# Nodejs (Dockerfile) Security

Security vulnerabilities and detection rules for the nodejs framework. 2 rules across 1 CWE category.

- Total rules: 2
- CWE categories: 1

## CWEs

- **CWE-1104**: Use of Unmaintained Third Party Components

## Rules

- **Use npm ci for Reproducible Builds** [LOW]: Detects Dockerfiles using `npm install` instead of `npm ci` for production builds.
- **Node.js Version Mismatch Between Configuration Files** [MEDIUM]: Detects inconsistent Node.js versions across project configuration files. When `.nvmrc` specifies one Node.js version but the Dockerfile uses a different one, the result is environment drift:
  - "Works on my machine" bugs (code works locally but fails in production)
  - Security inconsistencies (development may run a patched version while production runs a vulnerable one)
  - Dependency incompatibilities (npm packages may behave differently)
  - Debugging difficulties (production issues are hard to reproduce locally)

  This rule detects mismatches between:
  - `.nvmrc` and Dockerfile
  - `.nvmrc` and `package.json` engines
  - `.tool-versions` and Dockerfile

  NOTE: Detection is handled by `internal/frameworks/nodejs/detector.go`. The actual recommended version comes from the docker-image-outdated finding, which uses the Docker image API for real-time version data.
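As an added illustration (not the project's own detector from `internal/frameworks/nodejs/detector.go`), the following self-contained Go check compares the Node major version declared in `.nvmrc` against the Dockerfile `FROM` line and `package.json` `engines.node`. It assumes major-version agreement is the property being checked and reads only the first number of a semver range, which is a simplification of what the real rule does.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// majorOf pulls the first integer out of a version-ish string such as "v18.17.0",
// "^18.0.0", ">=18" or "20-alpine" (simplification: ">=16 <20" yields only 16).
func majorOf(s string) (int, bool) {
	var n int
	_, err := fmt.Sscanf(regexp.MustCompile(`\d+`).FindString(s), "%d", &n)
	return n, err == nil
}

// fromRe matches the first FROM line that pulls the official node image, tolerating
// build flags (--platform=...), a registry prefix and a trailing "AS stage".
var fromRe = regexp.MustCompile(`(?im)^\s*FROM\s+(?:--\S+\s+)*(?:\S+/)?node:([^\s@]+)`)

func dockerfileMajor(content string) (int, bool) {
	if m := fromRe.FindStringSubmatch(content); m != nil {
		return majorOf(m[1])
	}
	return 0, false
}

// packageJSONMajor reads engines.node from a package.json document.
func packageJSONMajor(content string) (int, bool) {
	var pkg struct {
		Engines struct{ Node string `json:"node"` } `json:"engines"`
	}
	if err := json.Unmarshal([]byte(content), &pkg); err != nil || pkg.Engines.Node == "" {
		return 0, false
	}
	return majorOf(pkg.Engines.Node)
}

// Mismatches treats .nvmrc as the baseline and returns one finding per file whose
// Node major version disagrees with it; a nil result means the files are consistent.
func Mismatches(nvmrc, dockerfile, pkgJSON string) (out []string) {
	base, ok := majorOf(nvmrc) // an alias such as "lts/*" has no digits and is skipped
	if !ok {
		return nil
	}
	if d, ok := dockerfileMajor(dockerfile); ok && d != base {
		out = append(out, fmt.Sprintf(".nvmrc wants Node %d but Dockerfile FROM uses node %d", base, d))
	}
	if p, ok := packageJSONMajor(pkgJSON); ok && p != base {
		out = append(out, fmt.Sprintf(".nvmrc wants Node %d but package.json engines.node wants %d", base, p))
	}
	return out
}
```

Run `Mismatches` over the three files' contents; each returned string is one finding to surface at MEDIUM severity, and an empty result means the versions agree.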