Docker image grafana-image-renderer:3.7.2 and up still shows node pkg semver-7.3.7

[SadanandGowda]

Hi Team,
we were checking for vulnerabilities of grafana-image-renderer docker image version - 3.7.2 and up. The trivy and docker scout shows node package as 7.3.7 as opposed to the fix version 7.5.4 as updated in #440.

Steps to reproduce:
Install trivy/docker scout or any vulnerability tool.

trivy image grafana/grafana-image-renderer:3.8.0 or
trivy image grafana/grafana-image-renderer:3.7.2

Output:
semver (package.json) │ CVE-2022-25883 │ MEDIUM │ fixed │ 7.3.7 │ 7.5.2, 6.3.1, 5.7.2 │ Regular expression denial of service │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-25883

Please let us know if we are missing something from our end.

• Grafana Image Renderer version:3.7.2
• Grafana version:
• Installed plugin or remote renderer service:
• OS Grafana Image Renderer is installed on:
• User OS & Browser:
• Others:

[AgnesToulet]

Hi! This comes from the base image and Node 16. This will be fixed in 3.8.3 when we'll release the upgrade to Node 18.