Conversation
- Fix BE major CVEs
- Fix dockerfile image reference format issue
- Clear up previous package fix
- Update node image to fix CVEs
- Update to resolve CVE-2026-24842 issue
- Change way to update tar package for npm module
- Change to use node 22
- Restore to use node 25
- Add npm install
- Fix GHSA-7h2j-956f-4vf2 issue
- Update npm to the latest version
- Fix CVE-2026-26996
- Update dockerfile to add brace-expansion support
- Fix dependency issue again
- Fix minimatch version issue
Pull request overview
This PR merges release 1.5.7 into main, primarily updating Node/Docker build setup and refreshing npm lockfile dependency versions (likely in response to security advisories).
Changes:
- Moves `nodemon` from `dependencies` to `devDependencies` in `package.json`.
- Updates `Dockerfile` base image and adds steps to patch vulnerabilities in npm's bundled dependencies.
- Updates `package-lock.json` with newer versions for several dev tooling/transitive packages (e.g., vitest-related packages, rollup, esbuild, qs, semver).
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| package.json | Adjusts dependency classification (nodemon) and modifies overrides. |
| package-lock.json | Refreshes locked transitive versions to newer patch releases. |
| Dockerfile | Switches Node base image and performs explicit patching of npm’s bundled deps before installing production deps. |
| "@vitest/coverage-v8": "^4.0.15", | ||
| "vitest": "^4.0.15" | ||
| "vitest": "^4.0.15", | ||
| "nodemon": "^3.1.11" |
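Review bot: moving `nodemon` to devDependencies only keeps it out of the production image if the Dockerfile's install step omits dev dependencies (`npm ci --omit=dev` or `npm install --omit=dev`); confirm that flag is set there, because this hunk by itself does not change what the image installs.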
nodemon was moved to devDependencies, but scripts.start still runs nodemon app.js. In production installs (and any environment doing npm ci --omit=dev), npm start will fail because nodemon won’t be installed. Consider changing start to run node app.js and adding a separate dev script that uses nodemon.
| "overrides": { | ||
| "glob": "^11.1.0", | ||
| "tar": "^7.5.4" | ||
| "minimatch": "^3.1.2" | ||
| }, |
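Review bot: `overrides` only rewrites versions inside this project's own dependency tree; the copies of `tar` and `minimatch` bundled under npm's global install are not touched by it, so the overrides and the Dockerfile patch steps address two different trees and the PR should state which one each is meant to fix. Also, `"tar": "^7.5.4"` is a caret range that still admits 7.5.4 itself, the version the Dockerfile comment calls vulnerable; if an override is meant to enforce a fixed version, use `>=7.5.8` or an exact pin, and run `npm ls tar minimatch glob` to confirm what the override actually changes in the lockfile.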
The overrides section pins glob and minimatch, but glob doesn’t appear in package-lock.json at all, so that override currently has no effect. Also, the minimatch override is constrained to 3.x (^3.1.2), which won’t address issues affecting npm’s bundled minimatch 10.x (as referenced in the Dockerfile). Consider removing unused overrides and clarifying whether these are meant to remediate project deps vs npm’s bundled deps.
| @@ -1,63 +1,47 @@ | |||
| FROM node:24.13.0-alpine3.23 | |||
| FROM node:25.6.1-slim | |||
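Review bot: this FROM line changes two things at once, the Node major (24 to 25) and the base distribution (`alpine3.23` to Debian `slim`), which swaps the entire OS-level package set that image scanners report on; if the motivation is CVE remediation, record which findings were Alpine-package CVEs and which were npm-bundled ones, so the distro switch is a deliberate choice rather than a side effect. Whichever tag is kept, pin it by digest (`node:<tag>@sha256:…`) so a rebuild does not silently pick up a different image.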
The base image was changed to Node 25.6.1, but CI runs tests on Node 22.x (see .github/workflows/test.yml). This version mismatch can lead to “works in CI, breaks in prod” (and Node 25 is non‑LTS). Consider aligning the Docker base image with the CI/runtime Node version (or updating CI and/or declaring engines.node in package.json).
| FROM node:25.6.1-slim | |
| FROM node:22-slim |
| # Upgrade npm to latest version to address CVE-2026-0775 (npm 11.8.0 vulnerability) | ||
| RUN npm install -g npm@latest | ||
|
|
||
| # Update tar to 7.5.8 to fix CVE in npm's bundled tar (7.5.4) | ||
| RUN mkdir -p /tmp/tar-update && \ | ||
| cd /tmp/tar-update && \ | ||
| npm init -y && \ | ||
| npm install tar@7.5.8 --legacy-peer-deps && \ | ||
| rm -rf /usr/local/lib/node_modules/npm/node_modules/tar && \ | ||
| cp -r node_modules/tar /usr/local/lib/node_modules/npm/node_modules/ && \ | ||
| rm -rf /tmp/tar-update | ||
|
|
||
| # Fix CVE GHSA-7h2j-956f-4vf2: Update @isaacs/brace-expansion from 5.0.0 to 5.0.1 in npm's node_modules | ||
| RUN mkdir -p /tmp/brace-expansion-update && \ | ||
| cd /tmp/brace-expansion-update && \ | ||
| npm init -y && \ | ||
| npm install @isaacs/brace-expansion@5.0.1 --legacy-peer-deps && \ | ||
| rm -rf /usr/local/lib/node_modules/npm/node_modules/@isaacs/brace-expansion && \ | ||
| cp -r node_modules/@isaacs/brace-expansion /usr/local/lib/node_modules/npm/node_modules/@isaacs/ && \ | ||
| rm -rf /tmp/brace-expansion-update | ||
|
|
||
| # Fix minimatch vulnerability: Update npm's bundled minimatch from 10.1.2 to 10.2.1 (and deps: brace-expansion, balanced-match) | ||
| RUN mkdir -p /tmp/minimatch-update && \ | ||
| cd /tmp/minimatch-update && \ | ||
| npm init -y && \ | ||
| npm install minimatch@10.2.1 --legacy-peer-deps && \ | ||
| rm -rf /usr/local/lib/node_modules/npm/node_modules/minimatch && \ | ||
| cp -r node_modules/minimatch /usr/local/lib/node_modules/npm/node_modules/ && \ | ||
| rm -rf /usr/local/lib/node_modules/npm/node_modules/brace-expansion && \ | ||
| cp -r node_modules/brace-expansion /usr/local/lib/node_modules/npm/node_modules/ && \ | ||
| rm -rf /usr/local/lib/node_modules/npm/node_modules/balanced-match && \ | ||
| cp -r node_modules/balanced-match /usr/local/lib/node_modules/npm/node_modules/ && \ | ||
| rm -rf /tmp/minimatch-update | ||
|
|
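Review bot: the tar step (`rm -rf /usr/local/lib/node_modules/npm/node_modules/tar && cp -r node_modules/tar ...`) swaps only the tar package itself, whereas the minimatch step also copies `brace-expansion` and `balanced-match`; tar has runtime dependencies of its own, and the copied tar will resolve whatever versions of those npm's tree already holds, so either copy tar's dependency subtree the same way or verify after the copy that the versions present are the intended ones. Two further points on this hunk: `RUN npm install -g npm@latest` is unpinned, so each build may fetch a different npm whose bundled layout the later `rm -rf`/`cp -r` lines assume, and because image layers are additive the vulnerable copies removed here still exist in the lower layers (layer-aware scanners may keep flagging them and the image only grows); pin npm to an exact version and finish the stage with a check that fails the build when the expected package versions are not at the expected paths.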
The Dockerfile is directly replacing packages inside npm’s own installation directory (e.g., /usr/local/lib/node_modules/npm/node_modules/...). This is brittle because npm’s internal dependency layout can change across npm releases (and you’re also installing npm@latest), which can silently reintroduce vulnerabilities or break npm behavior. Prefer selecting a base image/npm version that already includes the patched transitive deps, or pin npm to a known-good version and add a verification step (e.g., npm --version / checking the patched package versions) so the build fails if the expected paths/versions aren’t present.
| # Upgrade npm to latest version to address CVE-2026-0775 (npm 11.8.0 vulnerability) | |
| RUN npm install -g npm@latest | |
| # Update tar to 7.5.8 to fix CVE in npm's bundled tar (7.5.4) | |
| RUN mkdir -p /tmp/tar-update && \ | |
| cd /tmp/tar-update && \ | |
| npm init -y && \ | |
| npm install tar@7.5.8 --legacy-peer-deps && \ | |
| rm -rf /usr/local/lib/node_modules/npm/node_modules/tar && \ | |
| cp -r node_modules/tar /usr/local/lib/node_modules/npm/node_modules/ && \ | |
| rm -rf /tmp/tar-update | |
| # Fix CVE GHSA-7h2j-956f-4vf2: Update @isaacs/brace-expansion from 5.0.0 to 5.0.1 in npm's node_modules | |
| RUN mkdir -p /tmp/brace-expansion-update && \ | |
| cd /tmp/brace-expansion-update && \ | |
| npm init -y && \ | |
| npm install @isaacs/brace-expansion@5.0.1 --legacy-peer-deps && \ | |
| rm -rf /usr/local/lib/node_modules/npm/node_modules/@isaacs/brace-expansion && \ | |
| cp -r node_modules/@isaacs/brace-expansion /usr/local/lib/node_modules/npm/node_modules/@isaacs/ && \ | |
| rm -rf /tmp/brace-expansion-update | |
| # Fix minimatch vulnerability: Update npm's bundled minimatch from 10.1.2 to 10.2.1 (and deps: brace-expansion, balanced-match) | |
| RUN mkdir -p /tmp/minimatch-update && \ | |
| cd /tmp/minimatch-update && \ | |
| npm init -y && \ | |
| npm install minimatch@10.2.1 --legacy-peer-deps && \ | |
| rm -rf /usr/local/lib/node_modules/npm/node_modules/minimatch && \ | |
| cp -r node_modules/minimatch /usr/local/lib/node_modules/npm/node_modules/ && \ | |
| rm -rf /usr/local/lib/node_modules/npm/node_modules/brace-expansion && \ | |
| cp -r node_modules/brace-expansion /usr/local/lib/node_modules/npm/node_modules/ && \ | |
| rm -rf /usr/local/lib/node_modules/npm/node_modules/balanced-match && \ | |
| cp -r node_modules/balanced-match /usr/local/lib/node_modules/npm/node_modules/ && \ | |
| rm -rf /tmp/minimatch-update | |
| # Pin npm to a specific version that includes the required security fixes. | |
| # Avoid manually modifying npm's internal node_modules tree, which is brittle | |
| # and may break when npm's internal layout changes. | |
| RUN npm install -g npm@11.9.0 && npm --version |
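A verification step of the kind the comment above asks for, written as an added example (not the project's code or the reviewer's suggestion): it reads the `version` field of each patched package's `package.json` under npm's bundled tree and fails the build when a package is missing or older than expected. The script path, the `COPY`/`RUN` wiring and the package list are assumptions taken from the PR's own RUN steps.

```shell
#!/bin/sh
# Build-time check for packages replaced inside npm's own node_modules tree:
# exits non-zero when a package is missing or older than the version expected.
# Added example, not the project's code; the paths and versions in the usage
# line are assumptions taken from the PR's RUN steps.
# Assumed Dockerfile usage, placed after the RUN steps that patch npm's tree:
#   RUN sh /usr/local/bin/check_bundled.sh /usr/local/lib/node_modules/npm/node_modules \
#       tar=7.5.8 @isaacs/brace-expansion=5.0.1 minimatch=10.2.1

pkg_version() {
  # Print the "version" field of $1/package.json (first match); no node or jq needed.
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1/package.json" | head -n 1
}

version_ge() {
  # Return 0 when dotted version $1 >= $2, comparing up to three numeric parts.
  # A prerelease suffix (1.2.3-rc.1) is dropped, so it compares equal to 1.2.3.
  a=${1%%-*}; b=${2%%-*}
  i=1
  while [ "$i" -le 3 ]; do
    # The trailing dot guarantees a delimiter, so cut yields "" for absent parts.
    x=$(printf '%s.' "$a" | cut -d. -f"$i"); y=$(printf '%s.' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

check_bundled_versions() {
  # $1 = node_modules root to inspect; remaining args = <package>=<minimum version>.
  root=$1; shift
  rc=0
  for spec in "$@"; do
    pkg=${spec%=*}; want=${spec##*=}
    if [ ! -f "$root/$pkg/package.json" ]; then
      echo "FAIL: $pkg not present under $root" >&2
      rc=1; continue
    fi
    have=$(pkg_version "$root/$pkg")
    if version_ge "$have" "$want"; then
      echo "OK:   $pkg $have (>= $want)"
    else
      echo "FAIL: $pkg is $have, expected >= $want" >&2
      rc=1
    fi
  done
  return "$rc"
}
```

Unlike `npm --version` alone, this fails the build when a `cp -r` step lands in the wrong directory or a new npm release ships a different bundled version than the one the Dockerfile comments claim.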