Vulnerability patch in hub

[github-actions]

A rebuild of jupyterhub/k8s-hub has been found to influence the detected vulnerabilities! This PR will trigger a rebuild because it has updated a comment in the Dockerfile.

About

This scan for known vulnerabilities has been made by aquasecurity/trivy. Trivy was configured to filter the vulnerabilities with the following settings:

• ignore-unfixed: true

Before

Before trying to rebuild the image, the following vulnerabilities was detected in jupyterhub/k8s-hub:1.0.1.

Target	Vuln. ID	Package Name	Installed v.	Fixed v.
ubuntu	CVE-2021-3580	libhogweed5	3.5.1+really3.5.1-2ubuntu0.1	3.5.1+really3.5.1-2ubuntu0.2
ubuntu	CVE-2021-3580	libnettle7	3.5.1+really3.5.1-2ubuntu0.1	3.5.1+really3.5.1-2ubuntu0.2

After

Target	Vuln. ID	Package Name	Installed v.	Fixed v.
ubuntu	CVE-2021-3520	liblz4-1	1.9.2-2	1.9.2-2ubuntu0.20.04.1
ubuntu	CVE-2021-3580	libhogweed5	3.5.1+really3.5.1-2ubuntu0.1	3.5.1+really3.5.1-2ubuntu0.2
ubuntu	CVE-2021-3580	libnettle7	3.5.1+really3.5.1-2ubuntu0.1	3.5.1+really3.5.1-2ubuntu0.2

[consideRatio]

I'm so confused about this. Why does it find there to be a difference?

[yuvipanda]

I see a force push - maybe whatever had to be upgraded was upgraded in a separate PR somehow?

[consideRatio]

I'm generally clueless. The force push happens when it re-checks even though it is the same changes etc as it was before I think. I'm quite confused about the PR creation action. Besides the PR creation action, I think it is veeeery weird that the first scan on the existing image finds one less vulnerability than on the freshly built image - i have no explanation for that and I have seen it also directly after 1.0.1 was published and there were a fresh latest version etc.

[consideRatio]

Closing this PR as merging #2304 made the vulnerabilities be patched.