There is no change in functionality. It will include some security fixes.
Most of these are unrelated to running the Jpsonic server. However, at Jpsonic, we believe it is very important to keep platform caveats to a minimum. Too many warnings can hide a really big problem 🙄
🐥 Maintenance
Fix not to install curl on Alpine
Alpine's Jpsonic image had curl installed. It is no longer installed, as it was only used during testing. (Testing has been changed to use "curl on GitHub".)
CVE-2024-0853
Basically, our policy is to eliminate unnecessary modules.
CVE warning counts are transitive. However, at the time this patch is released, the analysis results for the entire Docker image will be as follows.
Jpsonic - Alpine
Jpsonic - Ubuntu (Jammy)
What's the last CVE warning?
The last CVE warning is CVE-2024-25062. This has already been resolved in the upstream Alpine.
In other words, there is a problem with Jpsonic's layer. You can use the following command to find out where the problem occurs.
docker exec jpsonic apk info -r libxml2
If ffmpeg is updated in the near future, this may be resolved. False positive? 🙄 (I do not consider this warning to be serious.)
A few days later, security checks on Docker no longer display warnings regarding CVE-2024-25062. It seems like it was a false positive after all.