September 30, 20220 mins read
Updated recommended Node.js version, examples and vulnerability scan results to reflect the up-to-date Node.js LTS releases
Choosing a Node.js Docker image may seem like a small thing, but image sizes and potential vulnerabilities can have dramatic effects on your CI/CD pipeline and security posture. So, how do you choose the best Node.js Docker image?
It can be easy to miss the potential risks of using
FROM node:latest, or just
FROM node (which is an alias for the former). This is even more true if you’re unaware of the overall security risks and sheer file size they introduce to a CI/CD pipeline.
The following is an example of a Node.js Dockerfile that is typically given as a reference in Node.js Docker image tutorials and blog posts — but this Dockerfile is highly flawed and not recommended:
FROM node WORKDIR /usr/src/app COPY . /usr/src/app RUN npm install CMD "npm" "start"
I have previously outlined and provided a step-by-step guide on 10 best practices to containerize Node.js web applications with Docker, which builds on and improves the example to achieve a production-ready Node.js Docker image.
For this post, we’ll use the contrived example above as the contents of a
Dockerfile in order to find an ideal Node.js Docker image.
Your options for a Node.js Docker image
There are actually quite a few options you could go for when building your Node.js image. They range from the official Node.js Docker image that is maintained by the core Node.js team, to the specific Node.js image tags that you could choose from within that particular Docker base image, and even other options such as building your Node.js application on top of Google’s
distroless project, or a bare-bones
scratch image provided by the Docker team.
Out of all of these options, which Node.js Docker image is ideal for you?
Let’s look at them individually to learn more about the benefits and potential risks.
Author’s note: Throughout this article, I’ll compare a point-in-time Node.js version, which was last released around August 2023 and refers to Node.js 20.5.1.
The default node image
Let's start off with the maintained
node image. It is officially maintained by the Node.js Docker team and contains several Docker base image tags, which map to different underlying distributions (Debian, Ubuntu, or Alpine) and different versions of the Node.js runtime itself. There are also specific version tags to target CPU architectures such as
arm64x8 (the new Apple M1).
The most common
node image tags for the Debian distribution, such as
buster, are themselves based on
buildpack-deps, which are maintained by another team.
What happens when you build your Node.js Docker image based on this default
node image, with just the
fastify npm dependency? We’ll use this example in place of a full application deployment for simplicity
FROM node WORKDIR /app RUN npm install fastify
From the same directory, build the image with
docker build --no-cache -t mynode . — I’ve also pulled the
node:latest image in this example so show size difference. You get the following:
1$ docker images 2REPOSITORY TAG IMAGE ID CREATED SIZE 3mynode latest aae067fb98d2 27 seconds ago 1.11GB 4node latest 3a006ce583f9 2 hours ago 1.1GB
We didn’t specify the Node.js runtime version, so
nodeis an alias to
node:latest, which right now points to Node.js version 20.5.1.
Our Docker image size is 1.11GB.
node:latestbase image makes up 1.1GB of that size.
What is the dependency and security vulnerability footprint for this latest Node.js image? We can run a container scan to find out. If you would like to follow along and run the same scans against your builds, you will need to have a free Snyk account and install the Snyk CLI which can be done with a simple `npm install -g snyk` command or by following the instructions in our documentation.
We will run
snyk container test mynode --file=Dockerfile --exclude-app-vulns, which reveals the following:
A total of 414 dependencies — these are any open source library that was detected using the operating system package manager, like
A total of 154 security issues, such as Buffer Overflows, Use After Free errors, Out-of-bounds Write, and more, were found inside those dependencies.
Do you really need
curl to be available in the Node.js image for your application? Overall, it’s not a pretty picture — having hundreds of dependencies and tooling in the Node.js Docker image, with hundreds of vulnerabilities counted towards them, the Node.js runtime featuring 7 different security vulnerabilities leaves a lot of room for potential attacks.
Node.js Docker Hub options node:buster vs node:bullseye vs node:bookworm
If you browse the available tags on Node.js Docker Hub repository, you’ll find several options for alternative Node.js image tags, including
All three of these Docker image tags are based on Debian distribution versions. The
buster image tag maps to Debian 10, which has entered its End of Life date in August 2022 through 2024 — so it's not a great choice. The
bullseye image tag maps to Debian 11, is referred to as Debian’s current "old stable" release and has an estimated end-of-life date of June 2026. Finally,
bookworm is the current “stable” release, and, as of this writing, its end of life is yet to be determined — although, based on historical cadence, it’s probably safe to assume it will be sometime in 2028.
