yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

[seekjp]

https://nvd.nist.gov/vuln/detail/CVE-2020-7608

Can we please include the patched version of the dependency

[LaurentGoderre]

I don't believe we use this in our images do we?

[seekjp]

Yes, It was reported when the node image 12.16.1-alpine3.11 was scanned using aqua container scanner.

Full path to resource: /usr/local/lib/node_modules/npm/node_modules/yargs-parser

[nschonni]

That would be the version of NPM that ships with Node, there is nothing that we can change in the image for that

[seekjp]

Do you have any suggestion on how do we address this vulnerability?

[nschonni]

You could updated the global NPM install on your image with npm install --global npm, but that wouldn't be something that would be added here

[seekjp]

Sure, we could try that. Not sure why can't this be fixed within the container by pulling the node_modules used so that the vulnerability is fixed for everyone who pulls the node image.

[STLMikey]

@seekjp Using a different npm version than that which ships with the specified node version is a divergence that the maintainers likely don't want to introduce. We're running into a similar issue ourselves with the vulnerability scan - but right now I'm not sure we have an answer outside of building a new container with the updated npm version

[seekjp]

@STLMikey - Thanks. So getting the npm version updated and published as a new base image into our docker repo is the way to go in this case.

[STLMikey]

@seekjp Yes - that's what we'll be doing as well. Looks like node14 has an updated npm version, so that's the timeline for switching back to an official base.

In our case, we use the alpine image, so copying that Dockerfile and modifying the install command to include a specific version of NPM && npm install -g npm@6.14.4 \ && npm --version seems to be working, although we are still in early stages. Be careful modifying the npm install command later in the Dockerfile as many vulnerability scans will scan each layer of the image, not just the final result.

If you're just scanning the final result, your own Dockerfile can just use npm install -g npm@6.14.4 (6.14.4 is at least the version that fixes our vulnerability scan, your mileage may vary)

[seekjp]

@STLMikey
Updated version of yargs-parser has not been included in the latest version on npm, so we ended up updating it like below at the end of the Dockerfile for our base.

RUN cd /usr/local/lib/node_modules/npm && npm install yargs-parser@13.1.2
RUN cd /usr/local/lib/node_modules/npm/node_modules/yargs && npm install yargs-parser@13.1.2