fix new vulns

anthony-nhs · anthony-nhs · commit 715e5cab4c47 · 2026-03-11T13:27:17.000Z
diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions
@@ -1,6 +1,6 @@
 shellcheck 0.11.0
 direnv 2.37.1
-actionlint 1.7.10
+actionlint 1.7.11
 ruby 3.3.0
 trivy 0.69.3
-yq 4.52.2
+yq 4.52.4
diff --git a/src/base_node/node_24/.devcontainer/.tool-versions b/src/base_node/node_24/.devcontainer/.tool-versions
@@ -1 +1 @@
-nodejs 24.13.0
+nodejs 24.14.0
diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
@@ -360,3 +360,30 @@ vulnerabilities:
     purls:
       - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
     expired_at: 2026-09-09
+  - id: CVE-2026-25679
+    statement: "url.Parse insufficiently validated the host/authority component and ac ..."
+    purls:
+      - "pkg:golang/stdlib@v1.16.15"
+      - "pkg:golang/stdlib@v1.23.4"
+      - "pkg:golang/stdlib@v1.24.4"
+      - "pkg:golang/stdlib@v1.24.9"
+      - "pkg:golang/stdlib@v1.25.5"
+      - "pkg:golang/stdlib@v1.25.7"
+      - "pkg:golang/stdlib@v1.26.0"
+    expired_at: 2026-09-11
+  - id: CVE-2026-27142
+    statement: "Actions which insert URLs into the content attribute of HTML meta tags ..."
+    purls:
+      - "pkg:golang/stdlib@v1.16.15"
+      - "pkg:golang/stdlib@v1.23.4"
+      - "pkg:golang/stdlib@v1.24.4"
+      - "pkg:golang/stdlib@v1.24.9"
+      - "pkg:golang/stdlib@v1.25.5"
+      - "pkg:golang/stdlib@v1.25.7"
+      - "pkg:golang/stdlib@v1.26.0"
+    expired_at: 2026-09-11
+  - id: CVE-2026-27137
+    statement: "When verifying a certificate chain which contains a certificate contai ..."
+    purls:
+      - "pkg:golang/stdlib@v1.26.0"
+    expired_at: 2026-09-11
diff --git a/src/common_node_24/.trivyignore.yaml b/src/common_node_24/.trivyignore.yaml
@@ -63,3 +63,33 @@ vulnerabilities:
     purls:
       - "pkg:npm/tar@7.5.1"
     expired_at: 2026-09-09
+  - id: CVE-2026-26996
+    statement: "minimatch: minimatch: Denial of Service via specially crafted glob patterns"
+    purls:
+      - "pkg:npm/minimatch@10.1.2"
+    expired_at: 2026-09-11
+  - id: CVE-2026-27903
+    statement: "minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns"
+    purls:
+      - "pkg:npm/minimatch@10.1.2"
+    expired_at: 2026-09-11
+  - id: CVE-2026-27904
+    statement: "minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions"
+    purls:
+      - "pkg:npm/minimatch@10.1.2"
+    expired_at: 2026-09-11
+  - id: CVE-2026-26960
+    statement: "tar: node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation"
+    purls:
+      - "pkg:npm/tar@7.5.7"
+    expired_at: 2026-09-11
+  - id: CVE-2026-29786
+    statement: "node-tar: hardlink path traversal via drive-relative linkpath"
+    purls:
+      - "pkg:npm/tar@7.5.7"
+    expired_at: 2026-09-11
+  - id: CVE-2026-31802
+    statement: "node-tar Symlink Path Traversal via Drive-Relative Linkpath"
+    purls:
+      - "pkg:npm/tar@7.5.7"
+    expired_at: 2026-09-11
