Fix ci-tools CVE-2026-31802 and base image vulnerabilities#88
Merged
Conversation
lex57ukr
added
security
npm 11.11.1 bundles tar >=7.5.11 and minimatch >=10.2.4, resolving all four suppressed npm CVEs. The base image digest is updated to pick up linux-libc-dev 6.1.164-1 (fixes 10 kernel CVEs). The .trivyignore entries are no longer needed. Also update the create-github-app-token action pin to match v2. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
lex57ukr
force-pushed
the
86-cve-monitor-fix-ci-tools-vulnerabilities
branch
from
b307aaf to
561be14
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves all fixable CRITICAL/HIGH vulnerabilities flagged by the CVE monitor in the ci-tools image. The npm bump fixes four transitive dependency CVEs (node-tar symlink traversal, minimatch ReDoS), and the base image refresh picks up patched Debian kernel headers that clear the remaining ten HIGH findings.
Related Issues
Fixes #86
Changes
node:25-bookworm-slimbase image digest (linux-libc-dev 6.1.162-1 → 6.1.164-1).trivyignore— all four suppressed CVEs are now resolved upstreamFurther Comments
Resolved CVEs:
make verifyandmake scanboth pass clean locally.