Author's note: Because of this, you’re highly encouraged to move all new and existing Node.js Docker images from
node:buster image tags to
node:bookworm, or other suitable alternatives.
Let’s build a new Node.js Docker image based on:
If you build this Node.js Docker image tag and compare to the above results, you’ll get the exact same size, dependency count, and vulnerabilities found. The reason is that
node:bookworm all point to the same Node.js image tag being built.
Node.js image tag for slimmer images
The official Node.js Docker team also maintains an image tag that explicitly targets the tooling needed for a functional Node.js environment and nothing else.
These Node.js image tags are referred to with
slim image tag variant, such as
node:bookworm-slim, or Node.js version specific such as
Let’s build a Node.js
slim image based on Debian’s current stable release
The image size already decreased dramatically — from close to a gigabyte of container image to an image size of 260MB. Scanning its content also shows a great decline in overall software footprint, with 89 dependencies and only 28 vulnerabilities.
node:bullseye-slim is already a better starting point in terms of container image size and security posture.
An LTS Node.js Docker image
So far, our Node.js Docker images were based off of the current version of Node.js, which is Node.js 20. But according to the Node.js releases schedule, this version doesn’t enter its official
Active LTS status until October 2023.
What if we always relied on the long-term support (LTS) versions in the Node.js Docker images we’re building? Let’s update the Docker image tag accordingly and build a new Node.js image:
The slimmer Node.js LTS version (18.17.1) brings a similar number of dependencies and security vulnerabilities on the image, resulting in a slightly smaller image size of 257MB.
So, as it turns out, while you may have specific requirements to choose between
Current Node.js runtime versions, none of them significantly impacts the software footprint of the Node.js image.
Is node:alpine a better choice for a Node.js image?
The Node.js Docker team maintains a
node:alpine image tag and variants of it to match specific versions of the Alpine Linux distributions with those of the Node.js runtime.
The Alpine Linux project is often cited for its incredibly small image size, which is great because it means a smaller software footprint, and by reference, smaller vulnerabilities surface.
FROM node:alpine ...
This will yield a Docker image size of 196MB, which shaves off 64MB from the
slim Node.js images, and in the Alpine image tag — as of the day I’m writing this — there are only 17 operating system dependencies and zero security vulnerabilities were detected. This may indicate that the
alpine image tag is a good choice for a small image size and vulnerability count altogether.
node:alpine the better choice for a Node.js Docker image?
The Alpine for Node.js image variant might provide an overall small image size and even smaller vulnerabilities count. However, it’s important to recognize that the Alpine project uses musl as the implementation for the C standard library, whereas Debian’s Node.js image tags such as
slim rely on the
glibc implementation. These differences can account for performance issues, functional bugs, or potential application crashes due to the underlying C library differences. Itamar Turner-Trauring also wrote about their experience of unexpected runtime issues relating to Alpine image tags for Python Docker images.
Choosing a Node.js
alpine image tag means you are effectively choosing an unofficial Node.js runtime. The Node.js Docker team doesn’t officially support container image builds based on Alpine. As such, it states that Alpine-based image tags are experimental, may not be consistent, and makes them available from the following unofficial builds. To quote the Unofficial Builds image tags repository:
Unofficial-builds attempts to provide basic Node.js binaries for some platforms that are either not supported or only partially supported by Node.js. This project does not provide any guarantees and its results are not rigorously tested. Builds made available at nodejs.org have very high quality standards for code quality, support on the relevant platforms platforms and for timing and methods of delivery. Builds made available by unofficial-builds have minimal or no testing; the platforms may have no inclusion in the official Node.js test infrastructure. These builds are made available for the convenience of their user community but those communities are expected to assist in their maintenance.
Some notable observations with Node.js
alpine image tag compatibility are:
Yarn being incompatible (issue #1716).
If you require
node-gypfor cross-compilation of native C bindings, then Python, which is a dependency of that process, isn’t available in the Alpine image and you will have to sort it out yourself (issue #1706).
Distroless Docker Images for Node.js
The last comparison item for our benchmark is going to be Google’s distroless container images.
What is a distroless docker image?
