Node-red image has security vulnerabilities

[OlgasAcc]

Hello,
We pull the Node-red image in our project, the Aqua security scan has reported a few vulnerabilities which could be release blocker for us:

[CVE-2024-32465] [git] [2.43.0-r0]
https://nvd.nist.gov/vuln/detail/CVE-2024-32465
Fix Version : 2.43.4-r0

[CVE-2024-32004] [git] [2.43.0-r0]
https://nvd.nist.gov/vuln/detail/CVE-2024-32004
Fix Version : 2.43.4-r0

[CVE-2024-32002] [git] [2.43.0-r0]
https://nvd.nist.gov/vuln/detail/CVE-2024-32002
Fix Version : 2.43.4-r0

The Node-red version we use - v3.1.9-18-minimal

Could you please upgrade this dependency version?

Thanks

[hardillb]

They come from the alpine base container, not something we have any influence over.

[hardillb]

I've kicked off a respin of the 3.1.9 containers, they will pick up the latest NodeJS Alpine base contianers.

[OlgasAcc]

@hardillb thanks for the response.
We're using v3.1.9-18-minimal where "18" probably means Node version 18, right?
But what exact version of Node do you use as a base for Node-red? I mean maybe it's possible to use this one - https://github.com/nodejs/docker-node/tree/main/18/alpine3.19 (Node 18 + alpine v3.19)?
This latest stable Alpine version solved all security tickets in our images.

[hardillb]

The builds have been respun

[OlgasAcc]

The builds have been respun

could this affect the node-red-dashboard dependency?

[hardillb]

Unlikely, that looks like a problem with permissions on a volume mounted on /data

[OlgasAcc]

@hardillb probably some temp issue, works well now. Thanks a lot!