
nodejs/npm update for nodejs-20-minimal #429

Open
@slowtick

Container platform

OCP 4

Version

ubi9/nodejs-20-minimal:1-37.1712566503

OS version of the container image

RHEL 9

Bugzilla, Jira

No response

Description

npm packaged in this image depends on the vulnerable ip package (CVE-2023-42282), and apps built with this base image get flagged by scanners with a critical vulnerability. Though the vulnerable code is never called by npm, we could not convince the auditors.

npm v10.5.0 / nodejs v20.12.0 include fixes for this vulnerability.

Are there plans to upgrade the node package to 20.12.x? Or would you recommend that we install node 20.12.x on the ubi9/minimal base image?

Reproducer

  1. Build a nodejs app with ubi9/nodejs-20-minimal:1-37.1712566503
  2. Scan the built image with Twistlock/Prisma
  3. The scan reports a critical vulnerability in the built image
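As an added example (not part of the issue report, and not code from the ubi9 image or from npm): a small POSIX shell script that walks an npm installation, finds every bundled copy of the `ip` package, and reports whether each one is below the patched release, so the scanner finding can be confirmed from the image itself. It assumes that the patched `ip` releases for CVE-2023-42282 are 1.1.9 (1.x line) and 2.0.1 (2.x line), and that inside the image npm's own dependencies live under the global `npm root -g` directory (e.g. /usr/lib/node_modules/npm); both are assumptions, not facts stated in the issue. The sample directory tree used below is constructed, not taken from the image.

```shell
#!/bin/sh
# Added example: locate every copy of the `ip` package bundled inside an npm
# installation and flag any copy below the patched version.
# Assumptions (not from the issue): the patched ip releases for CVE-2023-42282
# are 1.1.9 and 2.0.1; inside ubi9/nodejs-20-minimal, npm's own node_modules sit
# under "$(npm root -g)/npm", e.g. /usr/lib/node_modules/npm.

# Print the "version" field of a package.json. A sed match is used on purpose:
# a minimal image has neither jq nor python.
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed when $1 >= $2 under natural (GNU sort -V) version ordering.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Classify an ip version against the assumed patched releases.
# Prints "fixed" or "vulnerable"; an empty/unparsable version is treated as vulnerable.
ip_status() {
  case "$1" in
    1.*) version_ge "$1" 1.1.9 && echo fixed || echo vulnerable ;;
    *)   version_ge "$1" 2.0.1 && echo fixed || echo vulnerable ;;
  esac
}

# Walk an npm install root and report every bundled ip package, nested copies
# included (npm pulls ip in transitively, so there may be more than one).
# Output: one line per copy, "<package.json path> <version> <status>".
# Returns 1 if any copy is vulnerable, 0 otherwise. Paths with spaces are not
# expected under node_modules, so plain word splitting of find output is fine here.
scan_npm_root() {
  rc=0
  for pj in $(find "$1" -path '*/node_modules/ip/package.json' 2>/dev/null); do
    v=$(pkg_version "$pj")
    s=$(ip_status "$v")
    echo "$pj $v $s"
    [ "$s" = vulnerable ] && rc=1
  done
  return $rc
}

# Constructed sample tree (stands in for the image's npm directory):
# a top-level ip@2.0.0 and a nested ip@2.0.1 under a dependency.
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  mkdir -p "$demo/npm/node_modules/ip" "$demo/npm/node_modules/dep/node_modules/ip"
  printf '{\n  "name": "ip",\n  "version": "2.0.0"\n}\n' > "$demo/npm/node_modules/ip/package.json"
  printf '{\n  "name": "ip",\n  "version": "2.0.1"\n}\n' > "$demo/npm/node_modules/dep/node_modules/ip/package.json"
  scan_npm_root "$demo/npm"
  echo "exit status: $?"
  rm -rf "$demo"
fi
```

Inside the container, source the script and run `scan_npm_root "$(npm root -g)/npm"`; a non-zero exit means at least one bundled copy is below the assumed patched version. This only confirms which `ip` versions are present, which is what a scanner matches on; it says nothing about whether npm ever reaches the vulnerable code path, so it will not by itself change the scanner's verdict.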
