feat: Bump base images to Node 24.16.0 and slim n8n-base apk layer (no-changelog) (#32217)

.github/WORKFLOWS.md

@@ -365,8 +365,8 @@ Runs on push to `master` or `1.x`:
 ```
 Push to master/1.x
 ├─ build-github (populate cache)
-├─ unit-test (matrix: Node 22.x, 24.15.0, 26.x)
-│   └─ Coverage only on 24.15.0
+├─ unit-test (matrix: Node 22.x, 24.16.0, 26.x)
+│   └─ Coverage only on 24.16.0
 ├─ lint
 └─ notify-on-failure (Slack #alerts-build)
 ```
@@ -406,7 +406,7 @@ Composite actions in `.github/actions/`:
 
 ```yaml
 inputs:
-  node-version:        # default: '24.15.0'
+  node-version:        # default: '24.16.0'
   enable-docker-cache: # default: 'false' (Blacksmith Buildx)
   build-command:       # default: 'pnpm build'
 ```

.github/actions/setup-nodejs/action.yml

@@ -7,9 +7,9 @@ description: 'Configures Node.js with pnpm, installs Aikido SafeChain for supply
 
 inputs:
   node-version:
-    description: 'Node.js version to use. Pinned to 24.15.0 by default for reproducible builds.'
+    description: 'Node.js version to use. Pinned to 24.16.0 by default for reproducible builds.'
     required: false
-    default: '24.15.0'
+    default: '24.16.0'
   enable-docker-cache:
     description: 'Whether to set up Blacksmith Buildx for Docker layer caching (Blacksmith runners only).'
     required: false

.github/workflows/build-base-image.yml

@@ -29,7 +29,7 @@ jobs:
         # While we're on alpine 3.22 awaiting NODE-4184 (graphicsmagick → sharp
         # migration that unblocks 3.23), Node 26 base builds can't succeed.
         # Restore '26' to this matrix once 3.23 is back.
-        node_version: ['22', '24.15.0']
+        node_version: ['22', '24.16.0']
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 

.github/workflows/ci-master.yml

@@ -30,11 +30,11 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [22.22.3, 24.15.0]
+        node-version: [22.22.3, 24.16.0]
     with:
       ref: ${{ github.sha }}
       nodeVersion: ${{ matrix.node-version }}
-      collectCoverage: ${{ matrix.node-version == '24.15.0' }}
+      collectCoverage: ${{ matrix.node-version == '24.16.0' }}
     secrets: inherit
 
   lint:

.github/workflows/docker-build-push.yml

@@ -7,7 +7,7 @@ name: 'Docker: Build and Push'
 
 env:
   NODE_OPTIONS: '--max-old-space-size=7168'
-  NODE_VERSION: '24.15.0'
+  NODE_VERSION: '24.16.0'
 
 on:
   schedule:

.github/workflows/release-push-to-channel.yml

@@ -75,7 +75,7 @@ jobs:
     steps:
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: 24.15.0
+          node-version: 24.16.0
 
       # Remove after https://github.com/npm/cli/issues/8547 gets resolved
       - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc

.github/workflows/test-linting-reusable.yml

@@ -12,7 +12,7 @@ on:
         description: Version of node to use.
         required: false
         type: string
-        default: 24.15.0
+        default: 24.16.0
 
 env:
   NODE_OPTIONS: --max-old-space-size=7168

.github/workflows/test-unit-reusable.yml

@@ -12,7 +12,7 @@ on:
         description: Version of node to use.
         required: false
         type: string
-        default: 24.15.0
+        default: 24.16.0
       collectCoverage:
         required: false
         default: false

.github/workflows/test-workflow-scripts-reusable.yml

@@ -12,7 +12,7 @@ on:
         description: Version of node to use.
         required: false
         type: string
-        default: 24.15.0
+        default: 24.16.0
 
 env:
   NODE_OPTIONS: --max-old-space-size=7168

docker/images/engine/Dockerfile

@@ -1,4 +1,4 @@
-ARG NODE_VERSION=24.15.0
+ARG NODE_VERSION=24.16.0
 
 FROM node:${NODE_VERSION}-alpine3.22
 

docker/images/n8n-base/Dockerfile

@@ -1,8 +1,9 @@
-ARG NODE_VERSION=24.15.0
+ARG NODE_VERSION=24.16.0
 
 # Pinned to multi-arch index digest (linux/amd64 + linux/arm64) for reproducible builds.
 # Bump the digest together with the tag when updating the base image.
-FROM dhi.io/node:24.15.0-alpine3.22-dev@sha256:a7eead704e9bd2d7a4c1b52cf595848f180365eba7c15a185ce1c3a690c1a19d
+# Digest pins to dhi.io/node:24.16.0-alpine3.22-dev (Node 24.16.0, Alpine 3.22, DHI dev variant).
+FROM dhi.io/node:24.16.0-alpine3.22-dev@sha256:67906dda1e458153488aecb9a7a5a926cb03cf1e8890eb8602a86a78162b2556
 
