yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload. #1235
Comments
I don't believe we use this in our images, do we?
Yes, it was reported when the node image 12.16.1-alpine3.11 was scanned using the Aqua container scanner. Full path to resource: /usr/local/lib/node_modules/npm/node_modules/yargs-parser
That would be the version of npm that ships with Node; there is nothing that we can change in the image for that.
Do you have any suggestion on how we address this vulnerability?
You could update the global npm install on your image with
Sure, we could try that. Not sure why this can't be fixed within the container by pulling the node_modules used, so that the vulnerability is fixed for everyone who pulls the node image.
@seekjp Using a different npm version than that which ships with the specified node version is a divergence that the maintainers likely don't want to introduce. We're running into a similar issue ourselves with the vulnerability scan - but right now I'm not sure we have an answer outside of building a new container with the updated npm version.
@STLMikey - Thanks. So getting the npm version updated and published as a new base image into our docker repo is the way to go in this case.
@seekjp Yes - that's what we'll be doing as well. Looks like node14 has an updated npm version, so that's the timeline for switching back to an official base. In our case, we use the alpine image, so we're copying that Dockerfile and modifying the install command to include a specific version of npm. If you're just scanning the final result, your own Dockerfile can just use
@STLMikey RUN cd /usr/local/lib/node_modules/npm && npm install yargs-parser@13.1.2
https://nvd.nist.gov/vuln/detail/CVE-2020-7608
Can we please include the patched version of the dependency?
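As an added example, not code from yargs-parser, npm or the node image: a minimal dotted-key option setter of the kind the issue title describes, written so that a key containing a `__proto__` (or `constructor`/`prototype`) segment is rejected rather than walked, plus a check that Object.prototype has not gained properties, which can serve as a regression test after updating the dependency. The `--a.b=c` token format and the sample argv are constructed for the example.

```javascript
// Constructed example: a hardened dotted-key setter and a prototype check.
// Path segments that must never be used as property names while walking.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Own-property names of Object.prototype at load time; used as the baseline
// for detecting pollution later in the process.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// Assign `value` at the dotted `path` inside `target`, creating intermediate
// plain objects. Returns false and assigns nothing if any segment could reach
// Object.prototype. The hasOwnProperty check stops the walk from descending
// into inherited properties.
function setKeySafe(target, path, value) {
  const segments = path.split('.');
  if (segments.some((s) => FORBIDDEN_SEGMENTS.has(s))) return false;
  let node = target;
  for (const seg of segments.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return true;
}

// Parse tokens of the form "--a.b=c" (a constructed subset of option syntax).
// Rejected keys are reported rather than silently dropped, so the caller can
// log them as a detection signal.
function parseArgs(argv) {
  const result = { args: {}, rejected: [] };
  for (const token of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(token);
    if (!m) continue; // positional or flag without a value: ignored here
    if (!setKeySafe(result.args, m[1], m[2])) result.rejected.push(m[1]);
  }
  return result;
}

// Names added to Object.prototype since load; an empty list means no pollution.
function newPrototypeProperties() {
  return Object.getOwnPropertyNames(Object.prototype)
    .filter((name) => !PROTOTYPE_BASELINE.has(name));
}

const demo = parseArgs(['--__proto__.polluted=yes', '--foo.bar=1', 'positional']);
console.log(demo, 'polluted:', ({}).polluted, 'added:', newPrototypeProperties());
```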