Open joewragg opened 2 months ago
Thanks for reporting, do you have any suggestion on how to fix this?
It looks like most of these vulnerabilities are Debian packages, so looking at your Dockerfile they may come from node:20-bookworm-slim?
Given that all these CVEs are 2024 and you haven't released since Jan, I would imagine doing another release of vroom, perhaps v1.14.1, would fix the issue.
By releasing again you're grabbing a more up-to-date node image; it's looking like the latest node 20 bookworm has no HIGH or CRITICAL vulnerabilities in it.
I've just built a fresh image of vroom-docker, getting:
Node.js (node-pkg)
==================
Total: 6 (HIGH: 4, CRITICAL: 2)
so a re-release would be a massive improvement.
Additionally, do you plan to release vroom-docker on a regular basis? Otherwise we may go ahead and release it ourselves on a more regular basis for our security needs.
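The check behind the comment above is whether the HIGH/CRITICAL findings come from the Debian base image (os-pkgs) or from Node packages (node-pkg), since only the former go away by rebuilding on a refreshed base image. The script below is an added example, not vroom-docker's own tooling: it parses a Trivy JSON report (`trivy image --format json`) and splits the counts by origin. The embedded report is constructed to mimic Trivy's layout; its CVE ids, package names and versions are placeholders.

```python
"""Split a Trivy JSON report's HIGH/CRITICAL findings by origin (OS vs language packages)."""
import json
from collections import Counter

# Constructed sample in Trivy's JSON layout; ids and package names are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "node:20-bookworm-slim (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample2",
              "InstalledVersion": "3.1", "FixedVersion": "3.2", "Severity": "MEDIUM"}]},
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example-pkg",
              "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1", "Severity": "CRITICAL"}]},
    ]
})


def summarize(report_json, severities=("HIGH", "CRITICAL")):
    """Return {"<Class>/<Type>": {"total", "by_severity", "fix_available"}} for the given severities.

    fix_available counts findings with a FixedVersion, i.e. ones a newer package
    (and so a rebuilt base image, for os-pkgs) can actually remove.
    """
    out = {}
    for result in json.loads(report_json).get("Results", []):
        key = f"{result.get('Class')}/{result.get('Type')}"
        entry = out.setdefault(key, {"total": 0, "by_severity": Counter(), "fix_available": 0})
        # Trivy omits the key entirely when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            if sev not in severities:
                continue
            entry["total"] += 1
            entry["by_severity"][sev] += 1
            if vuln.get("FixedVersion"):
                entry["fix_available"] += 1
    return out


def format_line(entry):
    """Render the 'Total: N (HIGH: x, CRITICAL: y)' line Trivy prints in table mode."""
    sev = entry["by_severity"]
    return f"Total: {entry['total']} (HIGH: {sev['HIGH']}, CRITICAL: {sev['CRITICAL']})"


if __name__ == "__main__":
    for origin, entry in summarize(SAMPLE_REPORT).items():
        print(f"{origin}: {format_line(entry)}, fix available for {entry['fix_available']}")
```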
Releases for vroom-docker typically follow the upstream release process, see #80 on the workflow.
Total: 24 (HIGH: 24, CRITICAL: 0)