@rayaisaiah
Contributor

Reason for Change:
Reverts manual package installations made to the NPM Linux dockerfile in #3439 and #3461. These changes were made because the NPM base image (Ubuntu) did not have the updated packages installed, which led to CVEs on the base image. Ubuntu has since been patched to have the CVEs resolved, so there is no need to manually install the packages at a specific version.

Trivy scan of NPM linux with changes to dockerfile:

```
acnpublic.azurecr.io/azure-npm:v1.5.49Test2 (ubuntu 20.04)
==========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```

Issue Fixed:

Requirements:

Notes:

Copilot AI review requested due to automatic review settings May 22, 2025 22:22
@rayaisaiah rayaisaiah added the npm and linux labels May 22, 2025
@rayaisaiah rayaisaiah requested a review from a team as a code owner May 22, 2025 22:22
@rayaisaiah rayaisaiah requested a review from matmerr May 22, 2025 22:22
Contributor

Copilot AI left a comment

Pull Request Overview

This PR reverts the manual package installations in the NPM Linux Dockerfile that were previously added to address CVEs in Ubuntu. The changes remove explicit version pinning for several packages since the base image now contains the necessary security updates.

  • Removed explicit version installation of libc-bin, libc6, libtasn1-6, and libgnutls30
  • Relies on the updated Ubuntu base image for security patches
@rayaisaiah
Contributor Author

/azp run Azure Container Networking PR

@rayaisaiah
Contributor Author

/azp run NPM Conformance Tests

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).
@rayaisaiah
Contributor Author

/azp run NPM Scale Test

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).
@rayaisaiah rayaisaiah added this pull request to the merge queue May 23, 2025
Merged via the queue into master with commit 0a58111 May 23, 2025
36 checks passed
@rayaisaiah rayaisaiah deleted the isaiahraya/npm-remove-hardcoded-package-installlations-master branch May 23, 2025 22:34
sivakami-projects pushed a commit that referenced this pull request Oct 23, 2025
…llations (#3680) removed manual package installations from npm dockerfile