node 20

Runtime · Language runtime · standard · v20

0 fixable CVEs nonroot cosign signed SPDX SBOM SLSA provenance amd64 · arm64

Hardened Node.js runtime + npm. Active LTS lines (20/22/24).

Version line

24 · latest 22 20

The latest line lives at the base page; older lines have their own page so you can pin and verify exactly that version.

Image

ghcr.io/quenchworks/images/node:20

Signed

cosign keyless

SBOM

SPDX, on digest

Provenance

SLSA build

Architectures

amd64, arm64

Runs as

nonroot (uid 1001)

Image size

49.5 MB

SBOM packages

185

Last rebuilt

2026-06-12

Use it as a base image

Reference it in the FROM line of your Dockerfile. Nonroot, read-only root filesystem, built for amd64 and arm64.

FROM ghcr.io/quenchworks/images/node:20

Or pull it directly

docker pull ghcr.io/quenchworks/images/node:20

Version line: 20
Latest line: 20, 22, 24
Architectures: amd64, arm64
Runs as: nonroot (uid 1001)
Root filesystem: read-only
License: MIT

Verify the supply chain

This image is cosign-signed and carries an SPDX SBOM and a SLSA build-provenance attestation on the same digest. Check all three before you build on it:

# 1. signature — built and signed by QuenchWorks CI
cosign verify ghcr.io/quenchworks/images/node:20 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

# 2. SLSA build provenance — which workflow built it, from what
gh attestation verify oci://ghcr.io/quenchworks/images/node:20 --owner quenchworks

# 3. SPDX SBOM — the package inventory
gh attestation verify oci://ghcr.io/quenchworks/images/node:20 --owner quenchworks \
  --predicate-type https://spdx.dev/Document

See the SBOM & provenance guide for reading the SBOM and using these checks in CI.

Build a Node app → Image source

Best-practice Dockerfile for 20

The four-stage pnpm pattern: a shared base, a prod-only dependency stage, a build stage with the full dependency set, and a slim final stage that ships only the production node_modules and the built dist.

ghcr.io/quenchworks/images/node:20 49.5 MB rebuilt 3 days ago 185 SBOM pkgs

1
# Base: a common starting point for the dependency and build stages.
2
FROM ghcr.io/quenchworks/images/node:20 AS base
3
WORKDIR /app
4
ENV PNPM_HOME=/tmp/pnpm \
5
    npm_config_cache=/tmp/npm
6

7
# prod-deps: resolve production dependencies only.
8
FROM base AS prod-deps
9
COPY package.json pnpm-lock.yaml ./
10
RUN ["corepack", "enable"]
11
RUN ["pnpm", "install", "--prod", "--frozen-lockfile"]
12

13
# build: install the full dependency set and build.
14
FROM base AS build
15
COPY package.json pnpm-lock.yaml ./
16
RUN ["corepack", "enable"]
17
RUN ["pnpm", "install", "--frozen-lockfile"]
18
COPY . .
19
RUN ["pnpm", "run", "build"]
20

21
# final: prod node_modules + built dist on a clean node base, nonroot.
22
FROM ghcr.io/quenchworks/images/node:20 AS final
23
WORKDIR /app
24
ENV NODE_ENV=production
25
COPY --from=prod-deps /app/node_modules ./node_modules
26
COPY --from=build /app/dist ./dist
27
COPY --from=build /app/package.json ./package.json
28
USER 1001
29
EXPOSE 3000
30
CMD ["node", "dist/server.js"]

This Dockerfile is pinned to the 20 line. For the line-by-line walkthrough and ecosystem variants (npm/Yarn, pip/uv/Poetry, Maven/Gradle), see the Build a Node app guide.

Upstream project: https://github.com/nodejs/node