fix(security): Update vulnerable Node.js dependencies (cross-spawn, glob, tar) #179

Closed
opened 2026-02-01 23:55:08 +00:00 by jason.woltje · 0 comments
Owner

Summary

Trivy scan identified HIGH severity vulnerabilities in Node.js dependencies affecting both API and Web images.

Affected Packages

| Package | Current | Fixed | CVEs |
|---------|---------|-------|------|
| cross-spawn | 7.0.3 | 7.0.5 | CVE-2024-21538 |
| glob | 10.4.2, 10.4.5 | 10.5.0 or 11.1.0 | CVE-2025-64756 |
| tar | 6.2.1, 7.5.1 | 7.5.7 | CVE-2026-23745, CVE-2026-23950, CVE-2026-24842 |

Affected Images

  • mosaic/api
  • mosaic/web

Remediation

  1. Run pnpm update cross-spawn glob tar in project root
  2. If major version changes are needed, update package.json manually
  3. Rebuild and push images
  4. Verify vulnerabilities are resolved in Harbor

Priority

HIGH - These are production images with known vulnerabilities.

jason.woltje added the security label 2026-02-01 23:55:08 +00:00
jason.woltje added this to the M4.2-Infrastructure (0.0.4) milestone 2026-02-01 23:57:13 +00:00
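A local version of the verification step, added here as an example that is not part of the issue or the mosaic project: it scans a `pnpm-lock.yaml` for every resolved version of cross-spawn, glob and tar and reports any still below the fixed versions in the table above, so the lockfile can be checked before images are rebuilt and pushed rather than only after the fact in Harbor. The lockfile excerpt is constructed, the `FIXED_VERSIONS` table is copied from the issue, and the "same major line" policy in `is_fixed` is an assumption made for this example.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions from the issue's table. glob has two fixed release lines
# (10.5.0 for 10.x, 11.1.0 for 11.x); cross-spawn and tar have one each.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "cross-spawn": ["7.0.5"],
    "glob": ["10.5.0", "11.1.0"],
    "tar": ["7.5.7"],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.4.5' (any pre-release suffix dropped) into a comparable tuple."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_fixed(package: str, version: str) -> bool:
    """Assumed policy: a version is fixed if it reaches the fixed release of its
    own major line; if no fixed release exists for that major, only a version
    above the highest fixed release counts (so tar 6.x is always vulnerable)."""
    fixed = [parse_version(v) for v in FIXED_VERSIONS[package]]
    current = parse_version(version)
    same_major = [f for f in fixed if f[0] == current[0]]
    if same_major:
        return current >= min(same_major)
    return current > max(fixed)


# pnpm-lock.yaml v9 lists each resolved package under `packages:` as
# `  name@version:` (optionally followed by a peer suffix in parentheses).
_PACKAGE_KEY = re.compile(r"^ {2}(@?[^@\s]+)@([0-9][\w.\-]*)(?:\([^)]*\))?:\s*$")


def resolved_packages(lock_text: str) -> List[Tuple[str, str]]:
    """Return every (name, version) pair resolved in the lockfile text."""
    found = []
    for line in lock_text.splitlines():
        match = _PACKAGE_KEY.match(line)
        if match:
            found.append((match.group(1), match.group(2)))
    return found


def find_vulnerable(lock_text: str) -> List[Tuple[str, str]]:
    """Resolved versions of the three packages that are still below the fix."""
    return [
        (name, version)
        for name, version in resolved_packages(lock_text)
        if name in FIXED_VERSIONS and not is_fixed(name, version)
    ]


# Constructed lockfile excerpt (not from the mosaic repository). It deliberately
# contains both a vulnerable and a fixed cross-spawn and tar, which is what a
# lockfile looks like when a transitive dependency still pins the old version.
SAMPLE_LOCK = """\
lockfileVersion: '9.0'

packages:

  cross-spawn@7.0.3:
    resolution: {integrity: sha512-constructed}

  cross-spawn@7.0.5:
    resolution: {integrity: sha512-constructed}

  glob@10.4.5:
    resolution: {integrity: sha512-constructed}

  tar@6.2.1:
    resolution: {integrity: sha512-constructed}

  tar@7.5.7:
    resolution: {integrity: sha512-constructed}

  @scope/unrelated@1.0.0:
    resolution: {integrity: sha512-constructed}
"""

if __name__ == "__main__":
    import sys

    # Pass a real pnpm-lock.yaml path to check it; without one, the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    remaining = find_vulnerable(text)
    for name, version in remaining:
        fixed = ", ".join(FIXED_VERSIONS[name])
        print(f"still vulnerable: {name}@{version} (fixed in {fixed})")
    sys.exit(1 if remaining else 0)
```

Run it as `python check_lock.py pnpm-lock.yaml` after `pnpm update`; a non-zero exit means an old version is still resolved somewhere. Because a lockfile can hold several versions of one package, a lingering entry usually means a transitive dependency still requests the old range, which `pnpm update` alone will not change.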
Reference: mosaic/stack#179