Node16 Externals Version needs upgrade [CVE-2022-35255]
Describe the bug
Security scanning of the default installation method results in CVE-2022-35255 being tripped based on the current version of Node JS 16 set in externals.
To Reproduce
Steps to reproduce the behavior:
- Take latest installation from releases including runtimes and externals. Example: actions-runner-linux-x64-2.307.1.tar.gz
- Uncompress
- Run security scan (e.g. Wiz)
Expected behavior
Clean security report
Runner Version and Platform
v2.307.1
OS of the machine running the runner? Linux
What’s not working?
File /home/runner/runner/agent/externals/node16/bin/node version 16.16.0 is vulnerable to CVE-2022-35255, which exists in versions >= 16.13.0, < 16.17.1.
The vulnerability was found in the [National Vulnerability Database (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2022-35255) based on the CPE cpe:2.3:a:nodejs:node.js with NVD severity: Critical.
The file is associated with the technology Node.js.
The vulnerability can be remediated by updating Node.js to 16.17.1 or higher.
Issue Analytics
- Created 2 months ago
- Comments: 6 (2 by maintainers)
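One way to recheck the finding after extracting the tarball, as an added example that is not part of the original issue or the runner project: it compares the bundled Node.js version with the range quoted in the scanner output. The function names and status codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not runner code. Range copied from the scanner finding above.
VULN_MIN="16.13.0"    # inclusive lower bound
VULN_FIXED="16.17.1"  # first fixed release (exclusive upper bound)

# ver_to_int VERSION: print MAJOR*1000000 + MINOR*1000 + PATCH for "v16.16.0"
# or "16.16.0"; return 1 for anything that is not plain MAJOR.MINOR.PATCH.
ver_to_int() {
    v=${1#v}
    case $v in
        ""|*[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# in_vulnerable_range VERSION: status 0 if VULN_MIN <= VERSION < VULN_FIXED,
# 1 if outside the range, 2 if VERSION cannot be parsed.
in_vulnerable_range() {
    cur=$(ver_to_int "$1") || return 2
    lo=$(ver_to_int "$VULN_MIN") && hi=$(ver_to_int "$VULN_FIXED") || return 2
    [ "$cur" -ge "$lo" ] && [ "$cur" -lt "$hi" ]
}

# check_runner_node DIR: DIR is the extracted runner directory (assumed layout:
# DIR/externals/node16/bin/node, matching the path in the finding).
# Status 0 = outside the range, 1 = inside the range, 2 = could not determine.
check_runner_node() {
    node_bin="$1/externals/node16/bin/node"
    [ -x "$node_bin" ] || { echo "no executable $node_bin" >&2; return 2; }
    found=$("$node_bin" --version) || return 2
    rc=0; in_vulnerable_range "$found" || rc=$?
    case $rc in
        0) echo "FAIL $node_bin $found is >= $VULN_MIN and < $VULN_FIXED"; return 1 ;;
        1) echo "OK   $node_bin $found"; return 0 ;;
        *) echo "unparseable version '$found' from $node_bin" >&2; return 2 ;;
    esac
}

# Constructed version strings covering both range boundaries.
for sample in v16.12.2 v16.13.0 v16.16.0 v16.17.0 v16.17.1 v18.12.0; do
    if in_vulnerable_range "$sample"; then echo "$sample in range"
    else echo "$sample not in range"; fi
done
```

Call `check_runner_node` with the directory the tarball was extracted into; a non-zero status lets a CI step fail before the runner image is published.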
Top GitHub Comments
@Lazyshot Thanks for this, we’re actively working on deprecating Node12, upgrading Node16 and introducing Node20.
Thanks for the updates. Could you please confirm whether it's going to update the node modules under summerwind/actions-runner:latest image as well?