node-red / node-red-docker

Repository for all things Node-RED and Docker related
Apache License 2.0

The Node-red docker image v4.0.0-22-minimal uses vulnerable alpine version #440

Open OlgasAcc opened 3 months ago

OlgasAcc commented 3 months ago

Hello,

It looks like the new image of v4.0.0-22-minimal uses alpine 3.20.0 as a base image in Dockerfile. The alpine:3.20.0 is vulnerable, but the defects have already been fixed in v3.20.1. Could you please rebuild this docker image (in case you already use 3.20 in Dockerfile) or upgrade it to 3.20.1 (in case you explicitly set alpine:3.20.0)?


Thanks

hardillb commented 3 months ago

https://github.com/node-red/node-red-docker/blob/2f9caca1713b4ac6c60f4ec606161a3a0a31c8b1/.docker/Dockerfile.alpine#L1-L6

We have no control over underlying alpine container as it comes from the node:20-alpine base container.

We will probably respin the 4.0.0 containers soon, when I have found a way to build the 32-bit ARM containers again without them hanging.
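Since the Alpine release is inherited from the node:20-alpine base rather than pinned, the practical check is to read it out of the image you actually pulled. The following POSIX shell script is an added example, not code from the node-red-docker project: it compares /etc/alpine-release inside an image against the 3.20.1 minimum named in this issue; the image name is an assumption and `docker run` must be available for the image check.

```shell
#!/bin/sh
# Added example (not from the node-red-docker project): verify that a pulled
# Node-RED image was rebuilt on a base whose Alpine release is new enough.

MIN_ALPINE="3.20.1"   # first release the reporter names as carrying the fixes

# version_ge A B -> exit 0 if dotted numeric version A >= B, else 1
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0}; bi=${bi:-0}          # missing component counts as 0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# alpine_ok RELEASE -> 0 if RELEASE (contents of /etc/alpine-release) meets MIN_ALPINE
alpine_ok() {
    rel=$(printf '%s' "$1" | tr -d '[:space:]')   # drop trailing newline
    version_ge "$rel" "$MIN_ALPINE"
}

# image_alpine_release IMAGE -> prints the Alpine release baked into IMAGE
image_alpine_release() {
    docker run --rm --entrypoint cat "$1" /etc/alpine-release
}

# check_image IMAGE -> 0 if the image's Alpine release is acceptable, 1 if too
# old, 2 if the release file could not be read (not an Alpine-based image?)
check_image() {
    rel=$(image_alpine_release "$1") || return 2
    if alpine_ok "$rel"; then
        echo "$1: alpine $rel >= $MIN_ALPINE (ok)"
    else
        echo "$1: alpine $rel < $MIN_ALPINE (rebuild on a newer base needed)"
        return 1
    fi
}

# Usage: ./check_alpine.sh nodered/node-red:4.0.0-22-minimal  (image name assumed)
if [ "$#" -gt 0 ]; then
    check_image "$1"
fi
```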

hardillb commented 3 months ago

The node:20-alpine containers were only respun 8 hours ago.

knolleary commented 3 months ago

We have a 4.0.1 release coming in the next 24hrs which gets built from the latest base containers.

OlgasAcc commented 3 months ago

@hardillb, @knolleary thanks a lot for a quick response! Got you, thanks for the update