Modernizing an older Node.js project

Github introduced Security Alerts by the end of 2017 and it’s CI/CD workflows in 2019.

Today I took some time to review alerts that landed in my inbox. Out of interest and to refresh my Node.js skils. Meanwhile I also the took the jump to set up a Github Workflow for a personal project: Walnoot.

Screenshot of Walnoot in action


Walnoot gives an overview of cryptocurrency portfolio. To do that it consumes the Coinigy API and offers support for a very simple offline wallet too.


With me diving deeper into the Docker ecosystem recently, setting up a Dockerfile was super easy. Using a containerized development environment means I don’t have to worry about specific OS versions, local Node.js versions, and other dependencies.

Future Me can thank me later.

Github Node.js Workflow

I knew I wanted to start simple and chose the Node.js workflow. Github added files to the repo in a .github folder, at the push of a button and I was off to the races.

# nodejs.yml
name: Node CI

on: [push]


    runs-on: ubuntu-latest

        node-version: [12.x]

    - uses: actions/[email protected]
    - name: Use Node.js ${{ matrix.node-version }}
      uses: actions/[email protected]
        node-version: ${{ matrix.node-version }}
    - name: npm install, build, and test
      run: |
        npm ci
        npm run build --if-present
        npm test        
        CI: true

Github Actions


A big difference between my local Docker environment and the one Github provides is the Linux distro. When possible I stick to Alpine. It’s super light weight and just makes me feel good. It’s also convenient that I now have quick access to three environments: MacOS, Ubuntu and Alpine. Yay for portability.


Next I noticed security issues. npm audit marked several issues which I was able to fix with a simple npm audit fix. One of the better experiences was the ability to use npx babel-upgrade.

# npx lets you run babel-upgrade and installs locally
npx babel-upgrade --write --install

The end result is an automated Github workflow and zero security alerts ( at the time of writing ).

Github Security Alerts