fix(security): remediate Trivy HIGH CVEs in container image #3

Merged
jason.woltje merged 1 commits from fix/trivy-hardening into main 2026-04-14 03:40:00 +00:00
Owner

Pipeline #6 failed at . Addressing all HIGH findings.

Changes

  • next 16.2.2 → 16.2.3 (GHSA-q4gf-8mx6-v5v3, RSC DoS)
  • pnpm overrides force minimatch≥10.2.3, picomatch≥4.0.4, tar≥7.5.11 (5 CVEs)
  • Dockerfile runner: pulls patched openssl 3.5.6-r0 and zlib 1.3.2-r0 (CVE-2026-28390, CVE-2026-22184)

Test plan

  • Trivy scan clean on HIGH/CRITICAL
  • Kaniko publishes sha-<short> + latest
  • link-package returns 201/204/400
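The first test-plan item ("Trivy scan clean on HIGH/CRITICAL") is the gate this PR is meant to satisfy. As an added illustration, not code from this repository or its pipeline, the script below reads the JSON that `trivy image --format json` emits and fails the build when a HIGH or CRITICAL finding with a fix available remains; unfixed findings are reported but not blocking by default, matching Trivy's own `--ignore-unfixed` behaviour. The embedded reports are constructed: the CVE ids and fixed versions for openssl and zlib are the ones named in the PR, the installed versions and the extra MEDIUM/unfixed entries are placeholders.

```python
"""Fail a CI job on actionable HIGH/CRITICAL Trivy findings.

Added example, not part of the PR. Consumes the report written by
`trivy image --format json -o report.json <image>`; run with a path
argument, or with no argument to exercise the constructed sample.
"""
import json
import sys
from collections import Counter

BLOCKING = {"HIGH", "CRITICAL"}


def blocking_findings(report: dict, ignore_unfixed: bool = True) -> list:
    """Return findings that should fail the build.

    Each entry is (target, vuln_id, package, installed, fixed, severity).
    With ignore_unfixed=True, HIGH/CRITICAL entries with no FixedVersion
    are skipped: nothing can be upgraded yet, so they are tracked, not gated.
    """
    out = []
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for v in result.get("Vulnerabilities") or []:
            sev = str(v.get("Severity", "UNKNOWN")).upper()
            if sev not in BLOCKING:
                continue
            fixed = v.get("FixedVersion") or ""
            if ignore_unfixed and not fixed:
                continue
            out.append((target, v["VulnerabilityID"], v["PkgName"],
                        v.get("InstalledVersion", "?"), fixed, sev))
    return out


def severity_counts(report: dict) -> Counter:
    """Count every finding in the report by severity, for the job log."""
    return Counter(
        str(v.get("Severity", "UNKNOWN")).upper()
        for r in report.get("Results", [])
        for v in (r.get("Vulnerabilities") or [])
    )


def gate(report: dict) -> int:
    """Print a summary and return the process exit code (1 = block merge)."""
    print("severity summary:", dict(severity_counts(report)))
    findings = blocking_findings(report)
    for target, vid, pkg, installed, fixed, sev in findings:
        print(f"BLOCK {sev:<8} {vid:<18} {pkg} {installed} -> fix {fixed} ({target})")
    return 1 if findings else 0


# Constructed pre-upgrade report. Installed versions are placeholders;
# CVE ids and fixed versions come from the PR description. The MEDIUM entry
# and the HIGH entry without a fix exist only to show the filtering rules.
SAMPLE_BEFORE = {"Results": [{
    "Target": "example-image (alpine) [constructed]",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2026-28390", "PkgName": "openssl",
         "InstalledVersion": "3.5.5-r0 (placeholder)", "FixedVersion": "3.5.6-r0",
         "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2026-22184", "PkgName": "zlib",
         "InstalledVersion": "1.3.1-r0 (placeholder)", "FixedVersion": "1.3.2-r0",
         "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-XXXX-MEDIUM-PLACEHOLDER", "PkgName": "busybox",
         "InstalledVersion": "placeholder", "FixedVersion": "placeholder",
         "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-XXXX-UNFIXED-PLACEHOLDER", "PkgName": "musl",
         "InstalledVersion": "placeholder", "FixedVersion": "",
         "Severity": "HIGH"},
    ]}]}

# Constructed post-upgrade report: the apk upgrade removed both fixable findings.
SAMPLE_AFTER = {"Results": [{
    "Target": "example-image (alpine) [constructed]",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-XXXX-UNFIXED-PLACEHOLDER", "PkgName": "musl",
         "InstalledVersion": "placeholder", "FixedVersion": "",
         "Severity": "HIGH"},
    ]}]}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.exit(gate(json.load(fh)))
    sys.exit(gate(SAMPLE_BEFORE))
```

In a pipeline this runs after the Kaniko build and before the push of the `latest` tag, so an image with an actionable HIGH finding is never published under a floating tag. Passing `ignore_unfixed=False` turns the unfixed entries into blockers as well, which is the stricter policy for images that must stay clean regardless of upstream fix availability.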
jason.woltje added 1 commit 2026-04-14 03:38:12 +00:00
fix(security): remediate Trivy HIGH findings on main image
All checks were successful
ci/woodpecker/pr/web Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
0637992723
- Bump next 16.2.2 -> 16.2.3 (GHSA-q4gf-8mx6-v5v3 RSC DoS)
- pnpm overrides: minimatch>=10.2.3, picomatch>=4.0.4, tar>=7.5.11
  (CVE-2026-27903/27904, 33671, 29786, 31802)
- Dockerfile runner: apk upgrade --no-cache pulls patched openssl 3.5.6-r0
  and zlib 1.3.2-r0 before installing wget (CVE-2026-28390, 22184)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jason.woltje merged commit 261c0019bb into main 2026-04-14 03:40:00 +00:00

Reference: jason.woltje/professional-website#3