Add .trivyignore for npm-bundled CVEs pending upstream fix#73
Merged
CVE-2026-27903, CVE-2026-27904 (minimatch) and CVE-2026-29786 (tar) are present in packages bundled inside npm itself, not in our application dependencies. They cannot be resolved by updating package.json — a fix requires a new npm release.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
codedmart approved these changes on Mar 6, 2026
Summary

Trivy image scans are flagging three CVEs that exist inside npm's own bundled dependencies, not in our application code. Because they live within npm itself, we cannot resolve them by updating our `package.json` — a fix requires a new npm release that ships patched internal versions of `minimatch` and `tar`. This PR adds a `.trivyignore` to suppress these findings until that upstream fix is available.

Suppressed CVEs

CVE-2026-27903: minimatch (bundled in npm)
CVE-2026-27904: minimatch (bundled in npm)
CVE-2026-29786: tar (bundled in npm)

Why we can't fix these now

These packages are shipped as internal dependencies of npm itself (under `/usr/lib/node_modules/npm/node_modules/`). Upgrading them requires npm to cut a new release with patched versions. There is no action we can take in this repository to resolve them sooner.

Follow-up

Once a fixed npm version is available and deployed in the base image, the ignore entries should be removed. See the TODO comment in `.trivyignore`.

🤖 Generated with Claude Code