${web_google_redirect_uri}
        EOT
      + vars     = {
          + "api_origin"                     = "https://api.spahi4.me"
          + "api_port"                       = "443"
          + "database_url"                   = (sensitive value)
          + "deployment"                     = "production"
          + "google_refresh_token"           = (sensitive value)
          + "installed_google_client_id"     = (sensitive value)
          + "installed_google_client_secret" = (sensitive value)
          + "installed_google_redirect_uri"  = (sensitive value)
          + "jwt_public_key"                 = (sensitive value)
          + "jwt_secret_key"                 = (sensitive value)
          + "root_database_url"              = (sensitive value)
          + "s3_bucket_name"                 = "spahi4-photo-images-prod"
          + "s3_bucket_region"               = "eu-north-1"
          + "ssl_cert"                       = (sensitive value)
          + "ssl_key"                        = (sensitive value)
          + "web_google_client_id"           = (sensitive value)
          + "web_google_client_secret"       = (sensitive value)
          + "web_google_redirect_uri"        = (sensitive value)
          + "web_origin"                     = "https://spahi4.me"
        }
    }

  # data.template_file.init will be read during apply
  # (config refers to values not yet known)
 <= data "template_file" "init" {
      + id       = (known after apply)
      + rendered = (known after apply)
      + template = <<-EOT
            #!/bin/bash
            yum update -y
            amazon-linux-extras install -y docker
            service docker start
            usermod -a -G docker ec2-user
            chkconfig docker on
            echo "${env}" > /home/environment.env
            
            aws ecr get-login-password --region ${aws_region} | docker login --username AWS --password-stdin ${repository_url}
            
            docker pull ${repository_url}:server-"${git_sha}"
            docker pull ${repository_url}:worker-"${git_sha}"
            docker pull ${repository_url}:migrate-"${git_sha}"
            
            docker run -d -p 443:443 --restart=always \
              --env-file /home/environment.env \
              "${repository_url}":server-"${git_sha}"
            
            sudo docker run -d --restart=always \
                --env-file /home/environment.env \
              ${repository_url}:worker-"${git_sha}"
            
            sudo docker run -d \
                --env-file /home/environment.env \
              ${repository_url}:migrate-"${git_sha}"
        EOT
      + vars     = {
          + "aws_region"     = "eu-north-1"
          + "env"            = (known after apply)
          + "git_sha"        = "f875977f2662b13eea3299503284c790cf88b928"
          + "repository_url" = "851893752920.dkr.ecr.eu-north-1.amazonaws.com/spahi4-photo-app"
        }
    }

  # aws_db_instance.default will be updated in-place
  ~ resource "aws_db_instance" "default" {
      ~ engine_version                        = "15.5" -> "15.3"
        id                                    = "db-EDU3COYGKMHFJV4PMSJAAPYH3I"
        tags                                  = {
            "Name" = "photo-app-production"
        }
        # (51 unchanged attributes hidden)
    }

  # aws_eip.app will be updated in-place
  ~ resource "aws_eip" "app" {
        id                   = "eipalloc-051f80094fe233d32"
      ~ instance             = "i-05ba63d19cd20d732" -> (known after apply)
        tags                 = {}
        # (12 unchanged attributes hidden)
    }

  # aws_instance.app must be replaced
-/+ resource "aws_instance" "app" {
      ~ ami                                  = "ami-0c25aa580e098d764" -> "ami-008f8b1de678e93a6" # forces replacement
      ~ arn                                  = "arn:aws:ec2:eu-north-1:851893752920:instance/i-05ba63d19cd20d732" -> (known after apply)
      ~ associate_public_ip_address          = true -> (known after apply)
      ~ availability_zone                    = "eu-north-1b" -> (known after apply)
      ~ cpu_core_count                       = 1 -> (known after apply)
      ~ cpu_threads_per_core                 = 2 -> (known after apply)
      ~ disable_api_stop                     = false -> (known after apply)
      ~ disable_api_termination              = false -> (known after apply)
      ~ ebs_optimized                        = false -> (known after apply)
      - hibernation                          = false -> null
      + host_id                              = (known after apply)
      + host_resource_group_arn              = (known after apply)
      ~ id                                   = "i-05ba63d19cd20d732" -> (known after apply)
      ~ instance_initiated_shutdown_behavior = "stop" -> (known after apply)
      + instance_lifecycle                   = (known after apply)
      ~ instance_state                       = "running" -> (known after apply)
      ~ ipv6_address_count                   = 0 -> (known after apply)
      ~ ipv6_addresses                       = [] -> (known after apply)
      ~ monitoring                           = false -> (known after apply)
      + outpost_arn                          = (known after apply)
      + password_data                        = (known after apply)
      + placement_group                      = (known after apply)
      ~ placement_partition_number           = 0 -> (known after apply)
      ~ primary_network_interface_id         = "eni-08dc90dfa8f8fb0ee" -> (known after apply)
      ~ private_dns                          = "ip-172-31-47-74.eu-north-1.compute.internal" -> (known after apply)
      ~ private_ip                           = "172.31.47.74" -> (known after apply)
      ~ public_dns                           = "ec2-16-171-246-92.eu-north-1.compute.amazonaws.com" -> (known after apply)
      ~ public_ip                            = "16.171.246.92" -> (known after apply)
      ~ secondary_private_ips                = [] -> (known after apply)
      ~ security_groups                      = [
          - "prod-allow_ec2",
          - "prod-allow_ec2_ssh",
          - "prod-allow_rds",
        ] -> (known after apply)
      + spot_instance_request_id             = (known after apply)
      ~ subnet_id                            = "subnet-0de5ef889581dad5d" -> (known after apply)
        tags                                 = {
            "Name" = "photo-app-production"
        }
      ~ tenancy                              = "default" -> (known after apply)
      ~ user_data                            = "463e9e93d7c7dc13b89bfbc7287bfdfbb3af8d92" # forces replacement -> (known after apply) # forces replacement
      + user_data_base64                     = (known after apply)
        # (8 unchanged attributes hidden)

      - capacity_reservation_specification {
          - capacity_reservation_preference = "open" -> null
        }

      - cpu_options {
          - core_count       = 1 -> null
          - threads_per_core = 2 -> null
        }

      - credit_specification {
          - cpu_credits = "unlimited" -> null
        }

      - enclave_options {
          - enabled = false -> null
        }

      - maintenance_options {
          - auto_recovery = "default" -> null
        }

      - metadata_options {
          - http_endpoint               = "enabled" -> null
          - http_protocol_ipv6          = "disabled" -> null
          - http_put_response_hop_limit = 1 -> null
          - http_tokens                 = "optional" -> null
          - instance_metadata_tags      = "disabled" -> null
        }

      - private_dns_name_options {
          - enable_resource_name_dns_a_record    = false -> null
          - enable_resource_name_dns_aaaa_record = false -> null
          - hostname_type                        = "ip-name" -> null
        }

      - root_block_device {
          - delete_on_termination = true -> null
          - device_name           = "/dev/xvda" -> null
          - encrypted             = false -> null
          - iops                  = 100 -> null
          - tags                  = {} -> null
          - throughput            = 0 -> null
          - volume_id             = "vol-0d5e448bd9c95811d" -> null
          - volume_size           = 8 -> null
          - volume_type           = "gp2" -> null
        }
    }

Plan: 1 to add, 2 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

Pusher: @SPAHI4, Action: pull_request, Working Directory: terraform, Workflow: Lint & Tests