fix(deps): bump ws to ~8.20.1 (CVE-2026-45736)#23
Merged
Conversation
Trivy on the cortex-axon-agent image flagged usr/local/snyk-broker/node_modules/ws at 8.18.3 — CVE-2026-45736, fixable in 8.20.1. Switching the existing scoped `engine.io-client.ws` override to a top-level `ws` override so both transitive instances (engine.io-client and engine.io) resolve to the patched version. `npm ls ws` confirms both resolutions are now 8.20.1; local `trivy fs` against this tree no longer reports CVE-2026-45736. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
dougcpr
approved these changes
May 19, 2026
ashiramin
added a commit
to cortexapps/axon
that referenced
this pull request
May 19, 2026
cortexapps/snyk-broker#23 promoted the `engine.io-client.ws` scoped override to a top-level `ws` override so both engine.io and engine.io-client resolve to the patched 8.20.1. The tag v1.0.14-axon carries that change. Verified pre-merge by building a minimal node:20-slim image with the local package files: ws resolves to 8.20.1 in node_modules; trivy image scan no longer reports CVE-2026-45736. Combined with the APT_CACHE_BUST in the prior commit, this clears every finding from today's failing :main Trivy scan (11 OS packages + ws).
ashiramin
added a commit
to cortexapps/axon
that referenced
this pull request
May 21, 2026
…ns (#104)

* Add APT_CACHE_BUST ARG so the apt layer can be refreshed without pinning

When the scheduled Trivy scan flags OS-package CVEs on :main, the underlying cause is that buildx's layer cache for the apt RUN hashes only on the Dockerfile text — same text → same cached layer → `apt-get update` never re-fetches from the archive even though the RUN explicitly calls it. PRs #99 and #102 worked around this by pinning specific transitive packages (libngtcp2, libnghttp2). The pin invalidated the cache as a side effect of changing Dockerfile text, but locks the build to a single archive version that ages out. PR #99 deferred a cleaner fix; this is that fix.

ARG APT_CACHE_BUST is declared right before the apt RUN and referenced inside it. Buildx folds the ARG value into the layer's cache key, so bumping the value (a one-line PR) invalidates only this layer — other layers (Go build, npm install, snyk-broker clone) keep hitting cache as before. Today's value (2026-05-19) also fixes today's failing :main scan: merging this PR is itself an ARG bump, so the apt layer rebuilds, fresh packages land, the next Trivy scan passes.

* Bump SNYK_BROKER_VERSION to v1.0.14-axon for ws CVE-2026-45736

cortexapps/snyk-broker#23 promoted the `engine.io-client.ws` scoped override to a top-level `ws` override so both engine.io and engine.io-client resolve to the patched 8.20.1. The tag v1.0.14-axon carries that change. Verified pre-merge by building a minimal node:20-slim image with the local package files: ws resolves to 8.20.1 in node_modules; trivy image scan no longer reports CVE-2026-45736. Combined with the APT_CACHE_BUST in the prior commit, this clears every finding from today's failing :main Trivy scan (11 OS packages + ws).

* Remove libngtcp2/libnghttp2 hard pins now that APT_CACHE_BUST is in place

The pins were added in #99/#102 because the buildx cache was serving stale apt layers — explicit versions invalidated the cache as a side effect and guaranteed the patched packages landed. With APT_CACHE_BUST now driving cache invalidation explicitly, `apt-get upgrade -y` pulls the current patched versions transitively via wget → libcurl3-gnutls, no pin required. Keeping the pins past this point has a cost: they prevent apt from picking up future Debian point releases (e.g. a hypothetical libnghttp2 deb13u2 patch), and they break the build if the pinned version ages out of the archive. Now that the cache mechanism is the actual fix, the pins are redundant belt-on-belt. Validated by the trivy-pr scan on this PR — if removal regresses CVE-2026-40170 or CVE-2026-27135, trivy-pr will flag it before merge.
Why

Trivy on the cortex-axon-agent image flagged `usr/local/snyk-broker/node_modules/ws@8.18.3` for CVE-2026-45736, fixable in `ws@8.20.1`. Surfaced during work on cortexapps/axon#104 — the underlying CVE was always present in this fork's published artifact; axon's `:main` Trivy scan was missing it because it filters to CRITICAL/HIGH only, while the PR-side scan in `docker.yml` flags any severity.

What

Replace the existing scoped `engine.io-client.ws` override with a top-level `ws` override.

`npm ls ws` before this change:

After:

Top-level vs scoped: chose top-level so any future package that pulls ws transitively also lands on the patched version without another override edit.

Verification

`npm ls ws` → both resolutions are `8.20.1`
`trivy fs --severity CRITICAL,HIGH,MEDIUM --ignore-unfixed` against the post-install tree → CVE-2026-45736 no longer reported

Follow-up

After this merges and a new `v1.0.14-axon` tag (or whatever the next axon-tag cadence dictates) is cut, cortexapps/axon#104 will bump `SNYK_BROKER_VERSION` to consume it.

🤖 Generated with Claude Code
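The point of the scoped-to-top-level promotion above is that a scoped override only patches one path through the dependency tree, while Trivy flags every copy of the package on disk. The script below is an added example, not code from the snyk-broker PR or the project: it applies the same override promotion to a package.json dict, then walks a constructed `npm ls ws --json`-shaped tree (the real tree comes from running that command; the socket.io/engine.io versions here are placeholders) to list every `ws` resolution still below the fixed version.

```python
"""Promote a scoped npm override to top-level and verify every transitive
resolution of a package meets the patched version.

Added example (not from the PR). FIXED_IN is the fix version Trivy reported
in the PR; the npm-ls trees are constructed to mirror the PR's description
of ws reached via both engine.io and engine.io-client.
"""
import json

FIXED_IN = "8.20.1"  # fix version for CVE-2026-45736, as stated in the PR


def promote_override(package_json, scoped_parent, dep):
    """Return a copy of package.json with overrides[scoped_parent][dep]
    moved to overrides[dep], keeping the same version range."""
    pkg = json.loads(json.dumps(package_json))  # deep copy; caller's dict untouched
    overrides = pkg.setdefault("overrides", {})
    scoped = overrides.get(scoped_parent)
    if not isinstance(scoped, dict) or dep not in scoped:
        raise KeyError(f"no scoped override {scoped_parent}.{dep}")
    overrides[dep] = scoped.pop(dep)
    if not scoped:  # drop the now-empty scoped entry
        del overrides[scoped_parent]
    return pkg


def _tree(engine_io_ws, engine_io_client_ws):
    """Constructed `npm ls ws --json`-shaped output with ws under both paths.
    Non-ws versions are placeholders; only the ws versions are compared."""
    return json.dumps({
        "name": "constructed-example",
        "dependencies": {
            "socket.io": {
                "version": "0.0.0-placeholder",
                "dependencies": {
                    "engine.io": {
                        "version": "0.0.0-placeholder",
                        "dependencies": {"ws": {"version": engine_io_ws}},
                    },
                    "socket.io-client": {
                        "version": "0.0.0-placeholder",
                        "dependencies": {
                            "engine.io-client": {
                                "version": "0.0.0-placeholder",
                                "dependencies": {"ws": {"version": engine_io_client_ws}},
                            }
                        },
                    },
                },
            }
        },
    })


# Scoped override: only the engine.io-client path gets the patched ws.
NPM_LS_SCOPED_OVERRIDE = _tree("8.18.3", "8.20.1")
# Top-level override: both paths resolve to the patched ws.
NPM_LS_TOP_LEVEL_OVERRIDE = _tree("8.20.1", "8.20.1")


def parse_version(v):
    """'8.20.1' -> (8, 20, 1); pre-release/build suffixes are ignored."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def find_package(tree, name, path=()):
    """Yield (path, version) for every instance of `name` in an npm ls tree."""
    for dep, info in tree.get("dependencies", {}).items():
        here = path + (dep,)
        if dep == name:
            yield "/".join(here), info.get("version")
        yield from find_package(info, name, here)


def unpatched(npm_ls_json, name, fixed_in):
    """Paths whose resolved version is missing or older than `fixed_in`."""
    tree = json.loads(npm_ls_json)
    floor = parse_version(fixed_in)
    return [(p, v) for p, v in find_package(tree, name)
            if v is None or parse_version(v) < floor]


if __name__ == "__main__":
    before = {"overrides": {"engine.io-client": {"ws": "~8.20.1"}}}
    print(json.dumps(promote_override(before, "engine.io-client", "ws")))
    print("scoped override leaves:", unpatched(NPM_LS_SCOPED_OVERRIDE, "ws", FIXED_IN))
    print("top-level override leaves:", unpatched(NPM_LS_TOP_LEVEL_OVERRIDE, "ws", FIXED_IN))
```

Run against real output by piping `npm ls ws --json` into `unpatched`; an empty list is the condition the PR's `npm ls ws` step verifies by eye, and the scoped-override tree shows the engine.io path that a scoped `engine.io-client.ws` entry never touches.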