This PR attempts to clean up a bunch of security scanner findings that have been accumulating; some were straightforward package bumps, others required digging into why the Docker image was producing false-looking hits.
Fixed
- CVE-2026-4800 (High) — Code injection via `_.template` imports key names: bumped lodash from 4.17.23 to 4.18.1 in `/fe` and `/listenarr.api/tools/discord-bot` lockfiles.
- CVE-2026-2950 (Medium) — Prototype pollution via array path bypass in `_.unset`/`_.omit`: resolved by the same lodash 4.18.1 bump.
- CVE-2023-29403 / CVE-2022-30635 (High) — golang/stdlib 1.19.8 in the Debian-packaged `gosu` binary: both Dockerfiles now build `gosu` from source in a `golang:1.24-alpine` multi-stage stage, replacing the apt package entirely.
- CVE-2026-23950 / CVE-2026-29786 / CVE-2026-31802 / CVE-2026-24842 / CVE-2026-23745 (High) — vulnerable `tar` versions bundled inside the apt-shipped npm tree (`/usr/lib/node_modules/npm/node_modules`): both Dockerfiles now upgrade npm to latest immediately after installing Node.js and remove the stale apt npm tree.
- CVE-2026-26996 (High) — `minimatch` 9.0.5 in the apt-shipped npm bundled packages: resolved by the same npm upgrade and cleanup.
- CVE-2024-21538 (High) — `cross-spawn` 7.0.3 in the apt-shipped npm bundled packages: resolved by the same npm upgrade and cleanup.
Changed
- `Dockerfile` and `Dockerfile.runtime`: added a `golang:1.24-alpine` builder stage to compile a static `gosu` binary; `gosu` removed from `apt-get install`.
- `Dockerfile` and `Dockerfile.runtime`: after installing Node.js via NodeSource, run `npm install -g npm@latest` then remove `/usr/lib/node_modules/npm`, `/usr/bin/npm`, and `/usr/bin/npx` so the only npm in the image is the patched version in `/usr/local`.
- `fe/package-lock.json`: lodash `node_modules/lodash` entry updated from 4.17.23 to 4.18.1.
- `listenarr.api/tools/discord-bot/package-lock.json`: lodash `node_modules/lodash...
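The two Dockerfile changes described above (static `gosu` from a `golang:1.24-alpine` builder stage, then npm upgraded and the apt-shipped npm tree removed), written out as an added example rather than this PR's own Dockerfile. The `debian:bookworm-slim` base, the Node 22 NodeSource repo, the gosu tag `1.17`, and the `--prefix /usr/local` flag (which is what makes the patched npm land in `/usr/local` as the Changed section states) are assumptions.

```dockerfile
# syntax=docker/dockerfile:1

# --- Stage 1: static gosu built from source (replaces Debian's gosu package,
# whose embedded Go 1.19.8 stdlib was what the scanner flagged) ---
FROM golang:1.24-alpine AS gosu-builder
# Assumed pin; review the tag before adopting it.
ARG GOSU_VERSION=1.17
RUN apk add --no-cache git \
 && git clone --depth 1 --branch "${GOSU_VERSION}" https://github.com/tianon/gosu.git /src/gosu \
 && cd /src/gosu \
 && CGO_ENABLED=0 go build -trimpath -ldflags='-s -w' -o /out/gosu .

# --- Stage 2: runtime image (assumed base) ---
FROM debian:bookworm-slim
COPY --from=gosu-builder /out/gosu /usr/local/bin/gosu

# Node.js from the NodeSource apt repo (keyring pinned with signed-by rather than
# piping the setup script into a shell). The nodejs .deb ships its own npm tree
# under /usr/lib/node_modules/npm whose bundled tar/minimatch/cross-spawn are the
# stale copies, so install the patched npm under /usr/local and delete the apt copy.
ARG NODE_MAJOR=22
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates curl gnupg \
 && install -d -m 0755 /etc/apt/keyrings \
 && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
      | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
 && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" \
      > /etc/apt/sources.list.d/nodesource.list \
 && apt-get update \
 && apt-get install -y --no-install-recommends nodejs \
 && npm install -g --prefix /usr/local npm@latest \
 && rm -rf /usr/lib/node_modules/npm /usr/bin/npm /usr/bin/npx \
 && apt-get clean && rm -rf /var/lib/apt/lists/*

# Build-time check: only the patched npm resolves on PATH, the apt copy is gone,
# and the static gosu actually executes on this base image.
RUN test "$(command -v npm)" = /usr/local/bin/npm \
 && test ! -e /usr/bin/npm && test ! -e /usr/lib/node_modules/npm \
 && npm --version && gosu --version
```

The final `RUN` is the part worth keeping in both Dockerfiles: it fails the build if a later layer reintroduces the apt npm tree, which is exactly the condition the scanner was flagging.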
Automated canary build