Replies: 3 comments
-
cc @nodejs/docker
-
We don't maintain the Node package in APK, so I doubt anyone on the node docker has much to contribute here. We do maintain an image with Alpine though that we recommend you use: https://hub.docker.com/layers/node/library/node/12.22.1-alpine3.12/images/sha256-83233f79a40109329a5c29e4aa42013ddb65c649388f42ff1f889b68849d8de6?context=explore We don't have a 3.13 release; for that you must upgrade to a newer release of node. There is nodejs/docker-node#1439, though, so maybe in the future.
-
I don't think we can tell you which path to take without better understanding how the scanner works. I do know that some scanners have problems with multiple streams and keep encouraging you to upgrade to the latest stream the vuln is fixed in. Whether that is the case in what you are seeing is something you'd have to figure out to decide.
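The comment above describes the mechanism behind this kind of scanner result: a check that only knows the newest release in which a CVE was fixed will flag every older release line, even one that carries a backported fix. The script below is an added example, not code from this discussion or from the Node.js or Alpine projects. It takes the two fixed versions the thread quotes for CVE-2020-8265 (12.20.1 from the Node.js release notes, 14.15.4-r0 from Alpine 3.13's secfixes), parses APK-style version strings including the `-rN` package revision, and shows how a single-stream comparison and a per-release-line comparison reach different verdicts for the same installed package. The `FIXED_BY_LINE` mapping is constructed here from the thread; it is not pulled from any advisory database, and the script says nothing about whether a given backport is correct, only why two scanners can disagree.

```python
"""Compare an installed Node.js version against per-release-line fix versions.

Added example (not code from the discussion, Node.js, or Alpine). It shows the
two ways a scanner can judge CVE-2020-8265 for the versions quoted in the thread:
against a single "latest fixed" version, which flags 12.20.1, or against the fix
for the installed release line, which does not.
"""
import re
from typing import Optional

# Fixed versions for CVE-2020-8265 as quoted in the discussion: the Node.js
# v12.20.1 release notes and Alpine 3.13's secfixes entry 14.15.4-r0.
# Keyed by major version (release line). Constructed here for illustration.
FIXED_BY_LINE = {
    12: "12.20.1",
    14: "14.15.4-r0",
}

# Accepts upstream tags ("v12.20.1") and APK versions ("14.15.4-r0").
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?$")


def parse_apk_version(text: str) -> tuple:
    """Parse 'v12.20.1' or '14.15.4-r0' into (major, minor, patch, pkgrel).

    The '-rN' suffix is Alpine's package revision; a missing suffix is treated
    as revision 0 so upstream and APK versions compare on the same scale.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, rel = m.groups()
    return (int(major), int(minor), int(patch), int(rel or 0))


def is_fixed_single_stream(installed: str) -> bool:
    """Naive check: compare against the highest fixed version only.

    This is the behaviour the comment attributes to some scanners: anything
    below the newest fixed release (14.15.4-r0 here) is reported vulnerable,
    including 12.20.1, which carries the backported fix.
    """
    newest_fix = max(FIXED_BY_LINE.values(), key=parse_apk_version)
    return parse_apk_version(installed) >= parse_apk_version(newest_fix)


def is_fixed_per_stream(installed: str) -> Optional[bool]:
    """Stream-aware check: compare against the fix for the installed major line.

    Returns None when the release line has no known fixed version, so callers
    can distinguish 'unknown' from 'vulnerable'.
    """
    parsed = parse_apk_version(installed)
    fixed = FIXED_BY_LINE.get(parsed[0])
    if fixed is None:
        return None
    return parsed >= parse_apk_version(fixed)


def triage(installed: str) -> str:
    """Summarise both verdicts for one installed version."""
    single = is_fixed_single_stream(installed)
    per_line = is_fixed_per_stream(installed)
    if per_line is None:
        return f"{installed}: release line not tracked"
    if per_line and not single:
        return (f"{installed}: fixed in its own line; a single-stream scanner "
                f"would flag it (likely false positive)")
    if per_line:
        return f"{installed}: fixed"
    return f"{installed}: vulnerable"


if __name__ == "__main__":
    # Constructed sample versions spanning both release lines in the thread.
    for v in ("12.20.0-r0", "v12.20.1", "12.22.1-r0",
              "14.15.3-r0", "14.15.4-r0", "16.0.0-r0"):
        print(triage(v))
```

Run as-is to see 12.20.1 judged fixed by the per-line check and flagged by the single-stream check. In practice the useful follow-up is to find out which of the two comparisons the scanner in use performs, and whether its data source records the 12.x backport at all; the `None` return from `is_fixed_per_stream` is there so that a release line the data simply does not cover is not silently reported as clean.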
-
Hello,
I've encountered a security dispute while working with nodejs and I'd appreciate the opinions of the node community and maintainers on this important subject.
I've recently upgraded my nodejs package version to v12.20.1 on my Alpine image, through Alpine's package manager, APK (release notes: https://nodejs.org/en/blog/release/v12.20.1/). As you will see in the release notes, one of the vulnerabilities that is fixed in this version is CVE-2020-8265.
I've also upgraded my Alpine image to Alpine v3.13. However, looking into Alpine's v3.13 release notes (here: https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable) you'll see that this same vulnerability appears, in Alpine's security advisory, to be fixed only in nodejs v14.15.4-r0.
I am running a vulnerability scanner on my Alpine 3.13 image, and it identifies CVE-2020-8265, even though it was supposed to be fixed as early as nodejs v12.20.1, as stated above.
And therefore - the dispute.
My question: Should I consider this vulnerability a false positive, and follow the release notes of node? Or should I use Alpine's determination and upgrade my nodejs version to v14.15.4-r0, where Alpine claim it to be fixed?
Thank you very much!