Question regarding module vulnerabilities for modules included in the node.js dockerhub images


Thomas Spear

Feb 2, 2023, 2:21:16 PM
to nodejs
Hello,

Yesterday, I was working on building an internal fork of the Node.js v14.21.2 Docker image for my organization. This internal fork downloads the v14.21.2 Node.js release tarball and the yarn v1.22.19 release tarball. It does not install any third-party modules that aren't already included in those 2 tarballs.

This is the same process that is used to build the Docker Hub Node.js image.

I understand this release is in maintenance mode and will not receive security updates after April 30 this year.

After completing the build, I scanned the image for vulnerabilities and received a report indicating that 3 of the modules included in the image are versions of the modules which have high severity vulnerabilities. These 3 modules all have patches which have been made available by their respective maintainers.

I wanted to reach out to ask if there is any process to request a release of the patched modules in the Docker Hub image, given that this version of Node.js is still under maintenance support.

I was able to modify the build process for our internal fork to update the 3 modules to the patched versions, but (IMHO) it would be ideal, since this release of Node.js is still under maintenance support, if these patches could be made available in the Docker Hub image directly.

I appreciate any guidance anyone could offer on this.

Thank you for your time, and kind regards,

Thomas Spear
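An added example, not part of the original post and not code from the Node.js or Docker projects: a POSIX shell inventory of the modules bundled inside an image's node_modules tree, printed as name@version, plus a check that flags every bundled copy whose version differs from a pinned, patched version. This is the kind of check behind the post's "scanned the image" step, done without a third-party scanner. Assumptions: package names and versions here are constructed for the demo and are not the three modules the post refers to; the sample tree is built in a temporary directory rather than read from /usr/local/lib/node_modules (where the official image keeps npm); name and version are pulled from package.json with sed, which is good enough for the top-level fields of real package.json files but is not a JSON parser (use jq or node -p when available).

```shell
#!/bin/sh
# Added example (not from the original post): inventory bundled npm packages
# and compare them against pinned patched versions.

# list_bundled_modules DIR
# Prints one "name@version" line per package found under any node_modules
# directory below DIR, sorted, de-duplicated. Only package.json files that
# sit directly in a package directory (node_modules/<pkg> or
# node_modules/@scope/<pkg>) count; nested fixtures and test data are skipped.
list_bundled_modules() {
    dir=$1
    find "$dir" -name package.json -path '*/node_modules/*' 2>/dev/null |
    while IFS= read -r pj; do
        parent=$(dirname "$pj")
        case "$(dirname "$parent")" in
            */node_modules|*/node_modules/@*) ;;
            *) continue ;;
        esac
        # First top-level "name"/"version" line; sed, not a JSON parser.
        name=$(sed -n 's/.*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1)
        version=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pj" | head -n 1)
        [ -n "$name" ] && [ -n "$version" ] && printf '%s@%s\n' "$name" "$version"
    done | LC_ALL=C sort -u
}

# flag_mismatches DIR PINFILE
# PINFILE holds one "name@version" line per package, the patched version you
# expect to be present. Prints every bundled copy of a pinned package whose
# version is not exactly the pinned one. Returns 1 if any were printed, else 0,
# so it can gate a CI job.
flag_mismatches() {
    dir=$1
    pins=$2
    rc=0
    inv=$(list_bundled_modules "$dir")
    while IFS= read -r pin; do
        [ -z "$pin" ] && continue
        name=${pin%@*}          # strip the trailing @version, keeps @scope/ prefixes
        printf '%s\n' "$inv" | awk -v n="$name" -v p="$pin" '
            { nm = $0; sub(/@[^@]*$/, "", nm)
              if (nm == n && $0 != p) { print $0; bad = 1 } }
            END { exit (bad ? 1 : 0) }' || rc=1
    done < "$pins"
    return $rc
}

# make_sample_tree ROOT
# Builds a constructed node_modules tree (hypothetical packages and versions,
# chosen for the demo only) including a fixture package.json that must be ignored.
make_sample_tree() {
    root=$1
    mkdir -p "$root/node_modules/npm/node_modules/dep-a/test/fixture" \
             "$root/node_modules/npm/node_modules/@acme/dep-b"
    printf '{\n  "name": "npm",\n  "version": "6.14.17"\n}\n' \
        > "$root/node_modules/npm/package.json"
    printf '{\n  "name": "dep-a",\n  "version": "3.0.4"\n}\n' \
        > "$root/node_modules/npm/node_modules/dep-a/package.json"
    printf '{ "name": "fixture", "version": "0.0.0" }\n' \
        > "$root/node_modules/npm/node_modules/dep-a/test/fixture/package.json"
    printf '{\n  "name": "@acme/dep-b",\n  "version": "1.2.3"\n}\n' \
        > "$root/node_modules/npm/node_modules/@acme/dep-b/package.json"
}

# Usage against a real image (run inside the container):
#   list_bundled_modules /usr/local/lib/node_modules
#   printf 'dep-a@3.0.5\n' > /tmp/pins && flag_mismatches /usr/local/lib/node_modules /tmp/pins
```

In the constructed tree, a pin file containing dep-a@3.0.5 makes flag_mismatches print dep-a@3.0.4 and return 1, while a pin matching the bundled version returns 0. The fixture package.json under dep-a/test is ignored because its parent directory is not a node_modules entry. Pinning the exact patched version (rather than a minimum) keeps the check to a string comparison and avoids semver logic in shell; it also catches the common case where npm carries a second, older copy of a module nested deeper in its own node_modules.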