
Propose remediation for dockerfile_lint transitive vulnerabilities #151

Open

assitantforjess wants to merge 1 commit into projectatomic:master from assitantforjess:fix/security/propose-dep-changes

Conversation

@assitantforjess

Title: Remediate dockerfile_lint transitive vulnerabilities (lodash / js-yaml)

Summary:
dockerfile_lint depends on transitive packages that currently expose critical or moderate advisories (lodash prototype pollution, js-yaml issues). Upstream does not provide a direct automated fix in the current release.

Options for maintainers:
A) Bump transitive dependencies (if compatible): update junit-report-builder and lodash to patched versions.
B) Replace dockerfile_lint with an actively maintained alternative for CI linting of Dockerfiles.
C) Accept a short-term patch/fork approach where we prepare a PR that updates dependency ranges and tests.

Suggested minimal diff for package.json (if bumpable):

-  "dependencies": {
-    "junit-report-builder": "^1.3.1",
+  "dependencies": {
+    "junit-report-builder": "^2.1.0",
     ...
  }
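Review bot: the hunk bumps only junit-report-builder (^1.3.1 to ^2.1.0), while the summary names lodash and js-yaml as the packages carrying the advisories; nothing in the diff pins, bumps or overrides those two, so the description should state (ideally with the relevant package-lock.json lines) that junit-report-builder 2.x actually drops the vulnerable lodash range, and either add the js-yaml change or say why none is needed. The `-  "dependencies": {` / `+  "dependencies": {` pair is noise, since that line is unchanged, and can be dropped from the hunk. Because ^1.3.1 to ^2.1.0 crosses a major version, the description should also record the CI run or changelog that was checked for breaking changes before this is merged.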

(Adjust versions after testing — this example is illustrative.)

Our offer:

  • I can prepare the fork/PR with the package.json changes and run CI testing; or produce a patch-package patch for local use while upstream prepares a release.

Recommendation:

  • Replace or patch; avoid relying solely on overrides for long-term remediation.
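As an added example, not part of this PR or of the dockerfile_lint project, the following Python script shows how a maintainer can confirm which dependent actually pulls in a vulnerable transitive package before choosing between options A, B and C: it walks an npm package-lock.json in the lockfileVersion 2/3 layout, finds every installed copy of a package whose version is below a required minimum (hoisted and nested copies alike), and reports which dependents request each copy by mimicking Node's node_modules resolution. The lock contents, package versions, ranges and the 4.17.21 threshold are constructed assumptions for the demo, not values taken from this repository.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample lock file in npm lockfileVersion 2/3 layout. Package names,
# versions and ranges are illustrative only, not the real dockerfile_lint tree.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"dockerfile_lint": "^0.3.0"}},
        "node_modules/dockerfile_lint": {
            "version": "0.3.0",
            "dependencies": {
                "js-yaml": "^3.13.0",
                "junit-report-builder": "^1.3.1",
                "lodash": "^4.17.0",
            },
        },
        "node_modules/js-yaml": {"version": "3.13.1"},
        "node_modules/junit-report-builder": {
            "version": "1.3.1",
            "dependencies": {"lodash": "^4.17.11"},
        },
        # hoisted copy, resolved by dockerfile_lint
        "node_modules/lodash": {"version": "4.17.15"},
        # nested copy installed under junit-report-builder
        "node_modules/junit-report-builder/node_modules/lodash": {"version": "4.17.11"},
    },
})


def parse_version(spec: str) -> Tuple[int, ...]:
    """Turn '4.17.15', '^4.17.0' or '4.17.15-beta.1' into a comparable tuple."""
    core = spec.lstrip("^~>=<v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def resolve(packages: Dict[str, dict], from_path: str, name: str) -> Optional[str]:
    """Mimic Node resolution: look for name in each node_modules dir walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        cut = base.rfind("/node_modules/")
        base = base[:cut] if cut != -1 else ""


def installed_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'; the root entry '' maps to ''."""
    return path.split("node_modules/")[-1]


def find_vulnerable(lock_text: str, name: str, min_version: str) -> List[dict]:
    """Return every installed copy of `name` older than min_version, with its requesters."""
    packages = json.loads(lock_text)["packages"]
    minimum = parse_version(min_version)  # assumed patched version, supplied by the caller
    hits: Dict[str, dict] = {}
    for path, entry in packages.items():
        if installed_name(path) == name and parse_version(entry["version"]) < minimum:
            hits[path] = {"path": path, "version": entry["version"], "requested_by": []}
    # Attribute each flagged copy to the packages whose dependency on `name` resolves to it.
    for path, entry in packages.items():
        for dep, rng in entry.get("dependencies", {}).items():
            if dep != name:
                continue
            target = resolve(packages, path, name)
            if target in hits:
                hits[target]["requested_by"].append((path or "<root>", rng))
    return [hits[p] for p in sorted(hits)]


def vulnerable_paths(lock_text: str, name: str, min_version: str) -> List[str]:
    return [hit["path"] for hit in find_vulnerable(lock_text, name, min_version)]


if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_LOCK, "lodash", "4.17.21"):
        print(hit["path"], hit["version"], "<- requested by", hit["requested_by"])
```

Run it against a real lock file by replacing SAMPLE_LOCK with the file contents; a copy that shows up with several requesters is the case where a single bump (option A) will not be enough and an override or replacement has to be considered.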
