
nodejs/npm update for nodejs-20-minimal #429

Open
slowtick opened this issue Apr 27, 2024 · 5 comments

Comments

@slowtick

Container platform: OCP 4

Version: ubi9/nodejs-20-minimal:1-37.1712566503

OS version of the container image: RHEL 9

Bugzilla, Jira: No response

Description

npm packaged in this image depends on the vulnerable ip package (CVE-2023-42282), and apps built with this base image get flagged by scanners with a critical vulnerability. Though the vulnerable code is never called by npm, we could not convince audit.

npm v10.5.0 / nodejs v20.12.0 includes fixes for this vulnerability.

Are there plans to upgrade the node package to 20.12.x? Or would you recommend that we install node 20.12.x on the ubi9/minimal base image?

Reproducer

  1. Build a nodejs app with ubi9/nodejs-20-minimal:1-37.1712566503
  2. Scan the built image with twistlock/prisma
  3. The scanner reports a critical vulnerability in the built image
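A way to confirm the state of an image independently of the scanner's verdict, as an added example that is not part of the issue or the image maintainers' tooling: a POSIX shell check that compares the node and npm versions reported inside a container against the fixed releases named above (node 20.12.0 / npm 10.5.0) and prints the version of the `ip` package bundled inside npm, which is what scanners match on. The use of podman and the `$(npm root -g)/npm/node_modules/ip` path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the issue: verify an image's node/npm against the
# fixed versions named in the thread (node 20.12.0 / npm 10.5.0) instead of
# relying only on the scanner's verdict.

FIXED_NODE=20.12.0
FIXED_NPM=10.5.0

# ver_ge A B: succeed if dotted version A is greater than or equal to B.
# Uses sort -V so 20.12.0 orders after 20.9.0 (a plain string sort would not).
ver_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# fixed_versions NODE_VERSION NPM_VERSION: print "fixed" when both versions
# are at or above the fixed releases, otherwise "vulnerable". Accepts the
# leading "v" that `node --version` prints.
fixed_versions() {
  node=${1#v}
  npm=$2
  if ver_ge "$node" "$FIXED_NODE" && ver_ge "$npm" "$FIXED_NPM"; then
    echo fixed
  else
    echo vulnerable
  fi
}

# check_image IMAGE: run the version check inside a container of IMAGE.
# Assumes podman is available and the image provides node and npm on PATH.
check_image() {
  versions=$(podman run --rm "$1" sh -c 'node --version; npm --version') || return 1
  # shellcheck disable=SC2086 -- splitting into two fields is intended
  fixed_versions $versions
}

# bundled_ip_version IMAGE: print the version of the `ip` package shipped in
# npm's own node_modules. The path under "$(npm root -g)/npm/node_modules" is
# an assumption about where the image installs npm.
bundled_ip_version() {
  podman run --rm "$1" sh -c \
    'sed -n "s/^ *\"version\": *\"\([^\"]*\)\".*/\1/p" "$(npm root -g)/npm/node_modules/ip/package.json"'
}

# Usage:
#   check_image ubi9/nodejs-20-minimal:1-37.1712566503
#   bundled_ip_version ubi9/nodejs-20-minimal:1-37.1712566503
```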
@zmiklank (Contributor)

Hello @slowtick.
IIUC, it is as you said - the ubi9/nodejs-20-minimal:1-37.1712566503 container image is not vulnerable to CVE-2023-42282, because it does not use the vulnerable part of the code.
However, there is a plan to rebase node to 20.12.x, though it may take a while until the change is propagated to the container image.
Please note that I am not an npm maintainer, so my information can be imprecise.
Maybe @khardix could know more.

@khardix (Contributor)

khardix commented Apr 29, 2024

Rebase to 20.12.x is in the works. I would advise waiting for that (shouldn't be long; can't be more specific).

@slowtick (Author)

Glad to hear 20.12.x is coming; an official package would be best for us. Will wait for it / watch for updates here.

@wanghwh

wanghwh commented May 20, 2024

@khardix, will we update ubi8/nodejs-20 as well? It's reported with 8 vulnerabilities.

@khardix (Contributor)

khardix commented May 20, 2024

Updates to all containers should be on their way.
