Closed lo-tp closed 2 months ago
Looking for this fix also!
I have the same issue, current workaround is: npm install -g npm@10.5.0
@valentin-nasta how did you solve it, in which step of your docker image you updated the npm version?
@e55o right after the FROM tag, like in the following block:

```dockerfile
FROM node:20-alpine3.19
# Handle CVE-2023-42282
RUN npm install -g npm@10.5.0
```
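As an added example (not code from this thread or from the Node.js project), a POSIX shell check that a Dockerfile can run after the `npm install -g npm@10.5.0` step to confirm the copy of `ip` bundled inside npm is at or above `2.0.1`, the fixed version named in the issue, and fail the build otherwise. It assumes the global npm install lives at `/usr/local/lib/node_modules/npm` (matching the path quoted in the issue) and reads the `version` field from the bundled package's `package.json`; `check_bundled_ip` and `version_ge` are names chosen here.

```shell
#!/bin/sh
# Added example: verify the ip package bundled with npm is at or above the
# fixed version, so an image build fails if the npm upgrade did not take effect.
# Assumed default location of the global npm install in the node images:
#   /usr/local/lib/node_modules/npm   (bundled ip sits under node_modules/ip)

FIXED_IP_VERSION="2.0.1"   # fixed version named in the issue

# version_ge A B: return 0 if A >= B, comparing numeric major.minor.patch.
# A trailing pre-release suffix on the patch component (e.g. "1-beta") is ignored.
version_ge() {
  a_major=${1%%.*}; rest=${1#*.}; a_minor=${rest%%.*}; a_patch=${rest#*.}
  b_major=${2%%.*}; rest=${2#*.}; b_minor=${rest%%.*}; b_patch=${rest#*.}
  a_patch=${a_patch%%[!0-9]*}; b_patch=${b_patch%%[!0-9]*}
  [ "$a_major" -gt "$b_major" ] && return 0
  [ "$a_major" -lt "$b_major" ] && return 1
  [ "$a_minor" -gt "$b_minor" ] && return 0
  [ "$a_minor" -lt "$b_minor" ] && return 1
  [ "${a_patch:-0}" -ge "${b_patch:-0}" ]
}

# ip_version_in DIR: print the "version" field of DIR/package.json (first match).
ip_version_in() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    "$1/package.json" | head -n 1
}

# check_bundled_ip NPM_ROOT:
#   0 -> bundled ip is at or above FIXED_IP_VERSION
#   1 -> bundled ip is older (vulnerable to CVE-2023-42282)
#   2 -> no bundled ip found at the expected path (fail closed; check NPM_ROOT)
check_bundled_ip() {
  dir="$1/node_modules/ip"
  if [ ! -f "$dir/package.json" ]; then
    echo "no package.json under $dir; cannot verify bundled ip version" >&2
    return 2
  fi
  v=$(ip_version_in "$dir")
  if version_ge "$v" "$FIXED_IP_VERSION"; then
    echo "ok: bundled ip $v >= $FIXED_IP_VERSION"
    return 0
  fi
  echo "VULNERABLE: bundled ip $v < $FIXED_IP_VERSION (CVE-2023-42282)" >&2
  return 1
}

# Usage when saved as check_ip.sh and run as a script (no-op when sourced):
#   RUN sh /check_ip.sh                       # default npm root assumed above
#   RUN sh /check_ip.sh /path/to/npm          # explicit npm root
if [ "${0##*/}" = "check_ip.sh" ]; then
  check_bundled_ip "${1:-/usr/local/lib/node_modules/npm}"
fi
```

In a Dockerfile the script goes in a `RUN` step immediately after the `npm install -g npm@10.5.0` line; a non-zero exit stops the build, so an image whose bundled `ip` is still `2.0.0` (or whose npm root is not where the script expects) never gets pushed.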
@valentin-nasta I was just asking because my corporate security tools also detected a different vulnerability in npm version 10.5.0, thank you anyways!
@e55o what vulnerability in that npm version was detected, please share if you can :)
@valentin-nasta unfortunately, I don't have access to these tools to check the exact vulnerability for you :/
https://nvd.nist.gov/vuln/detail/CVE-2023-42282
It has been scored as critical.
@valentin-nasta / @e55o
@nodejs/npm
@RedYetiDev updating npm in older node versions is something the nodejs folks do.
This was fixed in npm@10.5.0 which was included in Node.js 20.12.0.
> @RedYetiDev updating npm in older node versions is something the nodejs folks do.
My apologies! Next time I'll tag a nodejs LTS member.
Details

When installing node of version `v20.11.1`, it will automatically install `ip` of `2.0.0` in `usr/local/lib/node_modules/npm/node_modules/ip/`, which could be maliciously exploited. Check NVD - CVE-2023-42282 for the detail about this vulnerability. Could we release a new version to update the `ip` package version to `2.0.1` to fix the above security issue?

Node.js version

20.11.1
Example code

No response

Operating system

Scope

Module and version

Not applicable.