@hasna/uptime 0.1.14 → 0.1.16

package/CHANGELOG.md

@@ -6,6 +6,24 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.1.16] - 2026-06-28
+
+### Changed
+
+- Changed the packaged production Dockerfile to install Bun in an ECR Public
+  Node Alpine build stage, then copy only Bun, app files, and production
+  dependencies into an ECR Public Alpine runtime with CA certificates. This
+  reduces inherited OS vulnerability findings before live AWS scale-up.
+
+## [0.1.15] - 2026-06-28
+
+### Changed
+
+- Changed the packaged production Dockerfile to use Docker Official
+  `node:22-slim` from Amazon ECR Public and install Bun inside the image. This
+  avoids Docker Hub unauthenticated pull-rate limits during AWS CodeBuild image
+  builds.
+
 ## [0.1.14] - 2026-06-28
 
 ### Added

package/Dockerfile.package

@@ -1,17 +1,26 @@
 # syntax=docker/dockerfile:1
 
-FROM oven/bun:1.3.13-slim AS runtime
+FROM public.ecr.aws/docker/library/node:22-alpine AS bun
+
+RUN npm install -g bun@1.3.13
+
+FROM public.ecr.aws/docker/library/alpine:3.22 AS runtime
 ENV NODE_ENV=production \
     HASNA_UPTIME_MODE=hosted
 WORKDIR /app
 
-RUN addgroup --system --gid 10001 uptime \
-  && adduser --system --uid 10001 --ingroup uptime uptime
+RUN apk add --no-cache ca-certificates \
+  && addgroup -g 10001 -S uptime \
+  && adduser -S -D -H -u 10001 -G uptime uptime
+
+COPY --from=bun /usr/local/bin/bun /usr/local/bin/bun
+COPY --from=bun /usr/local/lib/node_modules/bun /usr/local/lib/node_modules/bun
 
 COPY package.json ./package.json
 COPY dist ./dist
 
-RUN bun install --production
+RUN bun install --production \
+  && chown -R uptime:uptime /app
 
 USER uptime
 EXPOSE 3899

package/dist/cli/index.js

@@ -6932,7 +6932,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.14");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.16");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;

package/dist/cloud-plan.js

@@ -21,7 +21,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.14");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.16");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;

package/dist/index.js

@@ -4338,7 +4338,7 @@ function buildAwsDeploymentPlan(options = {}) {
   const image = clean(options.image, `${imageRepositoryUri}@sha256:<image-digest>`);
   const evidenceBucket = clean(options.evidenceBucket, `hasna-${stage}-${prefix}-evidence`);
   const hostedSqliteDbPath = clean(options.hostedSqliteDbPath, DEFAULT_HOSTED_SQLITE_DB);
-  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.14");
+  const runtimePackageVersion = clean(options.runtimePackageVersion, "0.1.16");
   const protectedAccessMode = options.protectedAccessMode ?? DEFAULT_PROTECTED_ACCESS_MODE;
   const protectedAccessUrl = protectedAccessMode === "cloudfront_default_domain" ? "https://<cloudfront-domain>" : `https://${hostname}`;
   const cluster = `${prefix}-${stage}`;

package/infra/aws/terraform.tfvars.example

@@ -16,7 +16,7 @@ alb_ingress_cidr_blocks = []
 private_subnet_ids       = ["subnet-replace-private-a", "subnet-replace-private-b"]
 private_route_table_ids  = ["rtb-replace-private"]
 container_image          = "123456789012.dkr.ecr.us-east-1.amazonaws.com/open-uptime@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-runtime_package_version  = "0.1.14"
+runtime_package_version  = "0.1.16"
 certificate_arn          = null
 hosted_zone_id           = null
 app_env_secret_arn       = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/app/env"

package/infra/aws/variables.tf

@@ -116,7 +116,7 @@ variable "container_image" {
 variable "runtime_package_version" {
   description = "Published @hasna/uptime package version that CodeBuild should build into the ECR image."
   type        = string
-  default     = "0.1.14"
+  default     = "0.1.16"
 
   validation {
     condition     = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+(-[0-9A-Za-z.-]+)?$", var.runtime_package_version))

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/uptime",
-  "version": "0.1.14",
+  "version": "0.1.16",
   "description": "Local-first uptime and downtime monitoring service with CLI, MCP, SDK, SQLite persistence, and a dashboard.",
   "license": "Apache-2.0",
   "type": "module",