Skip to content

chore(security): docker CI fails on sigstore CVE-2026-48815 in npm's bundled dependency #61

Description

@adamdaw

Problem

The docker job in build.yml fails on every open PR (and master) at the Trivy scan step. Build, test-elicitation, and CodeQL all pass — only Trivy is red.

Trivy (severity: CRITICAL,HIGH, ignore-unfixed: true, exit-code: 1) reports exactly one finding:

Total: 1 (HIGH: 1, CRITICAL: 0)
sigstore  CVE-2026-48815  HIGH  fixed  3.1.0 -> 4.1.1
target: usr/lib/node_modules/npm/node_modules/sigstore/package.json

CVE-2026-48815 (GHSA-52v5-jr5w-gjxr, CWE-347): sigstore < 4.1.1 silently drops the certificateOIDs option in sigstore.verify(), so required certificate-extension OIDs are never enforced. Integrity-only.

Why it can't be patched via overrides

The flagged instance is inside npm's own bundle (/usr/lib/node_modules/npm/...), installed by NodeSource's Node 22 (npm 10.x bundles sigstore 3.1.0). This is the same situation as the existing picomatch .trivyignore entry — package.json overrides only reach our tool tree at /usr/local/lib/node_modules/, not npm's internal bundle. Upgrading npm is the documented dead end.

Reachability

Only exploitable by a caller invoking sigstore.verify() with a certificateOIDs constraint. The daedalus image builds PDFs; it never publishes npm packages nor verifies sigstore attestations at runtime, so the path is never exercised.

Remediation

Add a targeted .trivyignore entry for CVE-2026-48815 scoped to the npm-bundle path, mirroring the documented picomatch precedent, with a justification comment. Remove when NodeSource ships a Node.js whose bundled npm includes sigstore >= 4.1.1.

Note

Unblocks the 6 open Dependabot PRs (#55#60), which are red solely due to this shared job — not the dependency bumps themselves.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions