nodejs / docker-node

Official Docker Image for Node.js :whale: :turtle: :rocket:
https://hub.docker.com/_/node/
MIT License

node:lts-slim has vulnerability - CVE-2023-42282 - due to not updated npm ip package #2039

Closed MatXSz closed 3 months ago

MatXSz commented 3 months ago

Environment

Expected Behavior

node:lts-slim has the npm ip package version with the included fix for CVE-2023-42282 (2.0.1). The node:slim image is not vulnerable to CVE-2023-42282.

Current Behavior

node:lts-slim does not have the npm ip package version with the included fix for CVE-2023-42282 (2.0.1). The actual version is 2.0.0.

Possible Solution

Update the npm ip package to fixed version in node:lts-slim.

meyfa commented 3 months ago

Duplicate of #2030

msaktor commented 3 months ago

npm version 10.5.0 is using socks 2.8.0 https://github.com/npm/cli/pull/7184/files

which replaced the problematic ip package https://github.com/JoshGlazebrook/socks/commit/66b7f73023697f6ffb9751b5749b1a8f9b8d5066#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519L48

it's available in node versions:

>= 21.7.0
>= 20.12.0
>= 18.20.0
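To turn the thread's version table into a check you can run inside an image with `node`, here is an added example (not code from docker-node or npm): it decides whether a Node.js release carries the npm whose socks no longer depends on `ip`, and separately compares an `ip` package.json (the path under npm's `node_modules` is an assumption) against the fixed 2.0.1.

```javascript
// Added example, not from the docker-node project. Minimum Node.js versions whose
// bundled npm uses socks >= 2.8.0, as listed in the issue thread (per major line).
const MIN_FIXED = { 18: [18, 20, 0], 20: [20, 12, 0], 21: [21, 7, 0] };
// Assumed location of the ip package bundled with npm inside the official image.
const IP_PKG_PATH = '/usr/local/lib/node_modules/npm/node_modules/ip/package.json';

// "v20.11.1" or "20.11.1" -> [20, 11, 1]
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unparseable version: ${s}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// true/false when the major is in the thread's table; null when it is not covered
function nodeHasFixedNpm(nodeVersion) {
  const v = parseVersion(nodeVersion);
  const min = MIN_FIXED[v[0]];
  if (!min) return null;
  return compare(v, min) >= 0;
}

// Reads an ip package.json (as text) and checks it is at least the fixed 2.0.1
function ipPackageIsFixed(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  if (pkg.name !== 'ip') throw new Error(`expected the ip package, got ${pkg.name}`);
  return compare(parseVersion(pkg.version), [2, 0, 1]) >= 0;
}

// Constructed sample: what node:lts-slim shipped according to the report above
const SAMPLE_IP_PKG = JSON.stringify({ name: 'ip', version: '2.0.0' });

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  console.log(`node ${process.version}: npm fix present = ${nodeHasFixedNpm(process.version)}`);
  if (fs.existsSync(IP_PKG_PATH)) {
    console.log(`bundled ip fixed (>= 2.0.1) = ${ipPackageIsFixed(fs.readFileSync(IP_PKG_PATH, 'utf8'))}`);
  } else {
    console.log('no bundled ip package found at the assumed path');
  }
}
```

Run it as `docker run --rm -v "$PWD/check.js:/check.js" node:lts-slim node /check.js` to report on a given tag.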