fix(backend): pin Node to 22.22 to avoid node-fetch premature-close regression#649

Merged
akila-i merged 2 commits into
openchoreo:mainfrom
kaviththiranga:fix/permission-node-fetch-compression
Jun 22, 2026
Conversation

@kaviththiranga

@kaviththiranga kaviththiranga commented Jun 22, 2026

Contributor

With authz enabled the portal showed "Failed to load platform details" and broken catalog views: the catalog's internal call to the permission backend (node-fetch@2 via cross-fetch -> /api/permission/authorize) failed with ERR_STREAM_PREMATURE_CLOSE, surfacing as a 500 on /api/catalog/entities/by-refs.

Root cause is the Node 22.23.0 / 24.17.0 security fix for CVE-2026-48931 ("response queue poisoning in http.Agent"), which changed keep-alive socket-reuse behaviour and exposes a latent node-fetch@2 bug (its malformed-chunked-response detector throws false-positive premature-close on reused pooled sockets). The base image node:22-bookworm-slim floated to 22.23.0, which is why this appeared in newly built images. Pin to 22.22 (last release before the regression) until the Node 22.x patch with nodejs/node#64004 ships.

Also drop the duplicated helmet/cors/compression from the root router configure block — applyDefaults() already applies them, so they ran twice; keep only the IDP token middleware before applyDefaults().

Summary by CodeRabbit

  • Chores
    • Updated Node.js base image version in deployment configuration to improve stability and security.
    • Streamlined HTTP request middleware initialization process.

…egression

With authz enabled the portal showed "Failed to load platform details"
and broken catalog views: the catalog's internal call to the permission
backend (node-fetch@2 via cross-fetch -> /api/permission/authorize)
failed with ERR_STREAM_PREMATURE_CLOSE, surfacing as a 500 on
/api/catalog/entities/by-refs.

Root cause is the Node 22.23.0 / 24.17.0 security fix for CVE-2026-48931
("response queue poisoning in http.Agent"), which changed keep-alive
socket-reuse behaviour and exposes a latent node-fetch@2 bug (its
malformed-chunked-response detector throws false-positive premature-close
on reused pooled sockets). The base image node:22-bookworm-slim floated
to 22.23.0, which is why this appeared in newly built images. Pin to
22.22 (last release before the regression) until the Node 22.x patch
with nodejs/node#64004 ships.

  - backstage/backstage#34651
  - nodejs/node#63989
  - nodejs/node#64004

Also drop the duplicated helmet/cors/compression from the root router
configure block — applyDefaults() already applies them, so they ran
twice; keep only the IDP token middleware before applyDefaults().

Signed-off-by: Kavith Lokuhewage <kaviththiranga@gmail.com>
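The failure described above was triggered not by a code change but by a floating base-image tag: node:22-bookworm-slim silently resolved to 22.23.0 on rebuild. The following is an added example, not code from this PR, from OpenChoreo or from Backstage: a small Node.js (standard library only) lint that classifies every Dockerfile FROM line by how tightly its tag is pinned (digest, patch, minor, major, or fully floating), plus a runtime guard that checks the Node actually running (the shape of process.version, e.g. "v22.22.1") against the Dockerfile pin. The Dockerfile text is a constructed sample that only mirrors the multi-stage shape the review walkthrough describes; the digest in it is a placeholder.

```javascript
// Added example (not the PR's code): lint Dockerfile FROM lines for floating
// base-image tags and check a running Node version against the pinned tag.
// Node.js standard library only; everything below is constructed sample data.

// FROM [--platform=...] <image ref> [AS <stage>]
const FROM_RE = /^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+\S+)?\s*$/i;
const STAGE_ALIAS_RE = /\sAS\s+(\S+)\s*$/i;

// Split "registry:5000/node:22.22-bookworm-slim@sha256:..." into parts.
// A ':' after the last '/' separates the tag; one before it is a registry port.
function parseImageRef(ref) {
  let digest = null;
  let rest = ref;
  const at = ref.indexOf('@');
  if (at !== -1) {
    digest = ref.slice(at + 1);
    rest = ref.slice(0, at);
  }
  const slash = rest.lastIndexOf('/');
  const colon = rest.lastIndexOf(':');
  let name = rest;
  let tag = null;
  if (colon > slash) {
    name = rest.slice(0, colon);
    tag = rest.slice(colon + 1);
  }
  return { name, tag, digest };
}

// How tightly does the reference pin the image?
//   'digest'   -> @sha256:... present (immutable)
//   'patch'    -> 22.22.1[-suffix]
//   'minor'    -> 22.22[-suffix]   (the level this PR pins to)
//   'major'    -> 22[-suffix]      (floats across minor releases, as 22-bookworm-slim did)
//   'floating' -> no tag, "latest", or a non-numeric tag such as "lts"
function classifyPin({ tag, digest }) {
  if (digest) return 'digest';
  if (!tag || tag === 'latest') return 'floating';
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-.*)?$/.exec(tag);
  if (!m) return 'floating';
  if (m[3] !== undefined) return 'patch';
  if (m[2] !== undefined) return 'minor';
  return 'major';
}

// Lint every FROM line. References to earlier stages (FROM deps AS build) are skipped.
function lintDockerfile(text) {
  const stageAliases = new Set();
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const m = FROM_RE.exec(line);
    if (!m) return;
    const ref = m[1];
    const alias = STAGE_ALIAS_RE.exec(line);
    if (alias) stageAliases.add(alias[1]);
    if (stageAliases.has(ref)) return;
    const pin = classifyPin(parseImageRef(ref));
    // Policy assumed here: minor, patch or digest pins pass; major/floating fail.
    const ok = pin === 'digest' || pin === 'patch' || pin === 'minor';
    findings.push({ line: i + 1, ref, pin, ok });
  });
  return findings;
}

// Runtime guard: does the Node we are running on match the Dockerfile pin?
// nodeVersionMatchesPin('v22.22.1', '22.22-bookworm-slim') -> true
// nodeVersionMatchesPin('v22.23.0', '22.22-bookworm-slim') -> false
function nodeVersionMatchesPin(version, tag) {
  const want = /^v?(\d+(?:\.\d+)*)/.exec(tag);
  const have = /^v?(\d+(?:\.\d+)*)/.exec(version);
  if (!want || !have) return false;
  const w = want[1].split('.');
  const h = have[1].split('.');
  return w.every((part, i) => h[i] === part);
}

// Constructed sample Dockerfile; the sha256 value is a placeholder, not a real digest.
const SAMPLE_DOCKERFILE = `
# Stage 1: dependencies on a floating major tag (the pre-fix situation)
FROM node:22-bookworm-slim AS deps
RUN corepack enable
# Stage 2: build, referring back to stage 1
FROM deps AS build
RUN yarn build
# Stage 3: runtime pinned to the 22.22 line, as this PR does
FROM node:22.22-bookworm-slim
COPY --from=build /app /app
# A digest-pinned alternative for comparison
FROM node:22.22-bookworm-slim@sha256:${'f'.repeat(64)}
`;

for (const f of lintDockerfile(SAMPLE_DOCKERFILE)) {
  console.log(`line ${f.line}: ${f.ref} -> ${f.pin} ${f.ok ? 'ok' : 'FLOATING'}`);
}
console.log('running Node matches 22.22 pin:', nodeVersionMatchesPin(process.version, '22.22-bookworm-slim'));
```

Minor-level pinning as done in this PR is a trade-off: it holds the image at 22.22.x long enough to avoid the regression, but still floats across 22.22 patch releases; a digest pin (with an automated bump) is the only form that is fully reproducible.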
@coderabbitai

coderabbitai Bot commented Jun 22, 2026


📥 Commits

Reviewing files that changed from the base of the PR and between 63fa34d and a975ec5.

📒 Files selected for processing (1)
  • .changeset/pin-node-22-22.md
Walkthrough

The backend Dockerfile pins the Node runtime base image from node:22-bookworm-slim to node:22.22-bookworm-slim across all stages with explanatory comments. The root HTTP router configure callback in index.ts removes manual helmet/cors/compression middleware application, delegating to applyDefaults() instead.

Changes

Backend infrastructure and middleware

  • Node base image pin to 22.22 (packages/backend/Dockerfile): Stage 1 gains a comment noting the 22.22 pin; Stage 3 changes the runtime base image from node:22-bookworm-slim to node:22.22-bookworm-slim with detailed comments explaining the CVE-related reason for the temporary pin. Stage 2's FROM line is re-emitted without change.
  • HTTP router middleware delegated to applyDefaults() (packages/backend/src/index.ts): The configure callback drops the middleware parameter and removes manual helmet/cors/compression calls, delegating that stack to applyDefaults(). IDP token header middleware remains registered before applyDefaults() to wrap all route handlers.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 A version pinned, 22.22,
No floating tags to cause a scare!
Defaults now handle cors and helm,
The IDP still steers at the realm.
Cleaner code, a tidier den —
Hop along, all is well again! 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check (⚠️ Warning): The PR description provides clear context on the problem, root cause analysis, and solution but does not follow the repository's required template structure with sections like Purpose, Goals, Approach, Release notes, and other required fields. Resolution: restructure the description to match the required template, organizing information into Purpose, Goals, Approach, Release note, Documentation, and other applicable sections.

✅ Passed checks (4 passed)

  • Title check (✅ Passed): The title accurately summarizes the primary change: pinning Node to version 22.22 to resolve a node-fetch regression, which is the main focus of the code changes in the Dockerfile.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.

@github-actions

github-actions Bot commented Jun 22, 2026


Changeset detected — the following file(s) will be released with this PR:

.changeset/pin-node-22-22.md

@kaviththiranga

Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Signed-off-by: Kavith Lokuhewage <kaviththiranga@gmail.com>
@codecov

codecov Bot commented Jun 22, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

@akila-i akila-i merged commit ef85b98 into openchoreo:main Jun 22, 2026
9 checks passed