search

sclorg / s2i-nodejs-container

NodeJS images based on Red Hat Software Collections and intended for OpenShift and general usage, that provide a platform for building and running NodeJS applications. Users can choose between Red Hat Enterprise Linux, Fedora, and CentOS based images.
http://softwarecollections.org
Apache License 2.0
164 stars 286 forks source link

nodejs/npm update for nodejs-20-minimal #429

Open slowtick opened 3 weeks ago

slowtick commented 3 weeks ago

Container platform

OCP 4

Version

ubi9/nodejs-20-minimal:1-37.1712566503

OS version of the container image

RHEL 9

Bugzilla, Jira

No response

Description

npm packaged in this image depends on vulnerable ip package - CVE-2023-42282 and apps built with this base image gets flagged out in scanners with critical vulnerability. Though the vulnerable code is never called by npm, we could not convince audit.

npm v10.5.0 / nodejs v20.12.0 includes fixes for this vulnerability.

Are there plans to upgrade node package to 20.12.x? Or would you recommend us install node 20.12.x on ubi9/minimal base image?

Reproducer

  1. Build a nodejs app with ubi9/nodejs-20-minimal:1-37.1712566503
  2. Scan the built image with twistlock/prisma
  3. Reports critical vulnerability in the built image
zmiklank commented 2 weeks ago

Hello @slowtick. IIUC, it is as you said - the ubi9/nodejs-20-minimal:1-37.1712566503 container image is not vulnerable to CVE-2023-42282, because it does not use the vulnerable part of the code. However, there is a plan to rebase node to 20.12.x, however it may take a while until the change is propagated to the container image. Please note that I am not a npm maintainer, so my information can be imprecise. Maybe @khardix could know more.

khardix commented 2 weeks ago

Rebase to 20.12.x is in the works. I would advise waiting for that (shouldn't be long; can't be more specific).

slowtick commented 2 weeks ago

Glad to hear 20.12.x would be coming, official package would be best for us. Will wait for it / watch for updates here.