Closed apeacock1991 closed 1 year ago
Thanks for the report! I've run grype again on the latest Mermaid CLI Docker container, and it looks like all the vulnerabilities shown above have been fixed, but there are a bunch of new vulnerabilities.
```console
root@38bdbd95ea66:~# grype ghcr.io/mermaid-js/mermaid-cli/mermaid-cli
 ✔ Vulnerability DB        [no update available]
 ✔ Parsed image
 ✔ Cataloged packages      [579 packages]
 ✔ Scanning image...       [119 vulnerabilities]
   ├── 2 critical, 25 high, 84 medium, 8 low, 0 negligible
   └── 0 fixed
NAME         INSTALLED           FIXED-IN  TYPE  VULNERABILITY   SEVERITY
chromium     110.0.5481.177-r0             apk   CVE-2008-5915   Low
chromium     110.0.5481.177-r0             apk   CVE-2009-1598   High
chromium     110.0.5481.177-r0             apk   CVE-2010-1731   Medium
chromium     110.0.5481.177-r0             apk   CVE-2011-3389   Medium
chromium     110.0.5481.177-r0             apk   CVE-2012-4929   Low
chromium     110.0.5481.177-r0             apk   CVE-2012-4930   Low
chromium     110.0.5481.177-r0             apk   CVE-2013-6647   Critical
chromium     110.0.5481.177-r0             apk   CVE-2013-6662   Medium
chromium     110.0.5481.177-r0             apk   CVE-2015-4000   Low
chromium     110.0.5481.177-r0             apk   CVE-2016-7152   Medium
chromium     110.0.5481.177-r0             apk   CVE-2016-7153   Medium
chromium     110.0.5481.177-r0             apk   CVE-2018-10229  Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1213   High
chromium     110.0.5481.177-r0             apk   CVE-2023-1214   High
chromium     110.0.5481.177-r0             apk   CVE-2023-1215   High
chromium     110.0.5481.177-r0             apk   CVE-2023-1216   High
chromium     110.0.5481.177-r0             apk   CVE-2023-1217   Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1218   High
chromium     110.0.5481.177-r0             apk   CVE-2023-1219   High
chromium     110.0.5481.177-r0             apk   CVE-2023-1220   High
chromium     110.0.5481.177-r0             apk   CVE-2023-1221   Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1222   High
chromium     110.0.5481.177-r0             apk   CVE-2023-1223   Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1224   Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1225   Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1226   Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1227   High
chromium     110.0.5481.177-r0             apk   CVE-2023-1228   Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1229   Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1230   Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1231   Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1232   Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1233   Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1234   Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1235   Medium
chromium     110.0.5481.177-r0             apk   CVE-2023-1236   Medium
cups-libs    2.4.2-r1                      apk   CVE-2018-6553   High
ffmpeg-libs  5.1.2-r1                      apk   CVE-2022-3964   High
ffmpeg-libs  5.1.2-r1                      apk   CVE-2022-3965   High
libpng       1.6.38-r0                     apk   CVE-2022-3857   Medium
tiff         4.4.0-r1                      apk   CVE-2015-7313   Medium
tiff         4.4.0-r1                      apk   CVE-2022-2953   Medium
tiff         4.4.0-r1                      apk   CVE-2022-3570   Medium
tiff         4.4.0-r1                      apk   CVE-2022-3597   Medium
tiff         4.4.0-r1                      apk   CVE-2022-3598   Medium
tiff         4.4.0-r1                      apk   CVE-2022-3599   Medium
tiff         4.4.0-r1                      apk   CVE-2022-3626   Medium
tiff         4.4.0-r1                      apk   CVE-2022-3627   Medium
tiff         4.4.0-r1                      apk   CVE-2022-3970   High
tiff         4.4.0-r1                      apk   CVE-2022-4645   Medium
tiff         4.4.0-r1                      apk   CVE-2022-48281  Medium
tiff         4.4.0-r1                      apk   CVE-2023-0795   Medium
tiff         4.4.0-r1                      apk   CVE-2023-0796   Medium
tiff         4.4.0-r1                      apk   CVE-2023-0797   Medium
tiff         4.4.0-r1                      apk   CVE-2023-0798   Medium
tiff         4.4.0-r1                      apk   CVE-2023-0799   Medium
tiff         4.4.0-r1                      apk   CVE-2023-0800   Medium
tiff         4.4.0-r1                      apk   CVE-2023-0801   Medium
tiff         4.4.0-r1                      apk   CVE-2023-0802   Medium
tiff         4.4.0-r1                      apk   CVE-2023-0803   Medium
tiff         4.4.0-r1                      apk   CVE-2023-0804   Medium
```
apk vulnerabilities

For all the TYPE: apk vulnerabilities, you're probably best off reporting them to Alpine Linux directly.
For example, currently tiff has a bunch of CVEs, and the relevant aports issue is: https://gitlab.alpinelinux.org/alpine/aports/-/issues/14698
Once they're fixed in Alpine Linux, the next time a Mermaid CLI Docker container image is built, it should pull down the fixed version automatically.
npm vulnerabilities

We do use GitHub's @dependabot to automatically update our NPM dependencies, so any vulnerabilities should be fixed automatically once an update is released.
I'm going to close this issue, as I'm not really sure how we can improve this, but if you have any recommendations on how we can improve things, please let us know!
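The split the reply above makes, apk findings go to Alpine and arrive with the next image rebuild, npm findings are Dependabot's job, can be automated over grype's JSON output rather than read off the table by hand. The script below is an added example written for this page; it is not code from the Mermaid CLI project or from grype. It assumes the report shape produced by `grype <image> -o json` (a `matches` list whose entries carry `vulnerability.id`, `vulnerability.severity`, `vulnerability.fix` and `artifact.name`, `artifact.version`, `artifact.type`). The embedded sample report is constructed: the apk package names and CVE ids are copied from the scan above, but the fix versions and the npm entry (`example-pkg`, `GHSA-example-0001`) are made up for illustration.

```python
"""Triage a grype JSON report by package ecosystem and fix availability.

apk findings belong to Alpine and reach the image on the next rebuild once
aports has the fix; npm findings are handled by Dependabot. Within each
ecosystem, findings with a known fix version are separated from those
without one, because only the former can be closed by a rebuild or a
dependency bump. Sample data below is constructed, not a real scan.
"""
import json
from collections import defaultdict

# Severity order used for sorting; grype reports these capitalised strings.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3,
                 "Negligible": 4, "Unknown": 5}

# Constructed sample in the shape of `grype <image> -o json`. Package names and
# CVE ids mirror the report in the thread; the fix data and the npm entry
# (example-pkg, GHSA-example-0001) are illustrative only.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2022-3970", "severity": "High",
                       "fix": {"versions": ["4.4.0-r2"], "state": "fixed"}},
     "artifact": {"name": "tiff", "version": "4.4.0-r1", "type": "apk"}},
    {"vulnerability": {"id": "CVE-2023-0804", "severity": "Medium",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "tiff", "version": "4.4.0-r1", "type": "apk"}},
    {"vulnerability": {"id": "CVE-2013-6647", "severity": "Critical",
                       "fix": {"versions": [], "state": "unknown"}},
     "artifact": {"name": "chromium", "version": "110.0.5481.177-r0",
                  "type": "apk"}},
    {"vulnerability": {"id": "GHSA-example-0001", "severity": "High",
                       "fix": {"versions": ["1.2.4"], "state": "fixed"}},
     "artifact": {"name": "example-pkg", "version": "1.2.3", "type": "npm"}},
]})


def load_matches(report_text):
    """Parse a grype JSON report and return its list of matches."""
    return json.loads(report_text).get("matches", [])


def finding(match):
    """Flatten one grype match into the fields triage needs."""
    vuln, art = match["vulnerability"], match["artifact"]
    fix = vuln.get("fix") or {}
    return {"id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "package": art["name"], "installed": art["version"],
            "type": art["type"],
            "fixed_in": list(fix.get("versions") or []),
            "fix_state": fix.get("state", "unknown")}


def triage(matches):
    """Group findings as {type: {"fixable": [...], "unfixed": [...]}},
    each list sorted by severity (Critical first), then by id."""
    groups = defaultdict(lambda: {"fixable": [], "unfixed": []})
    for m in matches:
        f = finding(m)
        groups[f["type"]]["fixable" if f["fixed_in"] else "unfixed"].append(f)
    for g in groups.values():
        for bucket in g.values():
            bucket.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 5), f["id"]))
    return dict(groups)


def upstream_report_targets(triaged):
    """apk findings with no fix yet: the image cannot do anything but wait,
    so these are what you raise with Alpine (aports). One tuple per package:
    (name, installed version, sorted vulnerability ids)."""
    by_pkg = defaultdict(list)
    for f in triaged.get("apk", {}).get("unfixed", []):
        by_pkg[(f["package"], f["installed"])].append(f["id"])
    return [(n, v, sorted(ids)) for (n, v), ids in sorted(by_pkg.items())]


def rebuild_would_fix(triaged):
    """apk findings whose fix is already in the Alpine package index: a fresh
    image build picks these up without a Dockerfile change.
    Tuples of (name, installed, first fixed version, id)."""
    return [(f["package"], f["installed"], f["fixed_in"][0], f["id"])
            for f in triaged.get("apk", {}).get("fixable", [])]


def summary(triaged):
    """Counts per ecosystem and bucket, for a quick read of the report."""
    return {t: {b: len(v) for b, v in g.items()} for t, g in triaged.items()}


if __name__ == "__main__":
    t = triage(load_matches(SAMPLE_REPORT))
    print("summary:", summary(t))
    print("report to Alpine:", upstream_report_targets(t))
    print("fixed by a rebuild:", rebuild_would_fix(t))
    print("npm, for Dependabot:",
          [f["id"] for f in t.get("npm", {}).get("fixable", [])])
```

To use it on a real image, save `grype <image> -o json` to a file and pass its contents to `load_matches`. The "fixed by a rebuild" list is only as good as the vulnerability DB and the Alpine branch the image is built from: a fix that landed in a newer Alpine release does not reach an image whose base tag still tracks the older branch, so check the `fixed_in` version against that branch's package index before assuming a rebuild will clear the finding.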
Describe the bug
There are numerous reported vulnerabilities in libraries used in the Mermaid CLI Docker container.
To Reproduce
Grype detects them; here's a screenshot:
Would it be possible to get these updated? (no idea how complex it is!)
Expected behavior
There should be no reported vulnerabilities.