Conversation

Contributor

Copilot AI commented Nov 21, 2025

Security scans identified vulnerable Alpine OpenSSL packages (libcrypto3, libssl3 @ 3.5.0-r0) and Node.js brace-expansion (1.1.12) requiring updates to patched versions.

Changes

Dockerfile

  • Updated base-prod stage from node:23-alpine to node:24-alpine
    • Upgrades Alpine 3.22.0 → 3.22.2
    • Resolves libcrypto3 and libssl3 to 3.5.4-r0

package.json

  • Added npm overrides to force brace-expansion@^2.0.2 across all transitive dependencies
  • Eliminates vulnerable 1.1.12 version inherited from eslint → minimatch chain

package-lock.json

  • Regenerated with overrides applied
  • All brace-expansion instances now resolve to 2.0.2

Technical Notes

Node.js 24 is the current LTS (vs 23 development branch) and ships with newer Alpine base containing patched OpenSSL. Using npm overrides allows immediate mitigation without waiting for upstream dependency updates.

Original prompt

This section details the original issue you should resolve

<issue_title>Security Vulnerability: Outdated Alpine Dependencies</issue_title>
<issue_description>Our security scans have identified several vulnerable Alpine dependencies in the current version of the project. We would appreciate it if these could be updated to their fixed versions to remediate the security findings.

Vulnerable Dependencies:

  1. libcrypto3:
    Current Version: 3.5.0-r0
    Expected Fixed Version: 3.5.4-r0

  2. libssl3:
    Current Version: 3.5.0-r0
    Expected Fixed Version: 3.5.4-r0

  3. brace-expansion:
    Current Version: 2.0.1
    Expected Fixed Version: 2.0.2

We request that the project's dependencies be updated to the new versions listed above to resolve these security vulnerabilities. Please let us know if a new version with these fixes will be available.
</issue_description>

Comments on the Issue (you are @copilot in this section)
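A verification step to pair with a change like this, added here as an example rather than code from the PR or the project: walk a lockfile's `packages` map (lockfileVersion 2/3) and report every copy of a package, including nested copies such as the eslint → minimatch → brace-expansion chain described above, flagging any still below the fixed version. The lockfile embedded below is a constructed sample; pass a real `package-lock.json` path as the first argument to audit it instead.

```javascript
// Added example, not part of the PR: audit a package-lock.json for copies of a
// package that remain below the version a security scan expects.

// Constructed sample lockfile: a root copy already at 2.0.2 plus a nested
// copy under eslint's minimatch still at the vulnerable 1.1.12.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { eslint: "^8.0.0" } },
    "node_modules/brace-expansion": { version: "2.0.2" },
    "node_modules/eslint": { version: "8.57.0" },
    "node_modules/eslint/node_modules/minimatch": { version: "3.1.2" },
    "node_modules/eslint/node_modules/minimatch/node_modules/brace-expansion": { version: "1.1.12" },
  },
};

// Compare two dotted versions numerically (pre-release suffix ignored); <0, 0, >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every install path whose final "node_modules/<name>" segment matches pkgName,
// so nested copies hidden under other dependencies are found too.
function findCopies(lock, pkgName, fixedVersion) {
  const marker = "node_modules/";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue;
    if (path.slice(idx + marker.length) !== pkgName) continue;
    const vulnerable = compareVersions(meta.version, fixedVersion) < 0;
    hits.push({ path, version: meta.version, vulnerable });
  }
  return hits;
}

// Returns all copies plus a single clean/not-clean verdict suitable for a CI gate.
function audit(lock, pkgName, fixedVersion) {
  const hits = findCopies(lock, pkgName, fixedVersion);
  return { hits, clean: hits.every((h) => !h.vulnerable) };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  const { hits, clean } = audit(lock, "brace-expansion", "2.0.2");
  for (const h of hits) console.log(`${h.vulnerable ? "VULN" : "ok  "} ${h.version.padEnd(8)} ${h.path}`);
  process.exitCode = clean ? 0 : 1; // non-zero exit fails the pipeline while a vulnerable copy remains
}
```

The root-level copy passes but the nested one is reported as VULN, which is the case that npm overrides in package.json are meant to eliminate; after regenerating the lockfile with the override applied, the audit should report every copy at 2.0.2 and exit 0.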



Copilot AI changed the title [WIP] Update alpine dependencies to fix security vulnerabilities Update Alpine OpenSSL and brace-expansion to address CVEs Nov 21, 2025
Copilot AI requested a review from karpikpl November 21, 2025 23:37
@karpikpl karpikpl marked this pull request as ready for review November 22, 2025 01:10
@karpikpl karpikpl merged commit 58bb2d2 into main Nov 22, 2025
9 checks passed

Development

Successfully merging this pull request may close these issues.

Security Vulnerability: Outdated Alpine Dependencies