cross-spawn 7.0.3 issue

[nittin2305]

Environment

• Platform:
• Docker Version:
• Node.js Version:
• Image Tag: node:18-alpine

Expected Behavior

High Vulnerability due to cross-spawn@7.0.3

Current Behavior

T

Possible Solution

update cross-spawn to version 7.0.5

update cross-spawn to version 7.0.5

Steps to Reproduce

Additional Information

[nschonni]

That is likely a dependency of NPM, and we do not update the image with a version of NPM except for the one shipped by Node.js. You can see if it is addressed upstream and if it will be in an upcoming Node.js release

https://github.com/nodejs/docker-node/blob/main/SECURITY.md

[ACoolmanTelicent]

For other travellers npm/cli#7902

[jeffrey-zhang]

NPM has released the new version to fix this. so, do we have any plan to rebuild and release our base image to include this fix.

[feenst]

For scanned images where npm is needed, I can update to a version of npm where this is fixed in my Dockerfile at references a published docker-node image:

FROM node:18-alpine

RUN npm install -g npm@10.9.1

For scanned images where npm is not needed (i.e. not part of a build process), I would just remove npm (and yarn):

FROM node:18-alpine

RUN npm uninstall npm -g \
    && rm -rf /opt/yarn-v$YARN_VERSION/ \
    && rm /usr/local/bin/yarn \
    && rm /usr/local/bin/yarnpkg \