These images are even slimmer than the
slim Node.js image tag because they only target the application and its runtime dependencies. And so, a distroless Docker image has no package manager, shell, or other general-purpose tooling dependencies, giving them a small size and vulnerability footprint.
Lucky for us, the Distroless project maintains a runtime-specific distroless Docker image for Node.js, identified as
gcr.io/distroless/nodejs20-debian11 by its complete namespace and available in Google’s container registry (that’s the
Note: While the Distroless image
gcr.io/distroless/nodejs-debian11 still exists, it is deprecated and no longer being updated. For the latest supported images, see the table in the Distroless GitHub repo.
Because the Distroless container images have no software, we can use a Docker multistage workflow to install dependencies for our container and copy them to the distroless images:
FROM node:20-bullseye-slim AS build WORKDIR/app COPY ./app RUN npm install FROM gcr.io/distroless/nodejs20-debian11 COPY --from=build/app /usr/src/app WORKDIR /usr/src/app CMD ["server.js"]
Building this distroless Docker image results in a 177MB file, which is a reduction in file size from both the
alpine image tag variants.
If you’re considering using distroless Docker images, there are some Important considerations to make:
They are based on current stable Debian release versions, meaning they’re up to date with a far out end of life expiration date, which is a great thing.
Because they are Debian-based, they rely on the glibc implementation and are less likely to surprise you with issues in production.
You will soon enough find out that the Distroless team doesn’t maintain fine-grained Node.js runtime versions. This means you need to rely on the general purpose
latesttag that will be frequently updated, or install based on the SHA256 hash of the image at a certain time.
Comparison of Node.js Docker image tags
We can refer to the following table to summarize our comparison across different Node.js Docker image tags as of August 24, 2023 when last updated:
Node.js runtime version
OS security vulnerabilities
High and Critical vulnerabilities
Node.js runtime vulnerabilities
Let’s run through the data and insights we learned through each of the different Node.js image tags and decide which is the most ideal.
If your choice of which Node.js image tag to use comes down to dev-consistency — meaning that you want to optimize for the exact same environment parity of development and production — then this may already be a lost battle. In most cases, all 3 major operating systems use a different C library implementation. Linux relies on glibc, Alpine relies on musl, and macOS has its own BSD libc implementation.
Docker image size
Sometimes, size matters. More accurately though, the goal isn’t having the smallest of size but the smallest of software footprint overall. In that case, the
slim image tags aren’t much different in size compared with their
alpine counterparts, and they’re all averaging about 211MB for a container image. Granted, the software footprint of
slim images is still quite high (89 vs
alpine’s 17), and as such, it accounts for a bigger vulnerabilities surface (28 on
Vulnerabilities are an important concern, and have been the center of many articles on why you should be reducing the size of your container images. However, the semantics of security issues matter a lot.
Leaving out the
node:bullseye images due to the larger software footprint and increased security vulnerabilities, we can focus on the smaller set of image types. Comparing between
distroless, the variation between high and critical security vulnerabilities isn’t high in absolute numbers and ranges between 0 and 2 — a manageable risk that could potentially be irrelevant to your application use-case.
Support and resilience
Ensuring that the Node.js Docker team is able to prioritize and address concerns with regard to your container image builds, and that issues are resolved in a timely manner, goes a long way. With anything that isn’t the official, Debian-based image tags, you are essentially unable to cross this off your checklist.
When using the
node:20.5.1-bookworm-slim image tags, whether you’re opting for a full operating system image or using the slimmer version of dependencies, you are still getting the latest version of the Node.js runtime. While it is an even number (Node.js 18.2.0), at the time of this writing, it still hasn’t been included in the Long Term Support lifecycle, which means it will be bundling new versions of other dependent components such as the latest versions of
npm itself (which has been known for buggy new behavior and requiring time to stabilize).
The bottom line?
The most ideal Node.js Docker image would be a slimmed-down version of the operating system, based on a modern Debian OS, with a stable and active Long Term Support version of Node.js.
This comes down to choosing the
node:lts-bullseye-slim Node.js image tag. I’m in favor of using deterministic image tags, so the slight change I’d make is to use the actual underlying version number instead of the
The most ideal Node.js Docker image tag is
If you work within a mature DevOps team that can support custom base images, my second-best recommendation would be Google’s distroless image tag, because it maintains glibc compatibility for official Node.js runtime versions. This workflow will require some maintenance though, so I’d only advise it if you can support that.