Closed moshen-maverick closed 4 months ago
That needs to be fixed in ip, then adopted in npm, then npm must be updated in node. At that point the fix will trickle down to the docker image.
But it looks like the IP project is not maintained anymore. Last commit was 2 years ago. You need to remove/replace the package.
npm is a separate product and not maintained by Node.js, much less the Node.js Docker folks. You need to raise this with npm Inc.
Hi @SimenB @meyfa. I am still facing this issue and would appreciate your help and guidance. From my analysis, the IP package used by the node image is version 2.0.0. Fix suggestions show that this vulnerability has been fixed in versions 1.1.9 and 2.0.1. The base image I am using: node:20.11.0-bookworm-slim. If the fixes are rolled out, could you guide me to the best image or advise me on how to patch this? I tried manually updating the IP package in the Dockerfile, but it does not work, and all of the variations of the node base image I checked (including 20.11.1) still show this vulnerability.
Environment
Expected Behavior
trivy image scan should pass
Current Behavior
trivy reports a HIGH severity CVE-2023-42282 for ip (package.json) at /usr/local/lib/node_modules/npm/node_modules/ip/package.json.
This breaks our build.
Possible Solution
Steps to Reproduce
trivy image --format json node:20.11-alpine3.18
Additional Information
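As an added example that is not part of the issue thread, the following POSIX shell check reads the version field of the ip package.json that trivy pointed at and decides whether it is at or above the fixed releases the thread cites (1.1.9 on the 1.x line, 2.0.1 on the 2.x line). The package.json content is constructed here so the script runs offline; the docker command in the comment shows where the real one comes from.

```shell
#!/bin/sh
# Added example, not from the issue thread: check whether the ip package
# bundled inside npm in a node image is at or above the fixed releases the
# thread cites for CVE-2023-42282 (1.1.9 on the 1.x line, 2.0.1 on 2.x).
#
# Against a real image the JSON would come from the path trivy reported:
#   docker run --rm node:20.11-alpine3.18 \
#     cat /usr/local/lib/node_modules/npm/node_modules/ip/package.json
# Here a constructed package.json stands in so the script runs offline.
SAMPLE_PKG_JSON='{ "name": "ip", "version": "2.0.0", "license": "MIT" }'

# Print the "version" field of a package.json read from stdin.
pkg_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# ver_ge A B: succeed when dotted version A >= B (numeric, component-wise).
ver_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  return 0
}

# ip_is_fixed VERSION: succeed when VERSION carries the fix for its major line.
ip_is_fixed() {
  case "${1%%.*}" in
    1) ver_ge "$1" 1.1.9 ;;
    2) ver_ge "$1" 2.0.1 ;;
    *) return 1 ;;          # unknown major line: treat as unfixed
  esac
}

# assess_ip_json JSON: print "fixed <v>" or "vulnerable <v>" for the package.
assess_ip_json() {
  v=$(printf '%s' "$1" | pkg_version)
  if ip_is_fixed "$v"; then echo "fixed $v"; else echo "vulnerable $v"; fi
}

assess_ip_json "$SAMPLE_PKG_JSON"   # prints: vulnerable 2.0.0
```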