Heads up of Node.js security releases 12th October 2021

[mcollina]

As per the Node.js security release process this is the FYI that there is going to be a security release 12th October 2021

[djejaquino]

@mcollina do you think CVE-2021-3807 would be patched for node:14-alpine3.14 in the referred release?

[SimenB]

Probably not, it's pulled in transitively by npm - you should ask them to update whatever is needed down their dependency tree, then that will trickle into the node distro and then into the docker image.

$ docker run -it --entrypoint=sh node:alpine -c 'npm ls -g ansi-regex'
/usr/local/lib
`-- npm@7.24.0
  +-- cli-columns@3.1.2
  | +-- string-width@2.1.1
  | | `-- strip-ansi@4.0.0
  | |   `-- ansi-regex@3.0.0
  | `-- strip-ansi@3.0.1
  |   `-- ansi-regex@2.1.1
  `-- cli-table3@0.6.0
    `-- string-width@4.2.2
      `-- strip-ansi@6.0.0
        `-- ansi-regex@5.0.0

npm/cli#3813 was included in yesterday's v8 release of npm, so you're probably out of luck though (I don't know this).

And regardless, npm@8 still pulls in a vulnerable version

$ docker run -it --entrypoint=sh node:alpine -c 'npm install -g npm && npm ls -g ansi-regex'

removed 44 packages, changed 24 packages, and audited 221 packages in 8s

10 packages are looking for funding
  run `npm fund` for details

3 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
npm notice
npm notice New major version of npm available! 7.24.0 -> 8.0.0
npm notice Changelog: /~https://github.com/npm/cli/releases/tag/v8.0.0
npm notice Run npm install -g npm@8.0.0 to update!
npm notice
/usr/local/lib
`-- npm@8.0.0
  +-- cli-columns@4.0.0
  | `-- strip-ansi@6.0.1
  |   `-- ansi-regex@5.0.1
  +-- cli-table3@0.6.0
  | `-- string-width@4.2.2
  |   `-- strip-ansi@6.0.0
  |     `-- ansi-regex@5.0.0
  +-- columnify@1.5.4
  | `-- strip-ansi@3.0.1
  |   `-- ansi-regex@2.1.1
  `-- npmlog@5.0.1
    `-- gauge@3.0.1
      `-- string-width@2.1.1
        `-- strip-ansi@4.0.0
          `-- ansi-regex@3.0.0

---

In summary - you need to ask npm to fix this, then when that update lands in Node it will be pulled in here. This docker image only ships what Node does.

At time of writing the latest commit on Node's master branch is an update to npm (nodejs/node#40369) which updates to version 8 - but as noted that version still transitively pulls in a vulnerable version of ansi-regex

[SimenB]

Release is out, but the MUSL builds aren't ready.

I'll be AFK the rest of the evening, /cc @nodejs/docker for others to make the update 🙂

[PeterDaveHello]

Yeah I'm also looking into this, the unofficial is always a blocker to this 😢

~/repos/docker-node $ ./update.sh 
Updating version 12...
Updating version 14...
12/bullseye/Dockerfile is already up to date!
12/bullseye-slim/Dockerfile is already up to date!
Updating version 16...
12/buster/Dockerfile is already up to date!
12/stretch/Dockerfile is already up to date!
12/buster-slim/Dockerfile is already up to date!
12/stretch-slim/Dockerfile is already up to date!
14/bullseye/Dockerfile is already up to date!
14/bullseye-slim/Dockerfile is already up to date!
14/buster/Dockerfile is already up to date!
14/stretch/Dockerfile is already up to date!
14/buster-slim/Dockerfile is already up to date!
14/stretch-slim/Dockerfile is already up to date!
curl: (22) The requested URL returned error: 404 Not Found
curl: (22) The requested URL returned error: 404 Not Found
12/alpine3.11/Dockerfile is already up to date!
12/alpine3.12/Dockerfile is already up to date!
curl: (22) The requested URL returned error: 404 Not Found
16/bullseye/Dockerfile is already up to date!
12/alpine3.13/Dockerfile is already up to date!
16/bullseye-slim/Dockerfile is already up to date!
16/buster/Dockerfile is already up to date!
curl: (22) The requested URL returned error: 404 Not Found
16/buster-slim/Dockerfile is already up to date!
12/alpine3.14/Dockerfile is already up to date!
16/stretch/Dockerfile is already up to date!
16/stretch-slim/Dockerfile is already up to date!
curl: (22) The requested URL returned error: 404 Not Found
14/alpine3.12/Dockerfile is already up to date!
curl: (22) The requested URL returned error: 404 Not Found
14/alpine3.11/Dockerfile is already up to date!
curl: (22) The requested URL returned error: 404 Not Found
curl: (22) The requested URL returned error: 404 Not Found
14/alpine3.13/Dockerfile is already up to date!
14/alpine3.14/Dockerfile is already up to date!
curl: (22) The requested URL returned error: 404 Not Found
16/alpine3.11/Dockerfile is already up to date!
curl: (22) The requested URL returned error: 404 Not Found
16/alpine3.12/Dockerfile is already up to date!
curl: (22) The requested URL returned error: 404 Not Found
curl: (22) The requested URL returned error: 404 Not Found
16/alpine3.13/Dockerfile is already up to date!
16/alpine3.14/Dockerfile is already up to date!
Done!

[mcollina]

The releases are out ad ready for integration.

[SimenB]

No, not the musl ones. https://unofficial-builds.nodejs.org/download/release/

[nschonni]

16 is out, just 14 & 12 to go, but it's moving

[nschonni]

Upstream PR docker-library/official-images#11094

[f2404]

Hello.
I used the latest Dockerfile from alpine3.14 (/~https://github.com/nodejs/docker-node/blob/main/16/alpine3.14/Dockerfile) and checked what versions of ansi-regex the container has. It seems it still contains versions ansi-regex@5.0.0, ansi-regex@2.1.1, and ansi-regex@3.0.0 that have the vulnerability?

/ # npm list -g ansi-regex
/usr/local/lib
`-- npm@8.1.0
  +-- cli-columns@4.0.0
  | `-- strip-ansi@6.0.1
  |   `-- ansi-regex@5.0.1
  +-- cli-table3@0.6.0
  | `-- string-width@4.2.2
  |   `-- strip-ansi@6.0.0
  |     `-- ansi-regex@5.0.0
  +-- columnify@1.5.4
  | `-- strip-ansi@3.0.1
  |   `-- ansi-regex@2.1.1
  `-- npmlog@5.0.1
    `-- gauge@3.0.1
      `-- string-width@2.1.1
        `-- strip-ansi@4.0.0
          `-- ansi-regex@3.0.0

[William-Froelich]

I'm seeing what @f2404 is seeing too. Is there something I'm doing wrong when using the container?

Is this not the correct container to be using for the base in the dockerfile?
FROM node:16-alpine

[SimenB]

See #1574 (comment). This is npm, not the docker image. Report it to npm