Please update yarn to at least 1.22.0 (CVE-2020-8131)

[sseide]

Current version of yarn used on all (?) images has a vulnerablilty which may be exploited depending on how your images are used or what software is installed on top of it.

https://nvd.nist.gov/vuln/detail/CVE-2020-8131 - Rating of 7.5 (HIGH)

Please update all images to the bugfixed version as some automated security scanners start to pick up this vulnerability in docker images (e.g. Anchore).

I have looked if there is a helper script to update all instances easily without missing on but there seems nothing like it. is there another preferred way or search-replace? I can create a PR than.

Thanks

[SimenB]

Node 10 is on 1.21.1, 12 is on 1.22.0 and 13 is on 1.22.4. We should probably update 10, then. /cc @nodejs/docker

To update, just run the update.sh script. Since only node 10 is vulnerable, running ./update.sh 10 should be enough

[nschonni]

Next release for 10 is anticipated on April 7th nodejs/Release#553 (comment)

[sseide]

Thanks to all.

[PeterDaveHello]

#1241 merged! Just wait to be deployed on Docker hub, thanks for the notification, I'll close this issue first, feel free to reopen it if there is still an issue.

Please note that there will be a delay between the PR merging and being built and deployed on Docker Hub, please follow #1241 and its auto PR to the official Docker Hub image repository for more details.