Goal
Remove the .trivyignore suppression for CVE-2026-12151 by updating npm to a release that bundles undici >= 6.27.0.
Background
undici is vendored inside npm (npm/node_modules/undici). CVE-2026-12151 (HIGH) is a WebSocket denial-of-service via unbounded memory growth, fixed in undici 6.27.0 / 7.28.0 / 8.5.0. As of this writing the latest npm (11.17.0) still bundles undici 6.26.0, so no npm version bump currently clears the finding. npm uses undici only for registry HTTP at build time (never WebSockets, and never at runtime in this CI lint image), so the practical risk is negligible and the CVE is suppressed in the interim.
Scope
- Once an npm release bundles undici >= 6.27.0, run make resolve TOOLS=npm to pin the new version.
- Remove the CVE-2026-12151 entry from images/ci-tools/.trivyignore.yaml.
- Run make scan to confirm the image passes without the suppression.
Outcome
The ci-tools image passes Trivy scans without a suppression for CVE-2026-12151.
Notes
The CVE monitor will continue to flag this until the follow-up completes, but the suppression keeps CI green in the interim.
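As an added illustration (not the repository's actual file), this is the shape the interim entry in images/ci-tools/.trivyignore.yaml can take so that the suppression is scoped to npm's vendored copy of undici and expires rather than lingering after this ticket is forgotten. Trivy's YAML ignore file supports id, paths, statement and expired_at; the package path and the expiry date below are assumptions for the example and should be adjusted to where the image installs npm and to the date by which the follow-up is expected.

```yaml
# Added example of a scoped, expiring Trivy suppression (not the real file).
# Trivy's .trivyignore.yaml accepts: id, paths (glob patterns, no leading
# slash), statement (free text) and expired_at (YYYY-MM-DD).
vulnerabilities:
  - id: CVE-2026-12151
    # Assumed install path of npm's vendored undici in the ci-tools image;
    # Trivy reports node packages by their package.json location.
    paths:
      - "usr/local/lib/node_modules/npm/node_modules/undici/package.json"
    statement: >-
      undici is only used by npm for registry HTTP at build time; the WebSocket
      code path is not reachable in the ci-tools lint image. Remove once npm
      bundles undici >= 6.27.0 (tracked in this ticket).
    # Assumed date: after this, Trivy treats the entry as expired and the
    # finding fails the scan again, so a stalled follow-up cannot stay hidden.
    expired_at: 2026-09-30
```

Scoping by paths means a second, non-vendored undici anywhere else in the image would still be reported, and expired_at gives the Notes' "in the interim" a concrete end date that the scan itself enforces.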