# Node.js Version Mismatch Between Configuration Files

- ID: nodejs-version-mismatch
- Severity: MEDIUM
- CWE: CWE-1104
- Languages: JavaScript, Dockerfile
- Frameworks: nodejs

## Description

Detects inconsistent Node.js versions across project configuration files. When .nvmrc specifies one Node.js version but Dockerfile uses a different version, it causes environment drift:

- "Works on my machine" bugs (code works locally but fails in production)
- Security inconsistencies (development may use patched version while production uses vulnerable version)
- Dependency incompatibilities (npm packages may behave differently)
- Debugging difficulties (hard to reproduce production issues locally)

This rule detects mismatches between:

- .nvmrc and Dockerfile
- .nvmrc and package.json engines
- .tool-versions and Dockerfile

NOTE: Detection is handled by internal/frameworks/nodejs/detector.go. The actual recommended version comes from the docker-image-outdated finding which uses the Docker image API for real-time version data.

## Detection Message

Node.js versions are inconsistent across configuration files. Check the docker-image-outdated finding for the latest recommended version. Never downgrade to match an older version.

## Remediation

Align ALL configuration files to use the SAME Node.js version.

IMPORTANT: Check the docker-image-outdated finding for the LATEST version. The API provides real-time version recommendations.

After determining the latest version from docker-image-outdated, update:

- Dockerfile: FROM node:-alpine
- .nvmrc:
- package.json engines.node: ">=.0.0"

NEVER downgrade. Always use the NEWER version shown in docker-image-outdated.

## Related Rules

- **Docker Base Image Security** [MEDIUM]:
- **Use npm ci for Reproducible Builds** [LOW]:
- **Dockerfile Uses Outdated Node.js Version** [MEDIUM]:
- **.nvmrc Specifies Outdated Node.js Version** [MEDIUM]:
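
The cross-file comparison described under Description and Remediation can be reproduced as a local or CI check. The following is an added example, not the code in internal/frameworks/nodejs/detector.go; the function names, the major-version-only comparison and the sample file contents are assumptions of this sketch.

```javascript
// Added example. Compares Node.js MAJOR versions only (an assumption of this sketch).
// Leading major from "v20.11.1", "20-alpine", ">=18.0.0"; null for aliases
// such as "lts/iron", "alpine" or "${NODE_VERSION}" that carry no leading number.
function major(spec) {
  const m = /^[\s>=^~v]*(\d+)/.exec(spec);
  return m ? Number(m[1]) : null;
}

// files: map of file name -> file content. Returns source -> major (or null).
function nodeVersions(files) {
  const found = {};
  if (files[".nvmrc"]) found[".nvmrc"] = major(files[".nvmrc"].trim());
  const tv = /^nodejs\s+(\S+)/m.exec(files[".tool-versions"] || "");
  if (tv) found[".tool-versions"] = major(tv[1]);
  // Every FROM node:<tag> stage counts: multi-stage builds can disagree internally.
  const from = /^\s*FROM\s+(?:--platform=\S+\s+)?(?:\S+\/)?node:(\S+)/gim;
  let m, stage = 0;
  while ((m = from.exec(files["Dockerfile"] || "")) !== null) {
    found[`Dockerfile node stage ${++stage}`] = major(m[1]);
  }
  if (files["package.json"]) {
    // engines.node is a range; its first bound is used as the declared version.
    const node = (JSON.parse(files["package.json"]).engines || {}).node;
    if (node) found["package.json engines.node"] = major(node);
  }
  return found;
}

function checkMismatch(files) {
  const found = nodeVersions(files);
  const majors = [...new Set(Object.values(found).filter((v) => v !== null))];
  return {
    found,
    unresolved: Object.keys(found).filter((k) => found[k] === null),
    mismatch: majors.length > 1,
    // Highest major already in use: the aligned version must not be lower.
    floor: majors.length ? Math.max(...majors) : null,
  };
}

// Constructed sample project, not taken from a real repository.
const sample = {
  ".nvmrc": "v20.11.1\n",
  ".tool-versions": "nodejs 20.11.1\npython 3.12.1\n",
  "Dockerfile": "FROM node:18-alpine AS build\nRUN npm ci\nFROM node:18-alpine\n",
  "package.json": '{"name":"demo","engines":{"node":">=18.0.0"}}',
};
console.log(checkMismatch(sample));
```

Entries listed in `unresolved` (aliases or build arguments) need manual review, and `floor` is only a lower bound: the version to align on still comes from the docker-image-outdated finding.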