Open
Description
Container platform
OCP 4
Version
ubi9/nodejs-20-minimal:1-37.1712566503
OS version of the container image
RHEL 9
Bugzilla, Jira
No response
Description
npm packaged in this image depends on vulnerable ip package - CVE-2023-42282 and apps built with this base image gets flagged out in scanners with critical vulnerability. Though the vulnerable code is never called by npm, we could not convince audit.
npm v10.5.0 / nodejs v20.12.0 includes fixes for this vulnerability.
Are there plans to upgrade node package to 20.12.x? Or would you recommend us install node 20.12.x on ubi9/minimal base image?
Reproducer
- Build a nodejs app with ubi9/nodejs-20-minimal:1-37.1712566503
- Scan the built image with twistlock/prisma
- Reports critical vulnerability in the built image
Metadata
Metadata
Assignees
Labels
No labels