
mcr.microsoft.com/cbl-mariner/base/nodejs:18 contains FedRAMP vulnerability on npm dependency - 'tar' v6.2.0

Open EldarZ opened this issue 1 year ago • 1 comments

The latest version of mcr.microsoft.com/cbl-mariner/base/nodejs:18 contains a FedRAMP vulnerability in its npm dependencies: package 'tar' version 6.2.0 (CVE-2024-28863).

'tar' fixed the vulnerability with their 6.2.1 release.

npm fixed the vulnerability here: https://github.com/npm/cli/commit/9ccff72c332e6062e6ebcf8123c7888d8d617091

npm released the fixes in npm version 10.8.1

The latest npm version in mcr.microsoft.com/cbl-mariner/base/nodejs:18 is 10.5.0 (which still contains this vulnerability):

```
docker run mcr.microsoft.com/cbl-mariner/base/nodejs:18 npm -v
10.5.0
```

Expected behavior: updated npm package with no FedRAMP vulnerabilities.

EldarZ avatar Jun 06 '24 07:06 EldarZ
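The version check the report above relies on (npm 10.5.0 versus the fixed 10.8.1) is indirect: what actually matters is the 'tar' copy that npm bundles under its own node_modules. The script below is an added example, not code from the azurelinux project or from the issue author, that reads that bundled package.json and compares its version against 6.2.1, the release the report names as the fix. It assumes the usual npm layout, where npm's own dependencies live at `<npm package dir>/node_modules/tar/package.json` and `<npm package dir>` is `$(npm root -g)/npm` for a global install; the function names, the constructed demo tree and the docker command in the trailing comment are mine, and the container path should be confirmed with `npm root -g` inside the image before relying on it.

```shell
#!/bin/sh
# Added example (not code from the azurelinux project or from the issue):
# check whether the 'tar' package bundled inside an npm install is older
# than 6.2.1, the release named in the issue as the fix for CVE-2024-28863.
# Assumed layout: npm keeps its own dependencies under
#   <npm package dir>/node_modules/tar/package.json
# and <npm package dir> is "$(npm root -g)/npm" for a global install.

FIXED_TAR_VERSION="6.2.1"

# ver_lt A B: exit 0 if dotted version A is strictly lower than B.
# Compares numeric components left to right; a missing component counts
# as 0 and any prerelease suffix (e.g. "-beta") is ignored.
ver_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
        bi=${b%%.*}
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        ai=${ai%%[!0-9]*}; ai=${ai:-0}
        bi=${bi%%[!0-9]*}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# pkg_version FILE: print the "version" value of a package.json.
# Uses sed so it works in a minimal image without node or jq; assumes the
# field sits on its own line, as npm writes it.
pkg_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_bundled_tar NPM_DIR: exit 0 if the bundled tar is >= 6.2.1,
# 1 if it is older (still affected), 2 if no tar package.json was found.
check_bundled_tar() {
    pkgjson="$1/node_modules/tar/package.json"
    [ -f "$pkgjson" ] || return 2
    found=$(pkg_version "$pkgjson")
    [ -n "$found" ] || return 2
    if ver_lt "$found" "$FIXED_TAR_VERSION"; then
        echo "tar $found < $FIXED_TAR_VERSION: still affected by CVE-2024-28863"
        return 1
    fi
    echo "tar $found >= $FIXED_TAR_VERSION: fixed"
    return 0
}

# Stand-alone demo on a constructed tree (not a real image): an npm
# directory whose bundled tar is 6.2.0, the version the issue reports.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/node_modules/tar"
printf '{\n  "name": "tar",\n  "version": "6.2.0"\n}\n' > "$demo_dir/node_modules/tar/package.json"
check_bundled_tar "$demo_dir" || true
rm -rf "$demo_dir"

# Against the image itself (docker and network required; the path is the
# assumed one, confirm it with 'npm root -g' inside the container):
#   docker run --rm mcr.microsoft.com/cbl-mariner/base/nodejs:18 \
#     sh -c 'cat "$(npm root -g)/npm/node_modules/tar/package.json"' | grep '"version"'
```

Checking the bundled copy directly also catches the case a scanner can miss: an npm version that was rebuilt with a patched tar without bumping npm's own version, or the reverse, a newer npm whose vendored tar was pinned back.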

Addressing in PR #9372.

nisamson avatar Jun 10 '24 23:06 nisamson

This seems safe to close now as these have been patched.

jperrin avatar Dec 14 '24 00:12 jperrin