Version
v18.20.6
Platform
Linux 7c173fe85174 6.12.11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.11-1 (2025-01-25) x86_64 GNU/Linux
Subsystem
npm
What steps will reproduce the bug?
docker run --rm -ti trivy image node:18 --scanners vuln --severity HIGH,CRITICAL --ignore-unfixed
How often does it reproduce? Is there a required condition?
Always reproducible
What is the expected behavior? Why is that the expected behavior?
No CVE found
What do you see instead?
Node.js (node-pkg)
Total: 1 (HIGH: 1, CRITICAL: 0)
┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│ Library                    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                             │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ cross-spawn (package.json) │ CVE-2024-21538 │ HIGH     │ fixed  │ 7.0.3             │ 7.0.5, 6.0.6  │ cross-spawn: regular expression denial of service │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-21538        │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘
Additional information
Upgrading npm package to 10.9.1 will fix the vulnerability, see npm/cli@029060c
Was done for main and v20 with nodejs/node#56135