
mcr.microsoft.com/cbl-mariner/base/nodejs:18 contains FedRAMP vulnerability on npm dependency - ip v2.0.0

Open EldarZ opened this issue 1 year ago • 0 comments

The latest version of mcr.microsoft.com/cbl-mariner/base/nodejs:18 contains a FedRAMP vulnerability in npm dependencies on package 'ip' version 2.0.0 (CVE-2023-42282).

'ip' fixed the vulnerability with their 2.0.1 release.

npm team handled that here: https://github.com/npm/cli/issues/7216

npm fixed the vulnerability here: https://github.com/npm/cli/pull/7238

npm released the fixes in npm version 10.5.0 and 9.9.3.

mcr.microsoft.com/cbl-mariner/base/nodejs 18 still contains this vulnerability:

~ docker images | grep nodejs
mcr.microsoft.com/cbl-mariner/base/nodejs   18   ce7a4d78cb69   5 days ago   128MB
~ docker run -it ce7a4d78cb69 npm -v
9.8.1

Expected behavior: updated npm package with no FedRAMP vulnerabilities.

EldarZ, Apr 10 '24 12:04
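One way to turn the `npm -v` check from this issue into an automated gate for image scanning (an added example, not code from the issue or from the azurelinux project): it encodes the two fixed npm release lines named above, because a naive "at least 9.9.3" comparison would wrongly pass npm 10.0.0 through 10.4.x, which predate the 10.x fix. The release-line table, the function names and the `ip` 2.0.1 floor applied to the bundled package are my own framing of what the issue states.

```python
import re
from typing import Optional, Tuple

# Fix versions named in the issue: npm shipped the bundled 'ip' >= 2.0.1
# in two release lines, 9.9.3 (9.x) and 10.5.0 (10.x). Release lines not
# listed here are deliberately not vouched for and report as not fixed.
NPM_FIXED_BY_MAJOR = {9: (9, 9, 3), 10: (10, 5, 0)}
IP_FIXED = (2, 0, 1)  # 'ip' release that fixed CVE-2023-42282


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first x.y.z triple from text such as `npm -v` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def npm_fixed(version: str) -> bool:
    """True if this npm release carries the bundled 'ip' >= 2.0.1 fix.

    Comparison is done within the release line: 10.4.x is newer than 9.9.3
    but still vulnerable, so a flat '>= 9.9.3' test is wrong.
    """
    v = parse_version(version)
    if v is None:
        return False
    floor = NPM_FIXED_BY_MAJOR.get(v[0])
    return floor is not None and v >= floor


def ip_fixed(version: str) -> bool:
    """True if the bundled 'ip' package version is at or above 2.0.1."""
    v = parse_version(version)
    return v is not None and v >= IP_FIXED


def assess_image(npm_v_output: str) -> str:
    """Turn captured `docker run <image> npm -v` output into a verdict."""
    v = parse_version(npm_v_output)
    if v is None:
        return "unknown: could not parse npm version"
    if npm_fixed(npm_v_output):
        return "ok"
    return f"vulnerable: npm {'.'.join(map(str, v))} predates the {v[0]}.x fix"


if __name__ == "__main__":
    # Constructed sample: the npm version the issue reports for the image.
    print(assess_image("9.8.1\n"))
```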