
fix(security): upgrade npm in Docker images to patch CVE-2026-33671/33672/45149/33750/42338 #64

Merged

dzhhem merged 4 commits into master from fix/security-bump-npm-docker-bundled-deps on May 20, 2026

Conversation

@dzhhem
Collaborator

@dzhhem dzhhem commented May 20, 2026

Description

Upgrades npm to latest in the base and runner stages of all three Dockerfiles (apps/api, apps/bot, apps/web).

All five CVEs reside in npm's own bundled dependencies at usr/local/lib/node_modules/npm/node_modules/ — not in project dependencies managed by pnpm. The node:24-alpine base image ships with an npm version that bundles outdated picomatch, brace-expansion, and ip-address. Upgrading npm globally replaces its bundled internals with patched versions.

Both base and runner stages are patched because Trivy scans the final image layer (runner) separately.

Closes #63

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)

How Has This Been Tested?

Trivy scan runs automatically on this PR via CI (release.yml). Results are visible in the Security → Code scanning alerts tab of this PR.

  • Unit tests (Jest/Vitest)
  • Integration tests
  • Manual testing (CI Trivy scan on PR branch)

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have documented non-obvious behavior or constraints where necessary
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • (If API) Database migrations have been created and tested
  • (If UI) Changes look good on mobile and desktop

…-expansion, ip-address CVEs

  CVEs addressed:
  - CVE-2026-33671 (HIGH)   picomatch 4.0.3 → 4.0.4  ReDoS via extglob
  - CVE-2026-33672 (MEDIUM) picomatch 4.0.3 → 4.0.4  method injection via POSIX bracket
  - CVE-2026-45149 (MEDIUM) brace-expansion 5.0.4 → 5.0.6  large numeric range DoS
  - CVE-2026-33750 (MEDIUM) brace-expansion 5.0.4 → 5.0.5  zero-step DoS
  - CVE-2026-42338 (MEDIUM) ip-address 10.1.0 → 10.1.1

  All vulns live in npm's own bundled deps at usr/local/lib/node_modules/npm/node_modules/.
  Fix: upgrade npm@latest in base and runner stages of all three Dockerfiles.
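The Dockerfile shape the description and commit message refer to, as an added example that is not one of the project's three Dockerfiles: the stage names (base, build, runner), pnpm enabled through corepack, the copy paths and the start command are assumptions made for illustration. What the page does support is the mechanism: npm's bundled dependencies live under /usr/local/lib/node_modules/npm/node_modules/, a global npm upgrade replaces them, and the runner stage needs its own upgrade because it starts from the stock image and is scanned as the final layer.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the repository's own Dockerfile. Stage names, the
# corepack/pnpm setup, copy paths and CMD are assumptions for illustration.

FROM node:24-alpine AS base
# The node image ships npm with its own bundled dependencies under
# /usr/local/lib/node_modules/npm/node_modules/ (picomatch, brace-expansion,
# ip-address, ...). These are not managed by pnpm, so the only way to move
# them is to replace npm itself. "@latest" is unpinned; see the note below.
RUN npm install -g npm@latest
# Assumption: pnpm version comes from the "packageManager" field in package.json.
RUN corepack enable
WORKDIR /app

FROM base AS build
COPY package.json pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile
COPY . .
RUN pnpm build

# The runner starts from the stock image again, so it inherits the stock npm
# and must be patched on its own: the scanner reports the final layer
# separately, and a fix confined to "base" would not show up there.
FROM node:24-alpine AS runner
RUN npm install -g npm@latest
# Build-time check: print the bundled versions so a failed upgrade is visible
# in the build log rather than only in a later scan. A package missing from
# that directory makes node throw and fails the build, which is the intent.
RUN for p in picomatch brace-expansion ip-address; do \
      node -p "'$p ' + require('/usr/local/lib/node_modules/npm/node_modules/$p/package.json').version"; \
    done
WORKDIR /app
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
USER node
CMD ["node", "dist/main.js"]
```

Two caveats a reviewer would raise on this shape. `npm@latest` is not reproducible: two builds a week apart can pull different npm versions, so once the build log confirms the bundled versions have reached the fixed releases listed in the commit message, pin that npm version explicitly and let a dependency-update bot bump it. And the version check above only proves what npm bundles at build time; the authoritative result is still the scan of the final image (`trivy image <tag>`), which is what the PR relies on.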
@dzhhem dzhhem requested a review from BODMAT May 20, 2026 07:03
@dzhhem dzhhem self-assigned this May 20, 2026
@vercel

vercel Bot commented May 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: fin-track-web
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): May 20, 2026 8:32am

@dzhhem dzhhem merged commit a2df3e6 into master May 20, 2026
17 checks passed
@dzhhem dzhhem deleted the fix/security-bump-npm-docker-bundled-deps branch May 20, 2026 08:54


Development

Successfully merging this pull request may close these issues.

fix: CVE vulnerabilities in npm bundled dependencies inside Docker images

2 participants