aws / aws-lambda-base-images

Apache License 2.0
648 stars 107 forks

nodejs 12 & 14 contain nodejs packages with CVEs #28

Open cdloh opened 2 years ago

cdloh commented 2 years ago

Was building a base image off the AWS Lambda images and scanning with trivy and noted that both have NodeJS packages installed with known CVEs against them.

$ trivy image public.ecr.aws/lambda/nodejs:12
2021-12-09T15:07:37.864Z    INFO    Detected OS: amazon
2021-12-09T15:07:37.864Z    INFO    Detecting Amazon Linux vulnerabilities...
2021-12-09T15:07:37.868Z    INFO    Number of language-specific files: 2
2021-12-09T15:07:37.868Z    INFO    Detecting gobinary vulnerabilities...
2021-12-09T15:07:37.868Z    INFO    Detecting node-pkg vulnerabilities...

public.ecr.aws/lambda/nodejs:12 (amazon 2 (Karoo))
==================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Node.js (node-pkg)
==================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 1)

+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ansi-regex  | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1  | nodejs-ansi-regex: Regular           |
|             |                  |          |                   |               | expression denial of service         |
|             |                  |          |                   |               | (ReDoS) matching ANSI escape codes   |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3807 |
+             +                  +          +-------------------+               +                                      +
|             |                  |          | 4.1.0             |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| json-schema | CVE-2021-3918    | CRITICAL | 0.2.3             | 0.4.0         | nodejs-json-schema: Prototype        |
|             |                  |          |                   |               | pollution vulnerability              |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3918 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+

usr/local/bin/aws-lambda-rie (gobinary)
=======================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

$ trivy image public.ecr.aws/lambda/nodejs:14
2021-12-09T15:07:43.241Z    INFO    Detected OS: amazon
2021-12-09T15:07:43.241Z    INFO    Detecting Amazon Linux vulnerabilities...
2021-12-09T15:07:43.246Z    INFO    Number of language-specific files: 2
2021-12-09T15:07:43.246Z    INFO    Detecting gobinary vulnerabilities...
2021-12-09T15:07:43.246Z    INFO    Detecting node-pkg vulnerabilities...

public.ecr.aws/lambda/nodejs:14 (amazon 2 (Karoo))
==================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Node.js (node-pkg)
==================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 1)

+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| ansi-regex  | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1  | nodejs-ansi-regex: Regular           |
|             |                  |          |                   |               | expression denial of service         |
|             |                  |          |                   |               | (ReDoS) matching ANSI escape codes   |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3807 |
+             +                  +          +-------------------+               +                                      +
|             |                  |          | 4.1.0             |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
|             |                  |          |                   |               |                                      |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+
| json-schema | CVE-2021-3918    | CRITICAL | 0.2.3             | 0.4.0         | nodejs-json-schema: Prototype        |
|             |                  |          |                   |               | pollution vulnerability              |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3918 |
+-------------+------------------+----------+-------------------+---------------+--------------------------------------+

usr/local/bin/aws-lambda-rie (gobinary)
=======================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

cdloh commented 2 years ago

Updating NPM to the latest version fixes it.

npm install npm@latest -g

theo-staizen commented 2 years ago

Updating NPM to the latest version fixes it.

npm install npm@latest -g

can we get a refund for every compute minute wasted installing latest npm?

catmeme commented 2 years ago

Adding RUN npm install npm@latest -g didn't make a difference for me.
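The workaround in this thread is `npm install npm@latest -g`, and one reporter says it made no difference. The trivy output lists two installed copies of ansi-regex (3.0.0 and 4.1.0), and the fact that upgrading npm removes them indicates they are transitive dependencies bundled inside npm's own node_modules rather than packages the image installs directly. The script below is an added example, not code from the aws-lambda-base-images project: it walks a node_modules tree, finds every nested copy of a package, and reports the ones still below the fixed versions trivy printed, so you can see after the upgrade exactly which copies remain. The sample tree it builds is constructed to mirror the findings above (the nesting paths are assumptions, not taken from the real image), and the rule for reading trivy's FIXED VERSION column (patched if at or above the fix for the same major line, or above the highest fix listed) is an assumption about how that column should be interpreted. `$(npm root -g)` is the assumed location of the global npm install on a real image.

```shell
#!/bin/sh
# Added example (not from the aws-lambda-base-images project): after
# `npm install npm@latest -g`, list every copy of a package under a
# node_modules tree and flag those still below trivy's fixed version.

# Print "<version> <path-to-package.json>" for every installed copy of $2 under $1.
# Nested copies (node_modules inside node_modules) are included.
installed_versions() {
  root=$1; pkg=$2
  find "$root" -type f -path "*/node_modules/$pkg/package.json" 2>/dev/null |
  while IFS= read -r pj; do
    # Pull the top-level "version" string out of package.json without needing jq.
    v=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1)
    printf '%s %s\n' "${v:-unknown}" "$pj"
  done
}

# Turn x.y.z into a single comparable integer (assumes each component < 1000;
# prerelease tags such as -beta.1 are ignored).
version_key() {
  v=${1%%-*}; oldifs=$IFS; IFS=.
  set -- $v
  IFS=$oldifs
  printf '%s\n' $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Return 0 when $1 < $2.
version_lt() { [ "$(version_key "$1")" -lt "$(version_key "$2")" ]; }

# Return 0 when installed version $1 is patched relative to the fixed versions
# in $2... (assumption about trivy's FIXED VERSION column: patched when at or
# above the fix for its own major line, or at or above the highest fix listed).
is_patched() {
  inst=$1; shift
  highest=0.0.0
  for fix in "$@"; do
    if version_lt "$highest" "$fix"; then highest=$fix; fi
    if [ "${inst%%.*}" = "${fix%%.*}" ] && ! version_lt "$inst" "$fix"; then return 0; fi
  done
  ! version_lt "$inst" "$highest"
}

# Print one "VULNERABLE <pkg> <version> <path>" line per copy still below the fix.
# Usage: report_vulnerable ROOT PKG FIXED_VERSION...
report_vulnerable() {
  root=$1; pkg=$2; shift 2
  installed_versions "$root" "$pkg" | while read -r ver path; do
    if ! is_patched "$ver" "$@"; then
      printf 'VULNERABLE %s %s %s\n' "$pkg" "$ver" "$path"
    fi
  done
}

# Number of vulnerable copies, as a bare integer.
count_vulnerable() { report_vulnerable "$@" | wc -l | tr -d ' '; }

# Constructed sample tree mirroring the trivy findings above: two nested
# ansi-regex copies (3.0.0 and 4.1.0) and json-schema 0.2.3 under npm.
# The nesting paths are invented for the demo, not taken from the real image.
make_sample_tree() {
  root=$(mktemp -d)
  for spec in "npm/node_modules/ansi-regex:3.0.0" \
              "npm/node_modules/string-width/node_modules/ansi-regex:4.1.0" \
              "npm/node_modules/json-schema:0.2.3"; do
    rel=${spec%%:*}; ver=${spec##*:}
    mkdir -p "$root/node_modules/$rel"
    printf '{ "name": "%s", "version": "%s" }\n' "${rel##*/}" "$ver" \
      > "$root/node_modules/$rel/package.json"
  done
  printf '%s\n' "$root"
}

# Stand-alone demo on the constructed tree. On a real image, after the npm
# upgrade, point ROOT at "$(npm root -g)" (assumed global npm location) instead.
ROOT=$(make_sample_tree)
report_vulnerable "$ROOT" ansi-regex 5.0.1 6.0.1
report_vulnerable "$ROOT" json-schema 0.4.0
rm -rf "$ROOT"
```

Run it inside the built image after the `RUN npm install npm@latest -g` layer; a non-empty report means the upgrade left an older copy in place (for example a second, deeper nested ansi-regex), which is the case to look at when the workaround appears to make no difference.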