UID2-7411: bump base image and remediate HIGH/CRITICAL vulns in docker-path images#193
Merged
Merged
Conversation
…r-path images Bump both Dockerfiles from node:20.11.0-alpine3.18 to node:20-alpine3.21, apk upgrade to pull patched Alpine OS packages (libcrypto3/libssl3/musl/zlib), update the base-image-bundled npm to clear its transitive vulns (cross-spawn/glob/minimatch/tar), and pin flatted>=3.4.2 and fast-uri>=3.1.2 via package.json overrides/resolutions. Both uid2-tcportal and euid-tcportal images now scan clean at CRITICAL,HIGH. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
BehnamMozafari
force-pushed
the
bmz-UID2-7411-tcportal-base-bump
branch
from
July 1, 2026 23:48
1bef4a5 to
81df7f1
Compare
swibi-ttd
reviewed
Jul 2, 2026
swibi-ttd
previously approved these changes
Jul 2, 2026
ajv@8.18.0 declares fast-uri as ^3.0.1; the prior >=3.1.2 override resolved to 4.1.0, a major version ajv was never tested against. 3.1.3 already contains fixes for CVE-2026-6321, CVE-2026-6322, and GHSA-4c8g-83qw-93j6, so pinning there closes the same vulns without the unnecessary major bump. Verified 0 HIGH/CRITICAL findings via trivy on the rebuilt image.
swibi-ttd
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
UID2-7411
Remediates HIGH/CRITICAL vulnerabilities in the docker-path images (
Dockerfile_uid2→uid2-tcportal,Dockerfile_euid→euid-tcportal) so they build clean at the newCRITICAL,HIGHTrivy floor. Unblocks IABTechLab/uid2-shared-actions#246.What changed
node:20.11.0-alpine3.18→node:20-alpine3.21. App requiresnode>=20.11, sonode:20-*is safe.apk upgrade --no-cacheduring build to pull patched Alpine 3.21 OS packages, clearing the OS-level HIGH/CRITICALs:libcrypto3/libssl3(→3.3.7-r0),musl/musl-utils(→1.2.5-r11),zlib(→1.3.2-r0).npm install -g npm@latestduring build to update the base-image-bundled npm, clearing its transitive HIGHs:cross-spawn,glob(CVE-2025-64756),minimatch(CVE-2026-27903/27904),tar(multiple).package.jsonoverrides/resolutions: pinflatted>=3.4.2(CVE-2026-32141, CVE-2026-33228) andfast-uri>=3.1.2(CVE-2026-6321, CVE-2026-6322).yarn.lockregenerated (flatted→3.4.2, fast-uri→4.1.0).yarn cache cleanafter install to drop stale cached tarballs from the image.No new
.trivyignoreentries were needed — every finding had a real upstream fix. The existingCVE-2026-26996minimatch suppression remains in place and still applies.Verification
Built
--platform linux/amd64and scanned withtrivy image --platform linux/amd64 --severity CRITICAL,HIGH --scanners vuln --ignorefile ./.trivyignore(trivy 0.72.0). trivy 0.72 renders a "Report Summary" table; every target (alpine OS + all node-pkg targets) reports 0, and the JSON vulnerability count is 0 for both images.uid2-tcportal-test:
Total: 0 (HIGH: 0, CRITICAL: 0)euid-tcportal-test:
Total: 0 (HIGH: 0, CRITICAL: 0)🤖 Generated with Claude Code