Choosing the best Node.js Docker image

Choosing a Node.js Docker image may seem like a small thing, but image sizes and potential vulnerabilities can have dramatic effects on your CI/CD pipeline and security posture. So, how do you choose the best Node.js Docker image?

It can be easy to miss the potential risks of using FROM node:latest, or just FROM node (which is an alias for the former). This is even more true if you’re unaware of the overall security risks and sheer file size they introduce to a CI/CD pipeline.

The following is an example of a Node.js Dockerfile that is typically given as a reference in Node.js Docker image tutorials and blog posts — but this Dockerfile is highly flawed and not recommended:

FROM node
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
CMD "npm" "start"

I have previously outlined and provided a step-by-step guide on 10 best practices to containerize Node.js web applications with Docker, which builds on and improves the example to achieve a production-ready Node.js Docker image.

For this post, we’ll use the contrived example above as the contents of a Dockerfile in order to find an ideal Node.js Docker image.

Your options for a Node.js Docker image

There are actually quite a few options you could go for when building your Node.js image. They range from the official Node.js Docker image that is maintained by the core Node.js team, to the specific Node.js image tags that you could choose from within that particular Docker base image, and even other options such as building your Node.js application on top of Google’s distroless project, or a bare bones scratch image provided by the Docker team.

Out of all of these options, which Node.js Docker image is ideal for you?

Let’s take a look at them one by one to learn more about the benefits and potential risks.

Author’s note: Throughout this article, I’ll compare a point-in-time Node.js version, which was last released around June 2022 and refers to Node.js 18.2.0.

The default node image

Let's start off with the maintained node image. It is officially maintained by the Node.js Docker team and contains several Docker base image tags, which map to different underlying distributions (Debian, Ubuntu, or Alpine) as well as to different versions of the Node.js runtime itself. There are also specific version tags to target CPU architectures such as amd64 or arm64x8 (the new Apple M1).

The most common node image tags for the Debian distribution, such as bullseye or buster, are themselves based off of buildpack-deps, which are maintained by another team.

What happens when you build your Node.js Docker image based on this default node image, with just the fastify npm dependency?

FROM node

Build the image with docker build --no-cache -f Dockerfile1 -t dockerfile1, and you get the following:

• We didn’t specify the Node.js runtime version, so node is an alias to node:latest, which right now points to Node.js version 18.2.0

• The Node.js Docker image size is 952MB

What is the dependency and security vulnerability footprint for this latest Node.js image? We can run a container scan with snyk container test dockerfile1, which reveals the following:

• A total of 409 dependencies — these are any open source library that was detected using the operating system package manager, like curl/libcurl4, git/git-man, or imagemagick/imagemagick-6-common.

• A total of 289 security issues, such as Buffer Overflows, Use After Free errors, Out-of-bounds Write, and more, were found inside those dependencies.

• The Node.js 18.2.0 runtime version is vulnerable to 7 security issues such as DNS Rebinding, HTTP Request Smuggling, and Configuration Hijacking.

Do you really need wget, git, or curl to be available in the Node.js image for your application? Overall, it’s not a pretty picture — having hundreds of dependencies and tooling in the Node.js Docker image, with hundreds of vulnerabilities counted towards them, the Node.js runtime featuring 7 different security vulnerabilities leaves a lot of room for potential attacks.

Node.js Docker Hub options node:buster vs node:bullseye

If you browse the available tags on Node.js Docker Hub repository, you’ll find two options for alternative Node.js image tags — node:buster and node:bullseye.

Both of these Docker image tags are based on Debian distribution versions. The buster image tag maps to Debian 10, which enters its End of Life date in August 2022 through 2024 — so it's not a great choice. The bullseye image tag maps to Debian 11, is referred to as Debian’s current stable release, and has an estimated end of life date of June 2026.

Author's note: Because of this, you’re highly encouraged to move all new and existing Node.js Docker images from node:buster image tags to node:bullseye or other suitable alternatives.

Let’s build a new Node.js Docker image based on:

FROM node:bullseye

If you build this Node.js Docker image tag and compare to the above results, you’ll get the exact same size, dependency count, and vulnerabilities found. The reason is that node, node:latest, and node:bullseye all point to the same Node.js image tag being built.

