
Conversation


@jonasflorencio jonasflorencio commented Nov 11, 2025

Proposed changes (including videos or screenshots)

CVE-2025-27210
CVE-2025-9230

Issue(s)

Steps to test or reproduce

Further comments

Summary by CodeRabbit

  • Chores
    • Added a changeset recording patch bumps for multiple Rocket.Chat packages.
    • Standardized Node.js to 22.21.1 across CI workflows, Docker base images, and project config.
    • Updated container build images and CI setup steps to use the new Node version.
    • No functional changes or public API modifications; adjustments affect runtime and versioning only.

@jonasflorencio jonasflorencio requested a review from a team as a code owner November 11, 2025 14:29

dionisio-bot bot commented Nov 11, 2025

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines


changeset-bot bot commented Nov 11, 2025

🦋 Changeset detected

Latest commit: 8531fc5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 41 packages
Name Type
rocketchat-services Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/authorization-service Patch
@rocket.chat/stream-hub-service Patch
@rocket.chat/presence-service Patch
@rocket.chat/account-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/queue-worker Patch
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/freeswitch Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/http-router Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/federation-matrix Patch
@rocket.chat/license Patch
@rocket.chat/media-calls Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
@rocket.chat/models Patch
@rocket.chat/network-broker Patch
@rocket.chat/omni-core-ee Patch
@rocket.chat/mock-providers Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/ui-voip Patch
@rocket.chat/instance-status Patch
@rocket.chat/omni-core Patch



coderabbitai bot commented Nov 11, 2025

Walkthrough

Node.js version is bumped to 22.21.1 across workflows, Dockerfiles, and package config. A changeset records patch bumps for multiple Rocket.Chat packages; no functional code changes were made.

Changes

Cohort / File(s) Summary
Changeset
.changeset/perfect-trees-rescue.md
Documents multiple package patch bumps (Rocket.Chat packages) and updates Node runtime specification to 22.21.1.
GitHub Actions Workflows
.github/workflows/ci-deploy-gh-pages.yml, .github/workflows/new-release.yml, .github/workflows/pr-update-description.yml, .github/workflows/publish-release.yml, .github/workflows/release-candidate.yml, .github/workflows/update-version-durability.yml
Updated Setup NodeJS steps from 22.16.0 → 22.21.1.
Meteor Dockerfiles
apps/meteor/.docker-mongo/Dockerfile, apps/meteor/.docker/Dockerfile.alpine, apps/meteor/.docker/Dockerfile.debian
Bumped base images from node:22.14.0 / node:22.16.0 → node:22.21.1 variants.
Enterprise App Dockerfiles
ee/apps/*/Dockerfile, ee/apps/account-service/Dockerfile, apps/meteor/ee/server/services/Dockerfile
Updated builder and runtime base images from node:22.16.0-alpine3.21 → node:22.21.1-alpine3.21 (and related alpine/debian variant updates).
Package Configuration
package.json
Updated engines.node and volta.node from 22.16.0 → 22.21.1.
Test Config
packages/message-parser/jest.config.ts
Replaced __dirname usage with import.meta.dirname for PEG.js transform path (ESM alignment).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Homogeneous, repetitive version-string updates across files.
  • Spot-check items:
    • Consistency of 22.21.1 across workflows, Dockerfiles, and package.json.
    • Intentional OS variant bumps (alpine3.20 → alpine3.21, bullseye-slim updates).
    • Changeset contents and message accuracy.
    • import.meta.dirname change in jest.config.ts for ESM correctness.

Possibly related PRs

Suggested labels

stat: ready to merge, stat: QA assured

Suggested reviewers

  • ggazzo
  • rodrigok
  • KevLehman

Poem

🐰 I hopped through files and nudged each node,

From Docker roots to Actions on the road.
A changeset snug, versions tidy and bright,
I twitch my whiskers — builds sleep well tonight. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: bumping Node.js version from 22.16.0 to 22.21.1 across all configuration files and dependencies.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f6f565f and 8531fc5.

📒 Files selected for processing (1)
  • packages/message-parser/jest.config.ts (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build
🔇 Additional comments (1)
packages/message-parser/jest.config.ts (1)

9-9: import.meta.dirname is fully supported in Node.js 22.21.1 and correct for ESM.

The feature was added in Node.js v20.11.0/v21.2.0 and marked non-experimental in v22.16.0, so the change is safe and appropriate for the Node.js version upgrade. The file is already using ES module syntax, making this a straightforward and correct modernization.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • CVE-2025: Request failed with status code 404

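The walkthrough's spot-check list (consistency of 22.21.1 across workflows, Dockerfiles and package.json, and the intentional OS variant bumps) is easy to automate. The following script is an added example, not Rocket.Chat code and not part of this PR: it extracts every Node pin from the three kinds of files the PR touches, reports pins that disagree with the expected version, flags base images pinned by a mutable tag with no @sha256 digest, and reports when Dockerfiles spread across several Alpine/Debian variants. The file names and contents are constructed samples embedded inline; the all-zero digest is a placeholder, not a real image digest.

```javascript
// Added example, not Rocket.Chat code: scan the kinds of files a Node bump
// touches (Dockerfiles, GitHub Actions workflows, package.json) and report
// every Node pin that disagrees with the expected version, every base image
// pinned by a mutable tag without an @sha256 digest, and any spread of
// Alpine/Debian variants across Dockerfiles.
const EXPECTED_NODE = '22.21.1';

// Constructed sample inputs standing in for repository files. The zero digest
// below is a placeholder, not a real image digest.
const SAMPLE_FILES = {
  'apps/meteor/.docker/Dockerfile.alpine': [
    'FROM node:22.21.1-alpine3.20',
    'RUN apk upgrade --no-cache openssl',
  ].join('\n'),
  'ee/apps/stream-hub-service/Dockerfile': [
    'FROM node:22.21.1-alpine3.21 AS build',
    'RUN yarn install',
    'FROM node:22.16.0-alpine3.21', // runtime stage left on the old version
  ].join('\n'),
  'apps/meteor/ee/server/services/Dockerfile':
    `FROM node:22.21.1-alpine3.21@sha256:${'0'.repeat(64)} AS build`,
  '.github/workflows/new-release.yml': [
    '      - uses: actions/setup-node@v4',
    '        with:',
    '          node-version: 22.21.1',
  ].join('\n'),
  '.github/workflows/ci-deploy-gh-pages.yml': '          node-version: "22.16.0"',
  'package.json': JSON.stringify({ engines: { node: '22.21.1' }, volta: { node: '22.16.0' } }),
};

// FROM node:<semver>[-variant][@sha256:<digest>] ...; a --platform= flag is tolerated.
const FROM_RE = /^\s*FROM\s+(?:--platform=\S+\s+)?node:(\d+\.\d+\.\d+)(-[\w.]+)?(@sha256:[0-9a-f]{64})?/gim;
// actions/setup-node input, quoted or unquoted.
const NODE_VERSION_RE = /node-version:\s*['"]?(\d+\.\d+\.\d+)/g;

// Returns every Node pin found in one file as { file, kind, value, variant, digest }.
function extractPins(file, text) {
  const pins = [];
  if (/Dockerfile/.test(file)) {
    for (const m of text.matchAll(FROM_RE)) {
      pins.push({ file, kind: 'docker-from', value: m[1], variant: m[2] || '', digest: m[3] || null });
    }
  } else if (/\.ya?ml$/.test(file)) {
    for (const m of text.matchAll(NODE_VERSION_RE)) {
      pins.push({ file, kind: 'workflow', value: m[1], variant: '', digest: null });
    }
  } else if (file.endsWith('package.json')) {
    const pkg = JSON.parse(text);
    for (const key of ['engines', 'volta']) {
      if (pkg[key] && typeof pkg[key].node === 'string') {
        // A range such as ">=22" is reported as drift on purpose: one exact pin is the goal.
        pins.push({ file, kind: `${key}.node`, value: pkg[key].node, variant: '', digest: null });
      }
    }
  }
  return pins;
}

// Compares every pin against the expected version and collects the set of
// base-image variants seen, so a mixed alpine3.20 / alpine3.21 tree is visible.
function findDrift(files, expected) {
  const findings = [];
  const variants = new Set();
  for (const [file, text] of Object.entries(files)) {
    for (const pin of extractPins(file, text)) {
      if (pin.kind === 'docker-from' && pin.variant) variants.add(pin.variant);
      if (pin.value !== expected) {
        findings.push({ ...pin, reason: `expected ${expected}` });
      } else if (pin.kind === 'docker-from' && !pin.digest) {
        findings.push({ ...pin, reason: 'mutable tag; add an @sha256 digest' });
      }
    }
  }
  return { findings, variants: [...variants].sort() };
}

// Human-readable report lines, one per finding plus one for variant spread.
function report(files, expected) {
  const { findings, variants } = findDrift(files, expected);
  const lines = findings.map((f) => `${f.file}: ${f.kind} = ${f.value} (${f.reason})`);
  if (variants.length > 1) lines.push(`base image variants differ across Dockerfiles: ${variants.join(', ')}`);
  return lines;
}

for (const line of report(SAMPLE_FILES, EXPECTED_NODE)) console.log(line);
```

Run against a real checkout by replacing SAMPLE_FILES with the contents of `git ls-files '*Dockerfile*' '.github/workflows/*.yml' package.json`; a non-empty report is the signal to block the merge. The digest check is deliberately strict: a tag such as node:22.21.1-alpine3.21 can be re-pointed upstream, so an image built for a security fix should record the exact digest it was verified against.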


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between cbd8995 and f6fc6c2.

📒 Files selected for processing (18)
  • .changeset/perfect-trees-rescue.md (1 hunks)
  • .github/workflows/ci-deploy-gh-pages.yml (1 hunks)
  • .github/workflows/new-release.yml (1 hunks)
  • .github/workflows/pr-update-description.yml (1 hunks)
  • .github/workflows/publish-release.yml (1 hunks)
  • .github/workflows/release-candidate.yml (1 hunks)
  • .github/workflows/update-version-durability.yml (1 hunks)
  • apps/meteor/.docker-mongo/Dockerfile (1 hunks)
  • apps/meteor/.docker/Dockerfile.alpine (1 hunks)
  • apps/meteor/.docker/Dockerfile.debian (1 hunks)
  • ee/apps/account-service/Dockerfile (2 hunks)
  • ee/apps/authorization-service/Dockerfile (2 hunks)
  • ee/apps/ddp-streamer/Dockerfile (2 hunks)
  • ee/apps/omnichannel-transcript/Dockerfile (2 hunks)
  • ee/apps/presence-service/Dockerfile (2 hunks)
  • ee/apps/queue-worker/Dockerfile (2 hunks)
  • ee/apps/stream-hub-service/Dockerfile (2 hunks)
  • package.json (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: CodeQL-Build
🔇 Additional comments (19)
.github/workflows/publish-release.yml (1)

24-31: Node.js version update applied consistently.

The Setup NodeJS step correctly updates to 22.21.1, aligning with PR objectives for security fixes. No issues in this file.

.github/workflows/pr-update-description.yml (1)

21-28: Node.js version update applied consistently.

The Setup NodeJS step correctly updates to 22.21.1. No issues in this file.

.github/workflows/release-candidate.yml (1)

15-22: Node.js version update applied consistently.

The Setup NodeJS step correctly updates to 22.21.1. No issues in this file.

.github/workflows/update-version-durability.yml (1)

23-26: Node.js version update applied consistently.

The "Use Node.js" step correctly updates to 22.21.1 using the standard GitHub action. No issues in this file.

.github/workflows/ci-deploy-gh-pages.yml (1)

17-23: Node.js version update applied consistently.

The Setup NodeJS step correctly updates to 22.21.1. No issues in this file.

ee/apps/queue-worker/Dockerfile (2)

1-1: Node.js base image versions updated consistently to 22.21.1-alpine3.21.

Both builder and final stages use the correct updated version. The multi-stage build pattern is appropriate. No issues with these changes.

Also applies to: 105-105


113-116: Verify CVE reference accuracy in the comment.

Line 115 references "CVE-2025-9230" for OpenSSL vulnerability, but this CVE identifier does not appear in public advisories. Node.js 22.x bundles OpenSSL 3.5.2, which allows Node.js 22.x to be supported through to the planned End-of-Life date of 2027-04-30 as the previously bundled OpenSSL 3.0.x goes out of support in September 2026. Please verify the correct CVE identifier or provide the CVE details that apply to this OpenSSL upgrade.

.github/workflows/new-release.yml (1)

34-41: Node.js version update applied consistently.

The Setup NodeJS step correctly updates to 22.21.1. No issues in this file.

ee/apps/ddp-streamer/Dockerfile (1)

1-1: Straightforward version bump with security fix.

The Node.js runtime has been updated consistently across both builder and final stages, with proactive OpenSSL vulnerability remediation included. No concerns identified.

Also applies to: 95-95

apps/meteor/.docker/Dockerfile.debian (1)

5-5: Note: Larger version jump for Debian variant.

The Debian-based image is being updated from 22.14.0 to 22.21.1 (versus 22.16.0 → 22.21.1 in Alpine variants). This indicates the Debian Dockerfile was on an older Node version. Verify this delta was intentional and that the Debian variant is tested alongside Alpine variants.

ee/apps/account-service/Dockerfile (1)

1-1: LGTM.

Consistent version bump with security fixes applied. Aligns with patterns across other service Dockerfiles.

Also applies to: 92-92

ee/apps/omnichannel-transcript/Dockerfile (1)

1-1: LGTM.

Consistent version bump applied symmetrically across builder and runtime stages.

Also applies to: 105-105

package.json (1)

48-48: Engine and runtime pin updated correctly.

Both engines.node and volta.node have been synchronized to 22.21.1, ensuring consistent Node version enforcement across npm installs and developer tooling.

Also applies to: 59-59

apps/meteor/.docker-mongo/Dockerfile (1)

1-1: Debian variant version bump consistent.

Aligns with the broader Debian-to-22.21.1 update observed across docker files. Same 22.14.0 → 22.21.1 delta as in Dockerfile.debian.

ee/apps/authorization-service/Dockerfile (1)

1-1: LGTM.

Version bump applied consistently across builder and runtime stages with security hardening.

Also applies to: 89-89

ee/apps/presence-service/Dockerfile (1)

1-1: LGTM.

Consistent version bump with security fixes applied uniformly.

Also applies to: 93-93

ee/apps/stream-hub-service/Dockerfile (2)

1-1: LGTM: Builder stage Node.js version updated correctly.

The builder stage base image has been updated to node:22.21.1-alpine3.21, which aligns with the security advisory requirements. The Alpine version (3.21) is consistent with the runtime stage, and the change is syntactically correct.


90-90: LGTM: Runtime stage Node.js version updated and OpenSSL security patch applied.

The runtime stage FROM instruction has been correctly updated to node:22.21.1-alpine3.21. The subsequent OpenSSL upgrade on lines 99-101 addresses CVE-2025-9230, which is properly documented. This two-stage approach (version bump + explicit OpenSSL patching) provides defense-in-depth for security.

apps/meteor/.docker/Dockerfile.alpine (1)

1-1: LGTM: Node.js version updated; verify Alpine version alignment across repository.

The Node.js version has been correctly updated to 22.21.1. However, note that this file uses alpine3.20, while the stream-hub-service Dockerfile (ee/apps/stream-hub-service/Dockerfile) uses alpine3.21. Both are valid and likely serve intentional purposes, but you may want to verify consistency with any other Dockerfiles or deployment requirements, especially since node:22-alpine3.21 and node:22-alpine3.22 are the currently recommended Alpine tags for Node.js 22. The OpenSSL security patch on lines 21-23 is properly documented for CVE-2025-9230.
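The review above approves the Dockerfiles on the strength of the FROM lines and the explicit OpenSSL upgrade, but the only thing that proves a built image carries the intended runtime is asking the runtime itself. The script below is an added example, not Rocket.Chat code and not part of this PR: run inside a built image (for instance `docker run --rm <image> node guard.js`) it reports the Node.js and bundled OpenSSL versions from `process.versions` and lists any component below a required floor. The floors in REQUIRED are assumptions for illustration (22.21.1 is the version this PR targets; 3.5.2 is the OpenSSL version the review above says Node 22.x bundles), not the fixed versions from any advisory; the version parser handles the `+quic` build suffix some OpenSSL builds report and the legacy 1.x letter patch level.

```javascript
// Added example, not Rocket.Chat code: confirm what a built image actually
// runs. Reports node and bundled OpenSSL versions and lists any component below
// the floor the deployment expects. The floors are assumptions for
// illustration; take the real ones from the advisories the bump addresses.
const REQUIRED = { node: '22.21.1', openssl: '3.5.2' };

// Accepts "22.21.1", "v22.21.1", "3.0.13+quic" (anything after + or - is
// ignored) and the legacy OpenSSL 1.x letter patch level, e.g. "1.1.1w".
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)([a-z])?(?:[+-].*)?$/.exec(String(raw).trim());
  if (!m) throw new TypeError(`unparseable version: ${raw}`);
  const letter = m[4] ? m[4].charCodeAt(0) - 96 : 0; // a=1 ... z=26, none=0
  return [Number(m[1]), Number(m[2]), Number(m[3]), letter];
}

// Negative when a is older than b, zero when equal, positive when newer.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < pa.length; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the list of problems; an empty list means every floor is met.
// A component the runtime does not report at all is a problem too, so a
// stripped or unusual build cannot pass by omission.
function checkRuntime(versions, required = REQUIRED) {
  const problems = [];
  for (const [component, floor] of Object.entries(required)) {
    const actual = versions[component];
    if (actual === undefined) {
      problems.push(`${component}: version not reported by this runtime`);
    } else if (compareVersions(actual, floor) < 0) {
      problems.push(`${component} ${actual} is older than required ${floor}`);
    }
  }
  return problems;
}

const found = checkRuntime(process.versions);
console.log(`node ${process.versions.node}, openssl ${process.versions.openssl}`);
for (const problem of found) console.log(`FAIL: ${problem}`);
// A real container entrypoint would process.exit(1) when `found` is non-empty;
// this example only reports so that it can be run anywhere.
```

Pair this with the tag check discussed below: the source tree can be perfectly consistent and the image still wrong if the tag resolves to an unexpected build, which is exactly what a runtime report catches.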


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
apps/meteor/ee/server/services/Dockerfile (1)

5-6: Critical: apt-get is incompatible with Alpine Linux.

Line 5-6 uses apt-get package manager, but the base image node:22.21.1-alpine3.21 is Alpine Linux, which uses apk instead. This will cause the Docker build to fail. Replace with Alpine-compatible commands.

  RUN apt-get update \
-     && apt-get install -y build-essential git
+     && apk add --no-cache build-base git
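Review bot: the suggested fix is incomplete: it swaps only the `apt-get install` line, while the unchanged `RUN apt-get update \` above it still invokes apt-get, which does not exist on the node:22.21.1-alpine3.21 base, so the build would fail at the same instruction. Replace the whole RUN instruction with `RUN apk add --no-cache build-base git`; `apk add --no-cache` fetches the package index itself, so no separate update step is needed.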
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f6fc6c2 and d287821.

📒 Files selected for processing (1)
  • apps/meteor/ee/server/services/Dockerfile (2 hunks)

@@ -1,4 +1,4 @@
FROM node:22.16.0-alpine3.21 as build
FROM node:22.21.1-alpine3.21 as build
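Review bot: the replacement FROM line in this hunk pins the base image by tag only (node:22.21.1-alpine3.21); for a change whose purpose is to pick up security fixes, add a digest as well (`FROM node:22.21.1-alpine3.21@sha256:<digest> AS build`) so that later rebuilds cannot silently resolve the tag to a different image, and confirm the tag resolves with `docker manifest inspect` before merging, since the review comment that follows this hunk reports it could not be found. The stage keyword is also lowercase `as`; BuildKit warns about mixed-case `FROM ... as` (FromAsCasing), so prefer `AS`.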


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify Node.js image availability and security fixes.

The version bump from 22.16.0 to 22.21.1 is applied consistently across both build and runtime stages. However, confirm that the node:22.21.1-alpine3.21 tag exists and contains the security patches for the referenced CVEs (CVE-2025-27210 and CVE-2025-9230).

Also applies to: 31-31


🌐 Web query:

Does node:22.21.1-alpine3.21 Docker image tag exist and what security updates does it include?

💡 Result:

Short answer: No — I can find a published node:22.21.1-alpine3.22 tag, but not node:22.21.1-alpine3.21. [1][2]

What security fixes are included (for the closest images):

  • Node.js 22.21.1 (the 22.21.1 images) contains the January 21, 2025 Node.js security fixes (worker/diagnostics and dependency fixes including undici updates). See the Node.js security release notes. [3]
  • Alpine 3.21 (the Alpine 3.21 series) includes maintenance/security updates (Alpine 3.21 release notes mention multiple fixes; Alpine also released 3.21.1 with additional fixes). Notably many projects upgraded to 3.21 to address OpenSSL/CVE issues (e.g. CVE-2024-9143 was a motivation to move to 3.21). [4][5]

References

  1. Snyk / image listing for node:22.21.1-alpine3.22 (shows 22.21.1-alpine3.22 exists).
  2. Docker mirror listings showing node:22-alpine3.21 (but no node:22.21.1-alpine3.21 tag found).
  3. Node.js security release (Jan 21, 2025) — details of fixes and dependency updates (undici, CVEs).
  4. Alpine 3.21 release notes.
  5. Alpine 3.21.1 release notes / discussions about moving images to Alpine 3.21 to address OpenSSL CVEs.

If you want, I can (a) confirm again directly against Docker Hub and paste the exact tag list and digests, or (b) show the specific CVE IDs fixed in the Node 22.21.1 and Alpine 3.21 releases. Which would you prefer?


The specified Docker image tag does not exist and will cause build failures.

The node:22.21.1-alpine3.21 tag is not published; only node:22.21.1-alpine3.22 exists. Update both the build stage (line 1) and runtime stage (line 31) to use node:22.21.1-alpine3.22, which is the published image for this Node.js version.

Node.js 22.21.1 includes January 21, 2025 security fixes including worker/diagnostics and dependency updates (undici). However, the Alpine version needs correction for the image to be available.

Also applies to: 31-31

🤖 Prompt for AI Agents
In apps/meteor/ee/server/services/Dockerfile around lines 1 and 31, the base
image tag used (node:22.21.1-alpine3.21) does not exist and will fail builds;
update both the build stage (line 1) and the runtime stage (line 31) to use the
published tag node:22.21.1-alpine3.22 instead, ensuring both FROM lines
reference the same corrected image version.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.changeset/perfect-trees-rescue.md (1)

13-13: Consider enhancing the changelog message with security context.

The changeset message is accurate but minimal. Since the PR objectives explicitly reference two security advisories (CVE-2025-27210 and CVE-2025-9230 for OpenSSL), consider making this context visible in the changelog to help users understand the urgency of this update.

- Bump Node version to 22.21.1
+ Bump Node version to 22.21.1 (fixes CVE-2025-27210, CVE-2025-9230 - OpenSSL)
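Review bot: the proposed changelog line groups both identifiers under a single trailing "OpenSSL", but nothing in this thread establishes that both CVEs belong to OpenSSL, and an earlier review comment could not confirm CVE-2025-9230 in public advisories. Name the affected component per identifier as stated in its upstream advisory, and only after each identifier has been verified, rather than appending an unverified grouping to a changelog users will rely on to judge urgency.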

This gives users and maintainers immediate visibility into why this version bump matters.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d287821 and 33847e3.

📒 Files selected for processing (1)
  • .changeset/perfect-trees-rescue.md (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build
🔇 Additional comments (1)
.changeset/perfect-trees-rescue.md (1)

13-13: ✅ Version number is now correct.

The changeset message has been properly corrected from the previous review: it now accurately states "Bump Node version to 22.21.1" (not 20.21.1), matching the actual version bumped across all workflows, Dockerfiles, and configuration files in this PR.


Labels

None yet

Projects

None yet


3 participants