feat: update nodejs #644

Draft
elaine-mattos wants to merge 22 commits into clearlydefined:master from elaine-mattos:feat/update-nodejs

elaine-mattos commented Jul 17, 2025

Overview

This PR introduces several significant updates and improvements to the project, including:

  • Node.js version upgrades (Dockerfiles, CI, engines)
  • Dependency updates (major and minor, including security and compatibility)

Changes

Node.js Version Upgrades

  • DevDockerfile and Dockerfile: Upgraded from node:18-bullseye to node:24-bullseye
  • test.yml: Node.js version set to 24

Dependency Updates

  • Major dependency upgrades in Azure SDKs, Babel, ESLint, Express, Chai, Winston, and more;
  • Security and compatibility improvements;
  • Removal of deprecated/unsupported versions.
  • ScanCode: updated from 32.1.0 to 32.3.3
  • Reuse: updated from 3.0.1 to 5.0.2
  • cdConfig.js: Introduced baseFileLocation for consistent file path handling; cd_file now has separate location and attachmentLocation properties
  • file.js: Attachments are now stored in a dedicated attachment directory if attachmentLocation is set; File naming for attachments improved (attachment:KEY → attachmentLocation/KEY.json)
  • Removed deprecated winston-azure-application-insights integration.
  • Upgraded winston and refined local logging.

Miscellaneous

  • Added env.json to .gitignore to prevent local config leakage.

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>
- Refactor _detectVersion to robustly parse version using regex and handle missing versions
- Catch and log version detection errors
- Log detected SCANCODE and aggregated handler versions on initialization

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>
- Enhance error and version logging in fsfeReuse and licensee processors
- Improve error reporting for LICENSES directory access and REUSE execution
- Add attachment path support in file store for  keys
- Minor formatting cleanup

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>
…hment paths

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>
@elaine-mattos elaine-mattos marked this pull request as ready for review July 23, 2025 15:34
@elaine-mattos elaine-mattos marked this pull request as draft August 15, 2025 12:35

# REUSE
RUN pip3 install setuptools
RUN pip3 install reuse==3.0.1
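
Review bot: setuptools on the first RUN line is installed without a version while reuse on the next line is pinned with ==, so the image still pulls whatever setuptools release is current at build time. Pin setuptools to a tested version as well, and consider a single RUN for both pip3 install lines so the two packages resolve together in one layer.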
Whenever you update the PR, consider bumping this version as well. REUSE 6.x has quite interesting performance gains and also fixes potential license/copyright detection issues.

@JamieMagee
Contributor

I compared this PR against current master to figure out what's still worth merging. Short version: about half of it landed through other work, but there are real gaps remaining.

What's already done separately: Node 24 is in CI and both Dockerfiles. The winston 3 migration in logger.js is complete, including dropping winston-azure-application-insights.

What's still broken on master that this PR fixes:

  • REUSE is pinned at 3.0.1 in the Dockerfile. This PR bumps it to 5.0.2 — that hasn't happened anywhere else. (ScanCode did get bumped past this PR's target, to 32.5.0, so that part is moot.)
  • Both Dockerfiles still use the legacy ENV PORT 5000 syntax instead of ENV PORT=5000. Docker has been warning about this for a while.
  • The DevDockerfile has a real bug: ENV BUILD_NUMBER=$APP_VERSION on line 8 references APP_VERSION, which isn't defined until line 9. The PR fixes the ordering.
  • scancode.js, licensee.js, and fsfeReuse.js still call logger.log() for failures instead of logger.error() — that means errors don't get surfaced properly in Application Insights.
  • No HTTPS proxy support in fetch.js. The HttpsProxyAgent addition is useful for anyone running behind a corporate proxy.
  • Test fixtures still live under 32.1.0/ even though ScanCode is at 32.5.0 now.

Smaller stuff: .gitignore is missing a .env entry, package.json doesn't declare engines.node, and the configurable npm registry URL is an interesting idea but the PR has debug console.log statements that would need cleanup.

Honestly, given how much master has diverged, rebasing this into one coherent PR would be painful. It'd probably be easier to cherry-pick the remaining fixes into a few focused PRs: one for the Dockerfile fixes (REUSE bump, ENV syntax, DevDockerfile bug), one for the logging improvements, and maybe one for proxy support.
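
The two Dockerfile problems listed in the comment above (the legacy ENV PORT 5000 form, and ENV BUILD_NUMBER=$APP_VERSION appearing before APP_VERSION is defined) can be caught mechanically in CI. The check below is an added example, not code from this PR or from the project; the function name lintDockerfileEnv, the rule names, the inherited-variable list and the sample Dockerfile lines are assumptions made for illustration.

```javascript
// Added example; not code from the pull request.
// Flags legacy "ENV KEY value" syntax and $VAR references that appear
// before the ARG/ENV that defines them within the same build stage.
// `inherited` lists variables assumed to come from the base image.
function lintDockerfileEnv(text, inherited = ['PATH', 'HOME']) {
  const findings = [];
  let defined = new Set(inherited);
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    // Each FROM starts a new stage: earlier ARG/ENV values are out of scope.
    if (/^FROM\s/i.test(line)) { defined = new Set(inherited); return; }
    const m = /^(ARG|ENV)\s+(.+)$/i.exec(line);
    if (!m) return;
    const rest = m[2];
    const firstToken = rest.split(/\s+/)[0];
    const legacy = m[1].toUpperCase() === 'ENV' && !firstToken.includes('=');
    if (legacy) findings.push({ line: i + 1, rule: 'legacy-env-syntax', name: firstToken });
    // References are checked before this line's own names are recorded,
    // because an instruction cannot see variables it defines itself.
    const values = legacy ? rest.slice(firstToken.length) : rest;
    for (const ref of values.matchAll(/(?<!\\)\$\{?([A-Za-z_]\w*)/g)) {
      if (!defined.has(ref[1])) {
        findings.push({ line: i + 1, rule: 'used-before-defined', name: ref[1] });
      }
    }
    if (legacy) { defined.add(firstToken); return; }
    // Simplification: quoted values that contain spaces are not parsed.
    for (const tok of rest.split(/\s+/)) {
      const name = tok.split('=')[0];
      if (/^[A-Za-z_]\w*$/.test(name)) defined.add(name);
    }
  });
  return findings;
}

// Constructed samples (not the project's DevDockerfile): both problems, then the fix.
const BEFORE = ['FROM node:24-bullseye', 'ENV PORT 5000',
  'ENV BUILD_NUMBER=$APP_VERSION', 'ARG APP_VERSION=0.0.0'].join('\n');
const AFTER = ['FROM node:24-bullseye', 'ENV PORT=5000',
  'ARG APP_VERSION=0.0.0', 'ENV BUILD_NUMBER=$APP_VERSION'].join('\n');

console.log(lintDockerfileEnv(BEFORE), lintDockerfileEnv(AFTER));
```

Variables the base image really exports should be passed in the second argument, otherwise legitimate references to them are reported as undefined.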

@elaine-mattos
Author

Hi @JamieMagee,

Sorry, I was really busy with other things at work! I finally got some time to look deeper into clearly defined again and I'll look into it tomorrow!
