# nodejs (Dockerfile) Security Rules

2 detection rules for nodejs framework in Dockerfile

- Total rules: 2
- CWE coverage: 1

## MEDIUM (1)

- **Node.js Version Mismatch Between Configuration Files**: Detects inconsistent Node.js versions across project configuration files. When `.nvmrc` specifies one Node.js version but the Dockerfile uses a different one, the result is environment drift:
  - "Works on my machine" bugs (code works locally but fails in production)
  - Security inconsistencies (development may run a patched version while production runs a vulnerable one)
  - Dependency incompatibilities (npm packages may behave differently across Node.js versions)
  - Debugging difficulties (production issues are hard to reproduce locally)

  This rule detects mismatches between:
  - `.nvmrc` and Dockerfile
  - `.nvmrc` and `package.json` `engines`
  - `.tool-versions` and Dockerfile

  NOTE: Detection is handled by `internal/frameworks/nodejs/detector.go`. The actual recommended version comes from the `docker-image-outdated` finding, which uses the Docker image API for real-time version data.

## LOW (1)

- **Use npm ci for Reproducible Builds**: Detects Dockerfiles using `npm install` instead of `npm ci` for production builds. `npm ci` installs exactly what `package-lock.json` records and fails if the lockfile and `package.json` disagree, so the image gets the same dependency tree every build.
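A minimal standalone check covering both rules above (version drift across `.nvmrc`, Dockerfile and `package.json` `engines`, and `npm install` in a `RUN` line). This is an added illustration, not the project's `detector.go`; the three sample files are constructed, and only major versions are compared, so base images without a numeric tag (`node:lts`, `node:latest`) are skipped rather than flagged.

```go
package main

import (
	"encoding/json"
	"regexp"
)

// Constructed sample inputs for this example; not taken from any real project.
const sampleNvmrc = "v18.19.0\n"
const sampleDockerfile = "FROM node:20-alpine AS build\nWORKDIR /app\nCOPY . .\nRUN npm install --production\n"
const samplePackageJSON = `{"name":"demo","engines":{"node":">=18"}}`

var (
	// FROM lines whose image is node (optionally registry/namespace-prefixed) with a numeric major tag.
	fromNodeRe = regexp.MustCompile(`(?m)^\s*FROM\s+(?:[\w.-]+/)*node:(\d+)`)
	// RUN lines that call "npm install" or its alias "npm i" (but not "npm ci" or "npm init").
	npmInstallRe = regexp.MustCompile(`(?m)^\s*RUN\b.*\bnpm\s+(install|i)\b`)
	majorRe      = regexp.MustCompile(`\d+`)
)

// major returns the leading major version in strings like "v18.19.0" or ">=18"; "" if none.
func major(s string) string { return majorRe.FindString(s) }

// VersionMismatches compares the major version pinned in .nvmrc with every node base image
// in the Dockerfile (multi-stage builds may have several) and with package.json engines.node.
func VersionMismatches(nvmrc, dockerfile, pkgJSON string) []string {
	want := major(nvmrc)
	if want == "" {
		return nil // nothing pinned locally, nothing to compare against
	}
	var out []string
	for _, m := range fromNodeRe.FindAllStringSubmatch(dockerfile, -1) {
		if m[1] != want {
			out = append(out, "Dockerfile uses node:"+m[1]+" but .nvmrc pins "+want)
		}
	}
	var pkg struct{ Engines struct{ Node string } } // JSON keys match case-insensitively
	if err := json.Unmarshal([]byte(pkgJSON), &pkg); err == nil && pkg.Engines.Node != "" {
		if got := major(pkg.Engines.Node); got != want {
			out = append(out, "package.json engines.node "+pkg.Engines.Node+" but .nvmrc pins "+want)
		}
	}
	return out
}

// UsesNpmInstall reports whether any RUN line installs with npm install instead of npm ci.
func UsesNpmInstall(dockerfile string) bool { return npmInstallRe.MatchString(dockerfile) }
```

Running it on the samples reports one mismatch (node:20 in the Dockerfile against 18 in `.nvmrc`; `>=18` agrees on major) and flags the `npm install` line.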