DEFRA · johnwatson484 · Mar 30, 2026 · Mar 27, 2026 · Mar 30, 2026 · Mar 30, 2026
diff --git a/.github/workflows/build-scan-push.yml b/.github/workflows/build-scan-push.yml
@@ -103,7 +103,7 @@ jobs:
       - name: Run Aqua Trivy scan
         id: trivy-scan
         if: ${{ matrix.target == 'production' }}
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           input: image-${{ matrix.image.nodeVersion }}.tar
           scan-type: image

diff --git a/.github/workflows/nightly-scan.yml b/.github/workflows/nightly-scan.yml
@@ -40,7 +40,7 @@ jobs:
 
       - name: Run Aqua Trivy scan
         id: trivy-scan
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           image-ref: defradigital/${{env.IMAGE_NAME}}:${{env.DEFRA_VERSION}}-node${{matrix.image.nodeVersion}}
           format: sarif

diff --git a/.grype.yaml b/.grype.yaml
@@ -35,3 +35,9 @@ ignore:
     reason: "Node 24: tar patched but not yet available in Node.js base images"
   - vulnerability: CVE-2026-2673
     reason: "Alpine libcrypto: No fix available"
+  - vulnerability: GHSA-c2c7-rcm5-vvqj
+    reason: "Node 22: picomatch patched but not yet available in Node.js base images"
+  - vulnerability: GHSA-f886-m6hf-6m8v
+    reason: "Node 20: brace-expansion patched but not yet available in Node.js base images"
+  - vulnerability: GHSA-3v7f-55p6-f55p
+    reason: "Node 22: picomatch patched but not yet available in Node.js base images"
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # Set default values for build arguments
-ARG DEFRA_VERSION=3.0.4
-ARG BASE_VERSION=24.14.0-alpine3.23
+ARG DEFRA_VERSION=3.0.5
+ARG BASE_VERSION=24.14.1-alpine3.23
 
 FROM node:$BASE_VERSION AS production
 

diff --git a/JOB.env b/JOB.env
@@ -1,2 +1,2 @@
-DEFRA_VERSION=3.0.4
+DEFRA_VERSION=3.0.5
 IMAGE_NAME=node
diff --git a/README.md b/README.md
@@ -14,9 +14,9 @@ The following table lists the versions of node available, and the parent Node.js
 
 | Node version  | Parent image       |
 | ------------- | -----------------  |
-| 20.20.1       | 20.20.1-alpine3.23 |
-| 22.22.1       | 22.22.1-alpine3.23 |
-| 24.14.0       | 24.14.0-alpine3.23 |
+| 20.20.2       | 20.20.2-alpine3.23 |
+| 22.22.2       | 22.22.2-alpine3.23 |
+| 24.14.1       | 24.14.1-alpine3.23 |
 
 Two parent images are created for each version:
 

diff --git a/image-matrix.json b/image-matrix.json
@@ -1,5 +1,5 @@
  [
-    {"nodeVersion": "20.20.1", "alpineVersion": "3.23", "tags": ["latest-20"]},
-    {"nodeVersion": "22.22.1", "alpineVersion": "3.23", "tags": ["latest-22"]},
-    {"nodeVersion": "24.14.0", "alpineVersion": "3.23", "tags": ["latest-24", "latest"]}
+    {"nodeVersion": "20.20.2", "alpineVersion": "3.23", "tags": ["latest-20"]},
+    {"nodeVersion": "22.22.2", "alpineVersion": "3.23", "tags": ["latest-22"]},
+    {"nodeVersion": "24.14.1", "alpineVersion": "3.23", "tags": ["latest-24", "latest"]}
 ]