Closed
Description
Would it be possible to plan the fix of these vulnerabilities?
$ trivy repository https://github.com/docker/metadata-action.git
2025-12-15T13:19:58+01:00 INFO [vuln] Vulnerability scanning is enabled
2025-12-15T13:19:58+01:00 INFO [secret] Secret scanning is enabled
2025-12-15T13:19:58+01:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-12-15T13:19:58+01:00 INFO [secret] Please see https://trivy.dev/docs/v0.68/guide/scanner/secret#recommendation for faster secret detection
Enumerating objects: 1085, done.
Counting objects: 100% (1085/1085), done.
Compressing objects: 100% (566/566), done.
Total 1085 (delta 746), reused 750 (delta 462), pack-reused 0 (from 0)
2025-12-15T13:20:09+01:00 INFO Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-12-15T13:20:09+01:00 INFO Number of language-specific files num=1
2025-12-15T13:20:09+01:00 INFO [yarn] Detecting vulnerabilities...
Report Summary
┌───────────┬──────┬─────────────────┬─────────┐
│ Target │ Type │ Vulnerabilities │ Secrets │
├───────────┼──────┼─────────────────┼─────────┤
│ yarn.lock │ yarn │ 9 │ - │
└───────────┴──────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
yarn.lock (yarn)
Total: 9 (UNKNOWN: 0, LOW: 2, MEDIUM: 3, HIGH: 2, CRITICAL: 2)
┌────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ @octokit/request │ CVE-2025-25290 │ MEDIUM │ fixed │ 8.1.4 │ 9.2.1, 8.4.1 │ octokit/request: @octokit/request has a Regular Expression │
│ │ │ │ │ │ │ in fetchWrapper that Leads to ReDoS... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-25290 │
├────────────────────────┼────────────────┤ │ ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ @octokit/request-error │ CVE-2025-25289 │ │ │ 5.0.1 │ 5.1.1, 6.1.7 │ @octokit/request-error: @octokit/request-error has a Regular │
│ │ │ │ │ │ │ Expression in index that Leads to ReDoS... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-25289 │
├────────────────────────┼────────────────┼──────────┤ ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ brace-expansion │ CVE-2025-5889 │ LOW │ │ 2.0.1 │ 2.0.2, 1.1.12, 3.0.1, 4.0.1 │ brace-expansion: juliangruber brace-expansion index.js │
│ │ │ │ │ │ │ expand redos │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-5889 │
├────────────────────────┼────────────────┼──────────┤ ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ form-data │ CVE-2025-7783 │ CRITICAL │ │ 3.0.1 │ 2.5.4, 3.0.4, 4.0.4 │ form-data: Unsafe random function in form-data │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-7783 │
│ │ │ │ ├───────────────────┤ │ │
│ │ │ │ │ 4.0.0 │ │ │
│ │ │ │ │ │ │ │
├────────────────────────┼────────────────┼──────────┤ ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ glob │ CVE-2025-64756 │ HIGH │ │ 10.3.15 │ 11.1.0, 10.5.0 │ glob: glob: Command Injection Vulnerability via Malicious │
│ │ │ │ │ │ │ Filenames │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-64756 │
│ │ │ │ ├───────────────────┤ │ │
│ │ │ │ │ 11.0.3 │ │ │
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
├────────────────────────┼────────────────┼──────────┤ ├───────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ undici │ CVE-2025-22150 │ MEDIUM │ │ 5.28.4 │ 5.28.5, 6.21.1, 7.2.3 │ undici: Undici Uses Insufficiently Random Values │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-22150 │
│ ├────────────────┼──────────┤ │ ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2025-47279 │ LOW │ │ │ 5.29.0, 6.21.2, 7.5.0 │ undici: Undici Memory Leak with Invalid Certificates │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2025-47279 │
└────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────┴──────────────────────────────────────────────────────────────┘