Fix CVE-2024-21538 vulnerability #3153

mkurapov · 2024-12-05T11:53:54Z

Context

Our Docker image scanning checks are failing because of cross-spawn v7.0.3 vulnerability CVE-2024-21538 :

NAME         INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY 
cross-spawn  7.0.3      7.0.5     npm   GHSA-3xgq-45jj-v275  High      
libcrypto3   3.1.7-r0   3.1.7-r1  apk   CVE-2024-9143        Medium    
libssl3      3.1.7-r0   3.1.7-r1  apk   CVE-2024-9143        Medium    
micromatch   4.0.5      4.0.8     npm   GHSA-952p-6rrq-rcjv  Medium

More details: after adding overrides in #3154, we are still failing our vulnerability scans. This is because the package is used in npm, and even though npm was updated with the fix in 10.9.1: npm/cli#7902, npm needs to be updated in our node 20 version as well, which seems to be blocked. Once Node is updated with the latest npm version, this vulnerability will be fixed.

The text was updated successfully, but these errors were encountered:

mkurapov self-assigned this Dec 5, 2024

github-project-automation bot added this to Rafiki Dec 5, 2024

github-project-automation bot moved this to Backlog in Rafiki Dec 5, 2024

mkurapov mentioned this issue Dec 5, 2024

chore: add override for cross-spawn vulnerability #3154

Merged

6 tasks

mkurapov moved this from Backlog to In Progress in Rafiki Dec 6, 2024

mkurapov changed the title ~~Fix cross-spawn vulnerability~~ Fix CVE-2024-21538 vulnerability Dec 6, 2024

mkurapov moved this from In Progress to Backlog in Rafiki Dec 6, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix CVE-2024-21538 vulnerability #3153

Fix CVE-2024-21538 vulnerability #3153

mkurapov commented Dec 5, 2024 •

edited

Loading

Fix CVE-2024-21538 vulnerability #3153

Fix CVE-2024-21538 vulnerability #3153

Comments

mkurapov commented Dec 5, 2024 • edited Loading

Context

mkurapov commented Dec 5, 2024 •

edited

Loading