Skip to content

UID2-7411: bump base image and remediate HIGH/CRITICAL vulns in docker-path images#193

Merged
BehnamMozafari merged 2 commits into
mainfrom
bmz-UID2-7411-tcportal-base-bump
Jul 2, 2026
Merged

UID2-7411: bump base image and remediate HIGH/CRITICAL vulns in docker-path images#193
BehnamMozafari merged 2 commits into
mainfrom
bmz-UID2-7411-tcportal-base-bump

Conversation

@BehnamMozafari

Copy link
Copy Markdown
Contributor

UID2-7411

Remediates HIGH/CRITICAL vulnerabilities in the docker-path images (Dockerfile_uid2uid2-tcportal, Dockerfile_euideuid-tcportal) so they build clean at the new CRITICAL,HIGH Trivy floor. Unblocks IABTechLab/uid2-shared-actions#246.

What changed

  • Base image bump (both Dockerfiles): node:20.11.0-alpine3.18node:20-alpine3.21. App requires node>=20.11, so node:20-* is safe.
  • apk upgrade --no-cache during build to pull patched Alpine 3.21 OS packages, clearing the OS-level HIGH/CRITICALs: libcrypto3/libssl3 (→3.3.7-r0), musl/musl-utils (→1.2.5-r11), zlib (→1.3.2-r0).
  • npm install -g npm@latest during build to update the base-image-bundled npm, clearing its transitive HIGHs: cross-spawn, glob (CVE-2025-64756), minimatch (CVE-2026-27903/27904), tar (multiple).
  • package.json overrides/resolutions: pin flatted>=3.4.2 (CVE-2026-32141, CVE-2026-33228) and fast-uri>=3.1.2 (CVE-2026-6321, CVE-2026-6322). yarn.lock regenerated (flatted→3.4.2, fast-uri→4.1.0).
  • yarn cache clean after install to drop stale cached tarballs from the image.

No new .trivyignore entries were needed — every finding had a real upstream fix. The existing CVE-2026-26996 minimatch suppression remains in place and still applies.

Verification

Built --platform linux/amd64 and scanned with trivy image --platform linux/amd64 --severity CRITICAL,HIGH --scanners vuln --ignorefile ./.trivyignore (trivy 0.72.0). trivy 0.72 renders a "Report Summary" table; every target (alpine OS + all node-pkg targets) reports 0, and the JSON vulnerability count is 0 for both images.

uid2-tcportal-test: Total: 0 (HIGH: 0, CRITICAL: 0)

euid-tcportal-test: Total: 0 (HIGH: 0, CRITICAL: 0)

🤖 Generated with Claude Code

…r-path images

Bump both Dockerfiles from node:20.11.0-alpine3.18 to node:20-alpine3.21,
apk upgrade to pull patched Alpine OS packages (libcrypto3/libssl3/musl/zlib),
update the base-image-bundled npm to clear its transitive vulns
(cross-spawn/glob/minimatch/tar), and pin flatted>=3.4.2 and fast-uri>=3.1.2
via package.json overrides/resolutions. Both uid2-tcportal and euid-tcportal
images now scan clean at CRITICAL,HIGH.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@BehnamMozafari
BehnamMozafari force-pushed the bmz-UID2-7411-tcportal-base-bump branch from 1bef4a5 to 81df7f1 Compare July 1, 2026 23:48
Comment thread package.json Outdated
swibi-ttd
swibi-ttd previously approved these changes Jul 2, 2026
ajv@8.18.0 declares fast-uri as ^3.0.1; the prior >=3.1.2 override
resolved to 4.1.0, a major version ajv was never tested against.
3.1.3 already contains fixes for CVE-2026-6321, CVE-2026-6322, and
GHSA-4c8g-83qw-93j6, so pinning there closes the same vulns without
the unnecessary major bump. Verified 0 HIGH/CRITICAL findings via
trivy on the rebuilt image.
@BehnamMozafari
BehnamMozafari merged commit 21d900c into main Jul 2, 2026
4 checks passed
@BehnamMozafari
BehnamMozafari deleted the bmz-UID2-7411-tcportal-base-bump branch July 2, 2026 04:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants