
fix(deps): update to node.js 20.18.0 #1224

Merged
merged 1 commit into from
Oct 3, 2024

Conversation

MikeMcC399 (Collaborator)

Issue

Concerning

Image             Debian  Published     Version
cypress/base      12.6    Aug 26, 2024  20.17.0
cypress/browsers  12.7    Sep 25, 2024  node-20.17.0-chrome-129.0.6668.70-1-ff-130.0.1-edge-129.0.2792.52-1
cypress/included  12.7    Sep 25, 2024  13.15.0
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/base:latest
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/browsers:latest
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/included:latest

reports critical issues that are fixed upstream but not yet installed in the image, for example with cypress/base:latest:

cypress/base:latest (debian 12.7)

Total: 5 (CRITICAL: 5)

┌───────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────────┬─────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Status │ Installed Version │   Fixed Version    │                            Title                            │
├───────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────────┼─────────────────────────────────────────────────────────────┤
│ git       │ CVE-2024-32002 │ CRITICAL │ fixed  │ 1:2.39.2-1.1      │ 1:2.39.5-0+deb12u1 │ git: Recursive clones RCE                                   │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-32002                  │
├───────────┤                │          │        │                   │                    │                                                             │
│ git-man   │                │          │        │                   │                    │                                                             │
│           │                │          │        │                   │                    │                                                             │
├───────────┼────────────────┤          │        ├───────────────────┼────────────────────┼─────────────────────────────────────────────────────────────┤
│ libexpat1 │ CVE-2024-45490 │          │        │ 2.5.0-1           │ 2.5.0-1+deb12u1    │ libexpat: Negative Length Parsing Vulnerability in libexpat │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-45490                  │
│           ├────────────────┤          │        │                   │                    ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2024-45491 │          │        │                   │                    │ libexpat: Integer Overflow or Wraparound                    │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-45491                  │
│           ├────────────────┤          │        │                   │                    ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2024-45492 │          │        │                   │                    │ libexpat: integer overflow                                  │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-45492                  │
└───────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────────┴─────────────────────────────────────────────────────────────┘

Change

In factory/.env, bump environment variables:

to rebuild all images including latest Debian 12.x published fixes from the Debian repository.

Verify

cd factory
docker compose build factory
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/factory
docker compose build base
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/base
docker compose build browsers
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/browsers
docker compose build included
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/included:latest

should show for each image variant that there are no longer any (critical) vulnerabilities:

Total: 0 (CRITICAL: 0)
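The scan-and-gate step above is run by hand against four images. The script below, an added example that is not code from this PR or from the repository it targets, applies the same filter as the command line used here (--ignore-unfixed, --pkg-types os, --severity CRITICAL) to Trivy's `--format json` output so a CI job can fail the build and list exactly which package/CVE pairs still need a rebuild. The report embedded in it is a constructed sample modelled on the cypress/base:latest table quoted above; the EXAMPLE-* entries are placeholders, not real vulnerability IDs, and exist only to exercise the unfixed, below-threshold and language-package branches of the filter.

```python
"""Gate a container image on Trivy JSON output, mirroring
`trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL`.

Added example, not part of the PR or repository being discussed.
It relies only on fields Trivy's JSON report carries: Results[].Class,
Results[].Target, Results[].Vulnerabilities[].{VulnerabilityID, PkgName,
InstalledVersion, FixedVersion, Severity, Status}.
"""
import json
import sys

# Trivy's --pkg-types values map onto the Class of each result block.
PKG_TYPE_TO_CLASS = {"os": "os-pkgs", "library": "lang-pkgs"}

# Constructed sample: the three CRITICAL findings from the quoted
# cypress/base:latest report plus placeholder rows (EXAMPLE-*, not real CVEs)
# that the CLI flags above would filter out.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "cypress/base:latest (debian 12.7)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2024-32002", "PkgName": "git",
                 "InstalledVersion": "1:2.39.2-1.1", "FixedVersion": "1:2.39.5-0+deb12u1",
                 "Severity": "CRITICAL", "Status": "fixed"},
                {"VulnerabilityID": "CVE-2024-32002", "PkgName": "git-man",
                 "InstalledVersion": "1:2.39.2-1.1", "FixedVersion": "1:2.39.5-0+deb12u1",
                 "Severity": "CRITICAL", "Status": "fixed"},
                {"VulnerabilityID": "CVE-2024-45490", "PkgName": "libexpat1",
                 "InstalledVersion": "2.5.0-1", "FixedVersion": "2.5.0-1+deb12u1",
                 "Severity": "CRITICAL", "Status": "fixed"},
                # No fix available yet: --ignore-unfixed drops it.
                {"VulnerabilityID": "EXAMPLE-UNFIXED", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "",
                 "Severity": "CRITICAL", "Status": "affected"},
                # Below the CRITICAL threshold.
                {"VulnerabilityID": "EXAMPLE-HIGH", "PkgName": "libexample2",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "HIGH", "Status": "fixed"},
            ],
        },
        {
            # Language packages are excluded by --pkg-types os.
            "Target": "Node.js",
            "Class": "lang-pkgs",
            "Type": "node-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-NPM", "PkgName": "example-npm-pkg",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "CRITICAL", "Status": "fixed"},
            ],
        },
    ]
}

# Constructed sample of a clean rebuild: Trivy omits "Vulnerabilities" entirely
# when a result block has no findings, which the filter must tolerate.
CLEAN_REPORT = {"Results": [{"Target": "cypress/base:latest (debian 12.7)",
                             "Class": "os-pkgs", "Type": "debian"}]}


def findings(report, severities=("CRITICAL",), ignore_unfixed=True, pkg_types=("os",)):
    """Yield (target, package, vuln_id, installed, fixed) for each finding that
    survives the same filter as the trivy flags in this PR."""
    wanted_classes = {PKG_TYPE_TO_CLASS[t] for t in pkg_types}
    for result in report.get("Results", []):
        if result.get("Class") not in wanted_classes:
            continue
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            # --ignore-unfixed == "skip rows with no FixedVersion".
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            yield (result.get("Target"), vuln["PkgName"], vuln["VulnerabilityID"],
                   vuln.get("InstalledVersion", ""), vuln.get("FixedVersion", ""))


def summarize(report, **opts):
    """Count like Trivy's table does: one row per (package, CVE) pair, so
    git and git-man sharing CVE-2024-32002 count as two."""
    rows = list(findings(report, **opts))
    return {"total": len(rows),
            "packages": sorted({row[1] for row in rows}),
            "rows": rows}


def gate(report, **opts):
    """Return the exit status a CI step should use: 1 if anything remains."""
    summary = summarize(report, **opts)
    for target, pkg, vuln_id, installed, fixed in summary["rows"]:
        print(f"{target}: {pkg} {installed} -> {fixed} ({vuln_id})")
    print(f"Total: {summary['total']} (CRITICAL: {summary['total']})")
    return 1 if summary["total"] else 0


if __name__ == "__main__":
    # Usage: trivy image --format json cypress/base:latest | python gate.py
    sys.exit(gate(json.load(sys.stdin)))
```

Run it after each `docker compose build` in place of the table-format scan; a non-zero exit is the signal that the Debian packages baked into the image are still behind the repository, and the printed rows name the packages so the rebuild can be checked against `apt-get` output inside the container.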

@MikeMcC399 MikeMcC399 self-assigned this Oct 3, 2024
@MikeMcC399 MikeMcC399 marked this pull request as ready for review October 3, 2024 18:36
@jennifer-shehane jennifer-shehane merged commit 5d24632 into cypress-io:master Oct 3, 2024
33 checks passed
@MikeMcC399 MikeMcC399 deleted the update/node branch October 4, 2024 05:47
Development

Successfully merging this pull request may close these issues.

Latest Debian 12.x fixes not deployed
3 participants