Skip to content

Fix build failing due to vulns found by Trivy#25

Merged
boite merged 2 commits intomasterfrom
fix-outdated-revealed-by-trivy
Mar 22, 2026
Merged

Fix build failing due to vulns found by Trivy#25
boite merged 2 commits intomasterfrom
fix-outdated-revealed-by-trivy

Conversation

@boite
Copy link
Collaborator

@boite boite commented Mar 22, 2026

There are two way to fix the build failures: stop using node 20 and install 22; and make the build update the transitive dependencies (hopefully this updates vulnerable deps to non-vulnerable ones). This PR does the latter because it is less disruptive to the consumers of these images.

  • chore: reduce scheduled build from daily to weekly on Thursdays
  • fix: update npm to resolve Trivy CVEs in bundled dependencies

boite and others added 2 commits March 22, 2026 10:13
@boite @claude
chore: reduce scheduled build from daily to weekly on Thursdays
85a499c 
Thursday chosen to avoid build failures needing attention on the
busiest days of the working week.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@boite @claude
fix: update npm to resolve Trivy CVEs in bundled dependencies
49a40b7 
Upgrades npm to latest after Node.js install to patch vulnerable
transitive dependencies (cross-spawn, glob, minimatch, tar).
Chose to update npm rather than upgrade to Node.js 22 to avoid
potential breaking changes for downstream consumers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@boite boite merged commit 567f8ff into master Mar 22, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@boite