github mnfst/manifest manifest@5.49.2
manifest v5.49.2


🐛 Patch Changes

  • fec55cf: Bump Docker runtime to gcr.io/distroless/nodejs22-debian13:nonroot to clear 9 CVEs (1 CRITICAL / 8 HIGH) that the published image inherited from the older nodejs22-debian12 base.

    Root cause: Google hasn't rebuilt any tag on gcr.io/distroless/nodejs22-debian12 since Node 22.22.2 and Debian 12's openssl 3.0.19-1~deb12u2 shipped. Every debian12 variant still bakes Node 22.22.0 on top of the vulnerable openssl 3.0.18-1~deb12u2, so a digest refresh alone couldn't clear the scan. The nodejs22-debian13 family already publishes Node v22.22.2 on a newer openssl, so moving the runtime stage to it fixes both CVE sources in a single base-image bump.

    The move is safe: the prod-deps stage runs npm ci --ignore-scripts, so no install-time lifecycle scripts run and no native modules are compiled; node_modules therefore contains nothing linked against a particular glibc, and the runtime stage's glibc version is invisible to it. The node:22-alpine and node:22-slim digest pins were also refreshed for hygiene; those layers don't ship in the final image.

    CVEs cleared:

    Verification: Local Trivy scan (--severity HIGH,CRITICAL --ignore-unfixed) reports 0 findings post-bump (was 9). docker compose up -d passes the healthcheck in ~14s and /api/v1/health returns {"status":"healthy"}.
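The multi-stage layout the note relies on, written out as an added example rather than the manifest project's own Dockerfile: a build stage and a prod-deps stage on full Node images, and a distroless nonroot runtime stage that receives only the compiled output and the production node_modules. The `<...>` digests, the /app paths, dist/main.js and port 3000 are placeholder assumptions; the healthcheck is in exec form because distroless ships no shell or curl, so a shell-form `CMD curl ...` would fail there.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the manifest project's Dockerfile. Every <...> is a
# placeholder: pin real digests with `docker buildx imagetools inspect <tag>`.

# --- build stage: full toolchain, never shipped in the final image ---------
FROM node:22-alpine@sha256:<builder-digest> AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --ignore-scripts
COPY . .
RUN npm run build

# --- prod-deps stage: production node_modules only, no lifecycle scripts ---
# --ignore-scripts means no node-gyp run, so nothing in node_modules is linked
# against this stage's glibc and the runtime base can be swapped freely.
FROM node:22-slim@sha256:<deps-digest> AS prod-deps
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev --ignore-scripts

# --- runtime stage: distroless, no shell, no package manager, uid 65532 ----
FROM gcr.io/distroless/nodejs22-debian13:nonroot@sha256:<runtime-digest>
WORKDIR /app
ENV NODE_ENV=production
# Chown by numeric id (65532 = nonroot) so it works even if name lookup fails.
COPY --from=prod-deps --chown=65532:65532 /app/node_modules ./node_modules
COPY --from=build     --chown=65532:65532 /app/dist ./dist
COPY --chown=65532:65532 package.json ./
EXPOSE 3000

# No /bin/sh or curl here: probe the health endpoint from node's global fetch
# (available in Node 22) and map HTTP success to exit status 0.
HEALTHCHECK --interval=10s --timeout=3s --start-period=15s --retries=3 \
  CMD ["/nodejs/bin/node", "-e", "fetch('http://127.0.0.1:3000/api/v1/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"]

# The distroless nodejs image's ENTRYPOINT is already /nodejs/bin/node,
# so CMD is just the script path (placeholder).
CMD ["dist/main.js"]
```

Scan the result with `trivy image --severity HIGH,CRITICAL --ignore-unfixed <image>`, the same flags the note uses. Two caveats worth keeping in mind: `--ignore-unfixed` suppresses findings that have no fixed package version yet, so "0 findings" means no fixable HIGH/CRITICAL rather than none at all, and a digest-pinned runtime base will not pick up a later distroless rebuild until the pin itself is refreshed.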