Node.js image tag for slimmer images

The official Node.js Docker team also maintains an image tag that explicitly targets the tooling needed for a functional Node.js environment and nothing else.

These Node.js image tags are referred to with slim image tag variant, such as node:bullseye-slim, or Node.js version specific such as node:14.19.2-slim.

Let’s build a Node.js slim image based on Debian’s current stable release bullseye:

FROM node:bullseye-slim

The image size already decreased dramatically — from close to a gigabyte of container image to an image size of 246MB. Scanning its content also shows a great decline in overall software footprint, with 97 dependencies and only 56 vulnerabilities.

The node:bullseye-slim is already a better starting point in terms of container image size and security posture.

An LTS Node.js Docker image

So far, our Node.js Docker images were based off of the current version of Node.js, which is Node.js 18. But according to the Node.js releases schedule, this version doesn’t enter its official Active LTS status until October 2022.

What if we always relied on the long-term support (LTS) versions in the Node.js Docker images we’re building? Let’s update the Docker image tag accordingly and build a new Node.j image:

FROM node:lts-bullseye-slim

The slimmer Node.js LTS version (16.15.0) brings a similar number of dependencies and security vulnerabilities on the image, and a slightly smaller image size of 188MB.

So, as it turns out, while you may have specific requirements to choose between LTS and Current Node.js runtime versions, none of them significantly impacts the software footprint of the Node.js image.

Is node:alpine a better choice for a Node.js image?

The Node.js Docker team maintains a node:alpine image tag and variants of it to match specific versions of the Alpine Linux distributions with those of the Node.js runtime.

The Alpine Linux project is often cited for its incredibly small image size, which is great because it means a smaller software footprint, and by reference, smaller vulnerabilities surface. The following command instructs the Dockerfile to build a node, which at that point, will increase the uncompressed image size:

FROM node:alpine

This will yield a Docker image size of 178MB, which is relatively the same as slim Node.js images at 188MB, but in the Alpine image tag, only 16 operating system dependencies and 2 security vulnerabilities were detected in total. This may indicate that the alpine image tag is a good choice for a small image size and vulnerability count altogether.

Is node:alpine the better choice for a Node.js Docker image?

The Alpine for Node.js image variant might provide an overall small image size and even smaller vulnerabilities count. However, it’s important to recognize that the Alpine project uses musl as the implementation for the C standard library, whereas Debian’s Node.js image tags such as bullseye or slim rely on the glibc implementation. These differences can account for performance issues, functional bugs, or potential application crashes due to the underlying C library differences. Itamar Turner-Trauring also wrote about their experience of unexpected runtime issues relating to Alpine image tags for Python Docker images.

Choosing a Node.js alpine image tag means you are effectively choosing an unofficial Node.js runtime. The Node.js Docker team doesn’t officially support container image builds based on Alpine. As such, it states that Alpine-based image tags are experimental, may not be consistent, and makes them available from the following unofficial builds. To quote the Unofficial Builds image tags repository:

Unofficial-builds attempts to provide basic Node.js binaries for some platforms that are either not supported or only partially supported by Node.js. This project does not provide any guarantees and its results are not rigorously tested. Builds made available at nodejs.org have very high quality standards for code quality, support on the relevant platforms platforms and for timing and methods of delivery. Builds made available by unofficial-builds have minimal or no testing; the platforms may have no inclusion in the official Node.js test infrastructure. These builds are made available for the convenience of their user community but those communities are expected to assist in their maintenance.

Some notable observations with Node.js alpine image tag compatibility are:

• Yarn being incompatible (issue #1716).

• If you require node-gyp for cross-compilation of native C bindings, then Python, which is a dependency of that process, isn’t available in the Alpine image and you will have to sort it out yourself (issue #1706).

If you are choosing to use a Node.js docker image that's based on Alpine, one thing to keep in mind is that Docker security tooling (such as Trivy or Snyk) cannot currently detect runtime related vulnerabilities in Alpine base images. While this might change in the future, currently you will not be able to find security vulnerabilities for the Node.js 18.2.0 alpine base image tag where Node.js 18.2.0 runtime itself is actually vulnerable. This is to do with the security tooling itself, and not the Alpine base image, but a consideration you should account for nonetheless.

Distroless Docker Images for Node.js

The last comparison item for our benchmark is going to be Google’s distroless container images.

