nodejs / docker-node

Official Docker Image for Node.js :whale: :turtle: :rocket:
https://hub.docker.com/_/node/
MIT License

CVE-2023-42282 An issue in NPM IP Package when scanning with trivy #2030

Closed moshen-maverick closed 4 months ago

moshen-maverick commented 4 months ago

Environment

Expected Behavior

trivy image scan should pass

Current Behavior

trivy reports a high-severity CVE-2023-42282 for ip (package.json): /usr/local/lib/node_modules/npm/node_modules/ip/package.json

This breaks our build.

Possible Solution

Steps to Reproduce

trivy image --format json node:20.11-alpine3.18

Additional Information

SimenB commented 4 months ago

That needs to be fixed in ip, then adopted in npm, then npm must be updated in node. At that point the fix will trickle down to the docker image.

moshen-maverick commented 4 months ago

But it looks like the IP project is not maintained anymore. Last commit was 2 years ago. You need to remove/replace the package.

meyfa commented 4 months ago

npm is a separate product and not maintained by Node.js, much less the Node.js Docker folks. You need to raise this with npm Inc.

tom-applab commented 4 months ago

Hi @SimenB @meyfa. I am still facing this issue and would appreciate your help and guidance.

From my analysis, the IP package used by the node image is version 2.0.0. Fix suggestions show that this vulnerability has been fixed for versions 1.1.9 and 2.0.1. The base image I am using: node:20.11.0-bookworm-slim

If the fixes are rolled out, could you guide me to the best image or advise on how to patch this? I tried manually updating the IP package in the Dockerfile, but it does not work, and all of the variations of the node base image I checked (including 20.11.1) still show this vulnerability.
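To triage a finding like this one from the `trivy image --format json` output (the reproduction step in the issue and the version analysis in the comment above), here is an added Python example; it is not code from this issue or from the docker-node project. It assumes trivy's JSON field names (`Results[].Vulnerabilities[].PkgPath`, `InstalledVersion`, `FixedVersion`, `Severity`) and uses a constructed sample report that mirrors the reported finding, classifying each finding by who can actually ship the fix (the image/app layer vs. npm's bundled node_modules, which only changes when npm itself is bumped in node).

```python
import json

# Constructed sample of `trivy image --format json` output, trimmed to the fields
# used below. Values mirror the finding reported in this issue; the field names
# are trivy's report schema (assumption: no leading "/" in PkgPath, as trivy emits).
SAMPLE_TRIVY_JSON = json.dumps({
    "Results": [{
        "Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
        "Vulnerabilities": [{
            "VulnerabilityID": "CVE-2023-42282", "PkgName": "ip",
            "PkgPath": "usr/local/lib/node_modules/npm/node_modules/ip/package.json",
            "InstalledVersion": "2.0.0", "FixedVersion": "1.1.9, 2.0.1",
            "Severity": "HIGH",
        }],
    }],
})

# Packages under this prefix ship inside npm; they cannot be patched in the image
# independently of an npm (and therefore node) release.
NPM_BUNDLE_PREFIX = "usr/local/lib/node_modules/npm/"


def parse_version(v: str) -> tuple:
    """Turn '2.0.1' (or '2.0.1-beta') into (2, 0, 1); non-numeric parts count as 0."""
    core = v.strip().split("-")[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def fix_available(installed: str, fixed_field: str) -> bool:
    """True if trivy lists a fixed version on the same major line, newer than installed."""
    inst = parse_version(installed)
    for candidate in fixed_field.split(","):
        if candidate.strip():
            fv = parse_version(candidate)
            if fv[0] == inst[0] and fv > inst:
                return True
    return False


def triage(report_json: str, severities=("HIGH", "CRITICAL")) -> list:
    """Reduce a trivy report to actionable rows: id, package, fix status and owner."""
    rows = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in severities:
                continue
            path = v.get("PkgPath", "").lstrip("/")  # tolerate a leading "/" as in table output
            bundled = path.startswith(NPM_BUNDLE_PREFIX)
            rows.append({
                "id": v["VulnerabilityID"], "pkg": v["PkgName"], "path": path,
                "installed": v["InstalledVersion"],
                "fix_available": fix_available(v["InstalledVersion"], v.get("FixedVersion", "")),
                "owner": "npm-bundled (fix arrives via npm -> node release)" if bundled else "image/app layer",
            })
    return rows
```

Rows marked `npm-bundled` with `fix_available` true are the ones to track against the npm changelog rather than patch in the Dockerfile, which is why the manual update attempt described above had no effect on the scan.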

nschonni commented 4 months ago

https://github.com/nodejs/docker-node/blob/main/SECURITY.md