We have a Node.js application which is failing a Trivy scan because of CVE-2022-25881 from http-cache-semantics. We have gone through the package.json and couldn't find any dependency or transitive dependency which refers to this library. Can someone please help us to point out how we could address it?
```json
"dependencies": {
  "body-parser": "^1.20.1",
  "express": "^4.18.2",
  "mongodb": "^5.0.1",
  "passport": "^0.6.0",
  "passport-azure-ad": "^4.3.4"
}
```
Dockerfile

```dockerfile
FROM node:16.19-bullseye-slim
RUN mkdir -p /.npm
VOLUME /tmp
WORKDIR /app
COPY . /app/
# command to run when instantiating an image
CMD ["npm", "start", "--loglevel=verbose"]
```
This vulnerability comes from npm. Updating npm to the latest version in your Docker image should resolve this finding.
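An added check, not part of the question or the answer, to run inside the built image: it locates every copy of http-cache-semantics and reports whether each one belongs to the npm that ships with the base image or to the application's own node_modules, which is how to confirm that the Trivy finding is the one the answer describes. The global npm path is an assumption that matches where the node:16 images install it.

```shell
#!/bin/sh
# Added example (not code from the question or the answer).
# Assumption: the image's bundled npm lives at $NPM_GLOBAL
# (node:16 images install it under /usr/local/lib/node_modules/npm).
NPM_GLOBAL="${NPM_GLOBAL:-/usr/local/lib/node_modules/npm}"

# Print "<origin> <version> <path>" for every copy found under $1.
# origin is "npm-bundled" when the copy sits inside $NPM_GLOBAL, else "app".
find_http_cache_semantics() {
  root="$1"
  find "$root" -path '*/node_modules/http-cache-semantics/package.json' 2>/dev/null |
  while read -r pkg; do
    # pull the "version" field out of package.json (good enough for npm output)
    ver=$(sed -n 's/.*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
    case "$pkg" in
      "$NPM_GLOBAL"/*) origin=npm-bundled ;;
      *)               origin=app ;;
    esac
    printf '%s %s %s\n' "$origin" "$ver" "$pkg"
  done
}

# Succeeds (exit 0) when every copy under $1 is part of the bundled npm, so
# updating npm alone clears the finding; fails when the app has its own copy
# (then the app's dependency tree needs fixing too) or when nothing is found.
only_from_npm() {
  out=$(find_http_cache_semantics "$1")
  [ -n "$out" ] || return 1
  ! printf '%s\n' "$out" | grep -q '^app '
}
```

When `only_from_npm /` succeeds, a `RUN npm install -g npm@latest` step before the `COPY` in the Dockerfile is the fix the answer describes; rerunning the check afterwards shows the version the updated npm now bundles.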