What is a distroless docker image?

These images are even slimmer than the slim Node.js image tag because they only target the application and its runtime dependencies. And so, a distroless Docker image has no container package manager, shell, or other general purpose tooling dependencies, giving them a small size and vulnerability footprint.

Lucky for us, the Distroless project maintains a runtime-specific distroless Docker image for Node.js, identified as gcr.io/distroless/nodejs-debian11 by its complete namespace and available in Google’s container registry (that’s the gcr.io part).

Because the Distroless container images have no software, we can use a Docker multistage workflow to install dependencies for our container and copy them to the distroless images:

FROM node:16-bullseye-slim AS build
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install

FROM gcr.io/distroless/nodejs:16
COPY --from=build /usr/src/app /usr/src/app
WORKDIR /usr/src/app
CMD ["server.js"]

Building this distroless Docker image results in a 112MB file, which is a significant reduction in file size from both the slim and alpine image tag variants.

If you’re considering using distroless Docker images, there are some Important considerations to make:

• They are based on current stable Debian release versions, meaning they’re up to date with a far out end of life expiration date, which is a great thing.

• Because they are Debian-based, they rely on the glibc implementation and are less likely to surprise you with issues in production.

• You will soon enough find out that the Distroless team doesn’t maintain fine-grained Node.js runtime versions. This means you need to rely on the general purpose nodejs:16 tag that will be frequently updated, or install based on the SHA256 hash of the image at a certain point in time.

Comparison of Node.js Docker image tags

We can refer to the following table to summarize our comparison across different Node.js Docker image tags:

Let’s run through the data and insights we learned through each of the different Node.js image tags and decide which is the most ideal.

Development-parity

If your choice of which Node.js image tag to use comes down to dev-consistency — meaning that you want to optimize for the exact same environment parity of development and production — then this may already be a lost battle. In most cases, all 3 major operating systems use a different C library implementation. Linux relies on glibc, Alpine relies on musl, and macOS has its own BSD libc implementation.

Docker image size

Sometimes, size matters. More accurately though, the goal isn’t having the smallest of size but the smallest of software footprint overall. In that case, the slim image tags aren’t much different in size compared with their alpine counterparts, and they’re both averaging about 200MB for a container image. Granted, the software footprint of slim images is still quite high (97 vs alpine’s 16), and as such, it accounts for a bigger vulnerabilities surface (56 on `slim` vs `2` for `alpine`).

Security vulnerabilities

Vulnerabilities are an important concern, and have been the center of many articles on why you should be reducing the size of your container images. However, the semantics of security issues matter a lot.

Leaving out the node and node:bullseye images due to the larger software footprint and increased security vulnerabilities, we can focus on the smaller set of image types. Comparing between slim, alpine, and distroless, the variation between high and critical security vulnerabilities isn’t high in absolute numbers and ranges between 0 and 4 — a manageable risk that could potentially be irrelevant to your application use-case.

Support and resilience

Ensuring that the Node.js Docker team is able to prioritize and address concerns with regard to your container image builds, and that issues are resolved in a timely manner, goes a long way. With anything that isn’t the official, Debian-based image tags, you are essentially unable to cross this off your checklist.

When using the node or node:bullseye-slim image tags, whether you’re opting for a full operating system image or using the slimmer version of dependencies, you are still getting the latest version of the Node.js runtime. While it is an even number (Node.js 18.2.0), at the time of this writing, it still hasn’t been included in the Long Term Support lifecycle, which means it will be bundling new versions of other dependent components such as the latest versions of npm itself (which has been known for buggy new behavior and requiring time to stabilize).

The bottom line?

The most ideal Node.js Docker image would be a slimmed-down version of the operating system, based on a modern Debian OS, with a stable and active Long Term Support version of Node.js.

This comes down to choosing the node:lts-bullseye-slim Node.js image tag. I’m in favor of using deterministic image tags, so the slight change I’d make is to use the actual underlying version number instead of the lts alias.

The most ideal Node.js Docker image tag is node:16.17.0-bullseye-slim.

If you work within a mature DevOps team that can support custom base images, my second-best recommendation would be Google’s distroless image tag, because it maintains glibc compatibility for official Node.js runtime versions. This workflow will require some maintenance though, so I’d only advise it if you can support that.