fix(infra): remediate all HIGH-severity CVEs in infra images#220
Merged
trivy scan of the published infra images surfaced HIGH findings in three buckets. This clears all of them (verified: every infra image rebuilds to 0 CRITICAL / 0 HIGH on trivy --severity CRITICAL,HIGH).

1. Bundled npm CLI (the dominant source) — node:*-alpine ships an npm whose own deps (tar, glob, minimatch, cross-spawn, picomatch, undici) carry HIGH CVEs. npm `overrides` cannot touch these; upgrading npm just trades one bundled-dep CVE for another. Fix: strip npm/npx from each runtime image. None of the apps need npm at runtime — all start via `node`. overlay-server previously used `CMD ["npm","start"]`; switched to `CMD ["node","dist/index.js"]` (its start script was already just `node dist/index.js`).

2. Real application deps — added npm `overrides` and regenerated lockfiles:
   - wab: form-data 4.0.5 -> 4.0.6 (CVE-2026-12143), undici 6.26.0 -> 6.27.0 (CVE-2026-12151)
   - uhrp-server-cloud-bucket: form-data 2.5.5 -> 2.5.6 (via @types/request) + 4.0.6 (CVE-2026-12143)
   Overrides on the other components (tar/minimatch/glob/cross-spawn/picomatch) are defense-in-depth — those packages are not in the shipped prod trees, but the overrides pin patched versions should a future dep pull them in.

3. OS packages — chaintracks-server: apk upgrade libssl3/libcrypto3 to 3.5.7-r0 (CVE-2026-45447).

Verification: rebuilt all six images locally and re-ran trivy; each reports 0 CRITICAL and 0 HIGH (was: chaintracks 13 HIGH, message-box 11, uhrp 3, wab 3, overlay 1, wallet-infra 1). Builds succeed; overlay's new node CMD resolves dist/index.js and npm is confirmed absent at runtime.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## What

trivy scans of the published `infra/images` surfaced HIGH findings. This PR clears all of them. Verified: every infra image rebuilds to 0 CRITICAL / 0 HIGH.

## Findings & fixes

### 1. Bundled npm CLI (dominant source)

`node:*-alpine` ships an npm whose own deps (`tar`, `glob`, `minimatch`, `cross-spawn`, `picomatch`, `undici`) carry HIGH CVEs — found at `/usr/local/lib/node_modules/npm/node_modules/...`. npm `overrides` can't touch these, and upgrading npm just swaps one bundled-dep CVE for another (npm@11.17.0 still bundles vulnerable undici 6.26.0).

**Fix:** strip `npm`/`npx` from each runtime image. No app needs npm at runtime — all start via `node`. `overlay-server` was using `CMD ["npm","start"]`; switched to `CMD ["node","dist/index.js"]` (its `start` script was already exactly that).

### 2. Real application deps (npm overrides + regenerated lockfiles)

- wab: form-data 4.0.5 → 4.0.6 (CVE-2026-12143), undici 6.26.0 → 6.27.0 (CVE-2026-12151)
- uhrp-server-cloud-bucket: form-data 2.5.5 → 2.5.6 (via `@types/request`) + 4.0.6 (CVE-2026-12143)

Overrides on the other components (tar/minimatch/glob/cross-spawn/picomatch) are defense-in-depth — not in the shipped prod trees, but pinned patched should a future dep introduce them.

### 3. OS packages

`apk upgrade libssl3 libcrypto3` → 3.5.7-r0 (CVE-2026-45447)

## Before → after (HIGH count, `trivy --severity CRITICAL,HIGH`)

| Image | Before | After |
|---|---|---|
| chaintracks | 13 | 0 |
| message-box | 11 | 0 |
| uhrp | 3 | 0 |
| wab | 3 | 0 |
| overlay | 1 | 0 |
| wallet-infra | 1 | 0 |

CRITICAL was 0 throughout.

## Verification

Rebuilt all six images locally and re-ran trivy — each reports 0 CRITICAL / 0 HIGH. Builds succeed; overlay's new `node` CMD resolves `dist/index.js` and npm is confirmed absent at runtime (`command -v npm` → not found).

🤖 Generated with Claude Code
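The runtime-image changes described in buckets 1 and 3 above (and in the squash commit message), shown as an added example Dockerfile. This is not the project's Dockerfile and not part of the PR: the `node:22-alpine` tag, the `build`/`runtime` stage names, the `dist/index.js` entrypoint and the assumption that `package.json` already carries the bucket-2 `overrides` with a regenerated `package-lock.json` are all assumptions made for the example.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not the project's Dockerfile). Assumed: a Node app whose
# build emits dist/index.js, and a package.json whose "overrides" pin the
# patched form-data/undici versions, with package-lock.json regenerated so
# that npm ci accepts it.

FROM node:22-alpine AS build
WORKDIR /app
COPY package.json package-lock.json ./
# npm ci installs exactly what the (override-aware) lockfile records.
RUN npm ci
COPY . .
RUN npm run build && npm prune --omit=dev

FROM node:22-alpine AS runtime
# Bucket 3: pull the patched OS packages before the layer is frozen.
RUN apk upgrade --no-cache libssl3 libcrypto3
# Bucket 1: delete the bundled npm CLI (and the vulnerable node_modules tree
# under it) plus the npm/npx symlinks, then fail the build if either is still
# resolvable on PATH. Only npm/npx are removed, as in the PR.
RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
 && ! command -v npm && ! command -v npx
WORKDIR /app
COPY --from=build /app/node_modules ./node_modules
COPY --from=build /app/dist ./dist
COPY package.json ./
USER node
# Start via node directly; nothing in the runtime image needs npm.
CMD ["node", "dist/index.js"]
```

The `! command -v npm` check at the end of the `RUN` step turns "npm is confirmed absent at runtime" into a build-time guarantee instead of a manual check. To gate the pipeline the way the PR's verification does, scan the built image with `trivy image --severity CRITICAL,HIGH --exit-code 1 <image>`; `--exit-code 1` makes trivy fail the job on any remaining CRITICAL or HIGH finding rather than only listing it.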