Open srisek opened 8 months ago
This is the commit in which it was pinned - https://github.com/paketo-buildpacks/npm-install/commit/0a9a25d1adc04fb313e6d9affa77bdb27ab191a6
But I can't seem to find any discussion of why in the related PR - https://github.com/paketo-buildpacks/npm-install/pull/619
But it does say that there are breaking changes in the update to versions which were pinned.
Removing the pinning seems to break either the build or the unit tests.
So it looks like what's needed is for somebody to investigate/fix the problems caused by the breaking changes before we can unpin the versions.
@srisek I know it's been a long time, but if this is still on your radar, any help in figuring out what other changes are needed to go along with the unpinning would help move it along.
Our org is using the Jammy base builder and base runner with the latest version in my CI tool to perform builds, and we got the below Critical/High security vulnerabilities identified by the scanning tool for the npm-install buildpack.
Impacted Layer : /layers/paketo-buildpacks_npm-install/launch-modules/exec.d/0-setup-symlinks
CVE-2022-28346 CVE-2022-28347 CVE-2022-34265 CVE-2023-31047 CVE-2021-45115 CVE-2021-45116 CVE-2022-23833 CVE-2022-36359 CVE-2022-41323
The recommended fix is to update to version 0.89.0 of github.com/anchore/syft; we could see references to version 0.80.0 in the Go dependencies used by the npm-install buildpack.
https://github.com/paketo-buildpacks/npm-install/blob/main/go.mod#L33C2-L33C45
Can this be updated to version 0.89.0?
Impacted Layer: /layers/paketo-buildpacks_npm-install/launch-modules/exec.d/0-setup-symlinks
Installed Resource: github.com/anchore/stereoscope 0.0.0-20230412183729-8602f1afc574
CVE-2024-24579
Recommended Fix: Upgrade package github.com/anchore/stereoscope to version 0.0.1 or above.
We did notice that the underlying npm-install buildpack is using 0.0.1 in the dependency, but it is also being replaced with version v0.0.0-20230412183729-8602f1afc574:
https://github.com/paketo-buildpacks/npm-install/blob/main/go.mod#L159C80-L159C115
We request any guidance or help in getting these addressed with your team's help.
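The last comment touches a point that trips up dependency scanning: a `require` line in go.mod is not necessarily the version that gets built, because a `replace` directive overrides it. The script below is an added illustration (not the buildpack's own tooling, and the go.mod it inspects is a constructed fragment that only reuses the module paths and versions quoted in this issue). It reports, for a given module, both the version stated in `require` and the version the build actually resolves after `replace` directives are applied, so the two can be compared against what a scanner reports.

```shell
#!/bin/sh
# Added example: compare the `require` version of a Go module with the version
# that is effective after go.mod `replace` directives. The go.mod content below
# is constructed for this illustration; module paths and versions are those
# quoted in the issue.

GOMOD_SAMPLE='module github.com/example/constructed-buildpack

go 1.20

require (
	github.com/anchore/stereoscope v0.0.1
	github.com/anchore/syft v0.80.0
)

replace github.com/anchore/stereoscope => github.com/anchore/stereoscope v0.0.0-20230412183729-8602f1afc574
'

# Write the constructed go.mod to a temporary file so the functions read a
# real file, exactly as they would in a checked-out repository.
GOMOD_FILE=$(mktemp)
printf '%s' "$GOMOD_SAMPLE" > "$GOMOD_FILE"

# required_version FILE MODULE
# Prints the version listed for MODULE in the require section (block form or
# single-line form); prints nothing if the module is not required directly.
required_version() {
    awk -v mod="$2" '
        /^require \(/ { inblock = 1; next }
        inblock && /^\)/ { inblock = 0; next }
        inblock && $1 == mod { print $2; exit }
        $1 == "require" && $2 == mod { print $3; exit }
    ' "$1"
}

# effective_version FILE MODULE
# Prints the version the build resolves: the target of a replace directive when
# one exists (a local path replacement is printed as "local:<path>"), otherwise
# the required version.
effective_version() {
    repl=$(awk -v mod="$2" '
        $1 == "replace" && $2 == mod && $3 == "=>" {
            if (NF >= 5) print $5; else print "local:" $4; exit
        }
        inblock && $1 == mod && $2 == "=>" {
            if (NF >= 4) print $4; else print "local:" $3; exit
        }
        /^replace \(/ { inblock = 1 }
        inblock && /^\)/ { inblock = 0 }
    ' "$1")
    if [ -n "$repl" ]; then
        printf '%s\n' "$repl"
    else
        required_version "$1" "$2"
    fi
}

# report FILE MODULE: one line per module, flagging where the two versions differ.
report() {
    req=$(required_version "$1" "$2")
    eff=$(effective_version "$1" "$2")
    if [ "$req" = "$eff" ]; then
        printf '%s\trequire=%s\teffective=%s\n' "$2" "$req" "$eff"
    else
        printf '%s\trequire=%s\teffective=%s\t(replaced)\n' "$2" "$req" "$eff"
    fi
}

report "$GOMOD_FILE" github.com/anchore/stereoscope
report "$GOMOD_FILE" github.com/anchore/syft
```

In a real checkout the same information comes from `go list -m github.com/anchore/stereoscope` inside the module directory, whose output shows the replacement after `=>`; the point of the script is that a scanner reading the built binary sees the replaced pseudo-version, so an upgrade of the `require` line alone does not change what is shipped while the `replace` directive stands.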