From f301e434eeb628e2e6345bb2cd212cf06d630d1c Mon Sep 17 00:00:00 2001
From: "n8n-cat-bot[bot]" <283985454+n8n-cat-bot[bot]@users.noreply.github.com>
Date: Thu, 4 Jun 2026 20:37:00 +0100
Subject: [PATCH] build: Pin node24/alpine3.22 base images to digests in Docker
 build (#31772)

Co-authored-by: n8n-cat-bot[bot] <n8n-cat-bot[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
---
 docker/images/n8n-base/Dockerfile | 4 +++-
 docker/images/n8n/Dockerfile      | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/docker/images/n8n-base/Dockerfile b/docker/images/n8n-base/Dockerfile
index e838faff902..2ee463493b3 100644
--- a/docker/images/n8n-base/Dockerfile
+++ b/docker/images/n8n-base/Dockerfile
@@ -1,6 +1,8 @@
 ARG NODE_VERSION=24.15.0
 
-FROM dhi.io/node:${NODE_VERSION}-alpine3.22-dev
+# Pinned to multi-arch index digest (linux/amd64 + linux/arm64) for reproducible builds.
+# Bump the digest together with the tag when updating the base image.
+FROM dhi.io/node:24.15.0-alpine3.22-dev@sha256:a7eead704e9bd2d7a4c1b52cf595848f180365eba7c15a185ce1c3a690c1a19d
 
 ARG NODE_VERSION
 
diff --git a/docker/images/n8n/Dockerfile b/docker/images/n8n/Dockerfile
index 4b6a018b467..6b7d5e6a948 100644
--- a/docker/images/n8n/Dockerfile
+++ b/docker/images/n8n/Dockerfile
@@ -2,7 +2,9 @@ ARG NODE_VERSION=24.15.0
 ARG N8N_VERSION=snapshot
 
 # Builder stage exists because the runtime base image has no toolchain.
-FROM node:${NODE_VERSION}-alpine3.22 AS builder
+# Pinned to multi-arch index digest (linux/amd64 + linux/arm64) for reproducible builds.
+# Bump the digest together with the tag when updating the base image.
+FROM node:24.15.0-alpine3.22@sha256:b689d4005875ae167178471a7a622ec2909459a3bbb32277260be1971af7a99f AS builder
 COPY ./compiled /usr/local/lib/node_modules/n8n
 RUN apk add --no-cache python3 make g++ && \
     cd /usr/local/lib/node_modules/n8n && \