 ARG NODE_VERSION
 
@@ -14,13 +15,13 @@ RUN apk add --no-cache busybox-binsh && \
     fc-cache -f && \
     apk del .build-deps-fonts && \
     find /usr/share/fonts/truetype/msttcorefonts/ -type l -exec unlink {} \; && \
-    # Install OS dependencies
-    apk update && \
-    apk upgrade --no-cache && \
+    # Install OS dependencies. No blanket `apk upgrade` — it floats the whole
+    # world off the Alpine repos at build time and defeats the pinned base;
+    # patched bytes come from bumping the pinned DHI digest instead. git and
+    # openssl omitted: the base already provides git and the libssl3/libcrypto3
+    # libs Node uses (the openssl CLI binary isn't needed at runtime).
     apk add --no-cache \
-        git \
         openssh \
-        openssl \
         graphicsmagick=1.3.45-r0 `# pinned to avoid ghostscript-fonts (GPL-2.0); see SEC-398 + NODE-4184` \
         tini \
         tzdata \

docker/images/n8n/Dockerfile

@@ -1,10 +1,11 @@
-ARG NODE_VERSION=24.15.0
+ARG NODE_VERSION=24.16.0
 ARG N8N_VERSION=snapshot
 
 # Builder stage exists because the runtime base image has no toolchain.
 # Pinned to multi-arch index digest (linux/amd64 + linux/arm64) for reproducible builds.
 # Bump the digest together with the tag when updating the base image.
-FROM node:24.15.0-alpine3.22@sha256:b689d4005875ae167178471a7a622ec2909459a3bbb32277260be1971af7a99f AS builder
+# Digest pins to node:24.16.0-alpine3.22 (Node 24.16.0, Alpine 3.22).
+FROM node:24.16.0-alpine3.22@sha256:191c9f0080fcbbc6547a85dc0ff7988072214a355aabdc1d2ec55a7dae5eea8a AS builder
 COPY ./compiled /usr/local/lib/node_modules/n8n
 RUN apk add --no-cache python3 make g++ && \
     cd /usr/local/lib/node_modules/n8n && \
@@ -24,7 +25,8 @@ RUN apk add --no-cache python3 make g++ && \
 # base change, so a base rebuild does not reach this image until the digest is
 # manually re-pinned here. Bump the digest together with the tag whenever the base
 # image is intentionally updated.
-FROM n8nio/base:24.15.0@sha256:dade45d8a974e72bccbf57c13bc684b5dbb2f73e0ca7c837739e439de7b91aa9
+# Digest pins to n8nio/base:24.16.0 (Node 24.16.0, Alpine 3.22).
+FROM n8nio/base:24.16.0@sha256:a1aa4005e4faebd6da3ba51ec28180a3fb421243d921fa0efbba2d21395012f0
 
 ARG N8N_VERSION
 ARG N8N_RELEASE_TYPE=dev

docker/images/runners/Dockerfile

@@ -1,4 +1,4 @@
-ARG NODE_VERSION=24.15.0
+ARG NODE_VERSION=24.16.0
 ARG PYTHON_VERSION=3.13
 
 # ==============================================================================

docker/images/runners/Dockerfile.distroless

@@ -12,7 +12,7 @@
 # - Uses distroless nonroot user (UID 65532)
 # ==============================================================================
 
-ARG NODE_VERSION=24.15.0
+ARG NODE_VERSION=24.16.0
 ARG PYTHON_VERSION=3.13
 
 

packages/@n8n/benchmark/Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM node:24.15.0 AS base
+FROM node:24.16.0 AS base
 
 # Install required dependencies
 RUN apt-get update && apt-get install -y gnupg2 curl

scripts/dockerize-n8n.mjs

@@ -142,7 +142,7 @@ const rootDir = isInScriptsDir ? path.join(__dirname, '..') : __dirname;
 
 const noCache = process.env.DOCKER_BUILD_NO_CACHE === 'true';
 const withBaseImage = process.env.DOCKER_BUILD_BASE_IMAGE === 'true';
-const nodeVersion = process.env.NODE_VERSION || '24.15.0';
+const nodeVersion = process.env.NODE_VERSION || '24.16.0';
 
 const config = {
 	base: {