Describe the bug
Docker images built from the apps/api, apps/bot, and apps/web Dockerfiles contain vulnerable npm-bundled dependencies, reported by a Trivy container image vulnerability scan (not SAST: Trivy is inspecting the packages inside the built image). The findings are in npm's own internal dependencies under usr/local/lib/node_modules/npm/node_modules/, i.e. the npm that ships with the node:24-alpine base image, not in project dependencies managed by pnpm.
Reproduction Steps
- Build any of the three Docker images from the repo
- Run `trivy image <image-name>`
- See HIGH/MEDIUM CVEs under `usr/local/lib/node_modules/npm/node_modules/`
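To make the triage from the steps above repeatable in CI, the following script (an added example, not part of this issue or the project's code) reads the JSON that `trivy image --format json -o report.json <image-name>` writes and splits each finding into "npm-bundled" (path under usr/local/lib/node_modules/npm/node_modules/) versus "project" packages, then applies the HIGH/MEDIUM gate from the expected behavior. The embedded report is a constructed sample with placeholder vulnerability IDs, not real Trivy output; the `PkgPath` fallback to `Target` is an assumption that covers both older and newer Trivy report layouts.

```python
"""Split a Trivy image scan into npm-bundled vs. project findings and gate on severity."""
import json
import sys
from collections import Counter

# Path Trivy reports for npm's own vendored dependencies inside node:* images.
NPM_BUNDLED_PREFIX = "usr/local/lib/node_modules/npm/node_modules/"
# Severities the issue's "Expected behavior" says must be absent.
GATE_SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM")

# Constructed sample in the shape of `trivy image --format json`.
# Vulnerability IDs are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "usr/local/lib/node_modules/npm/node_modules/example-a/package.json",
            "Class": "lang-pkgs",
            "Type": "node-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "example-a",
                 "Severity": "HIGH",
                 "PkgPath": "usr/local/lib/node_modules/npm/node_modules/example-a/package.json"},
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "example-a",
                 "Severity": "MEDIUM",
                 "PkgPath": "usr/local/lib/node_modules/npm/node_modules/example-a/package.json"},
            ],
        },
        {
            # Older Trivy layout: no PkgPath, only the result Target.
            "Target": "app/node_modules/.pnpm/example-b@1.0.0/node_modules/example-b/package.json",
            "Class": "lang-pkgs",
            "Type": "node-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "example-b", "Severity": "LOW"},
            ],
        },
        {"Target": "node:24-alpine (alpine 3.21)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": None},
    ]
}


def finding_path(result, vuln):
    """Location of the vulnerable package: per-finding PkgPath if present, else the result Target."""
    return (vuln.get("PkgPath") or result.get("Target", "")).lstrip("/")


def triage(report):
    """Return {'npm_bundled': Counter, 'project': Counter} of findings keyed by severity."""
    buckets = {"npm_bundled": Counter(), "project": Counter()}
    for result in report.get("Results", []):
        # Trivy emits null (not []) when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            path = finding_path(result, vuln)
            key = "npm_bundled" if path.startswith(NPM_BUNDLED_PREFIX) else "project"
            buckets[key][vuln.get("Severity", "UNKNOWN")] += 1
    return buckets


def fails_gate(buckets, severities=GATE_SEVERITIES):
    """True if any bucket has a finding at or above the gated severities."""
    return any(counts[sev] for counts in buckets.values() for sev in severities)


def main(argv):
    report = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_REPORT
    buckets = triage(report)
    for origin, counts in buckets.items():
        print(origin, dict(counts))
    return 1 if fails_gate(buckets) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 triage.py report.json` after the Trivy scan; a non-zero exit means the image would fail the HIGH/MEDIUM expectation, and the printed `npm_bundled` bucket shows how much of that comes from the base image's npm rather than from pnpm-managed project dependencies.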
Expected behavior
No HIGH/MEDIUM CVEs in built Docker images.
Screenshots
See GitHub Security → Code scanning alerts.
Environment Details (please complete the following information):
- OS: Linux (CI / Docker)
- Browser: N/A
- App Component: API, Web, Bot — Docker images
- Version: node:24-alpine
Additional context