[PR #4745] [CLOSED] [READONLY] Docker Scout alert and package upgrades #4744

Closed
opened 2026-02-22 18:36:26 -05:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/Mintplex-Labs/anything-llm/pull/4745
Author: @timothycarambat
Created: 12/9/2025
Status: Closed

Base: masterHead: docker-patches


📝 Commits (10+)

  • 5b4343a Resolution patches for
  • b3d8d5a Patch layers for CVEs
  • b17d2f8 fix typo
  • 8733fb9 patch cross spawn, body-parser, and tar-fs on server
  • 1b605bd Bump Major OS version to ubuntu 24
  • 935c53d patch Ubuntu 24 libs
  • a6c69a0 more patches. VEX execeptions to validate not in code path for known issues
  • 9981a5e replace bcrypt with bcryptjs
  • c42f198 new lockfile
  • 032b81b fix jws CVE

📊 Changes

12 files changed (+578 additions, -635 deletions)

View changed files

📝 .github/workflows/dev-build.yaml (+30 -30)
📝 collector/package.json (+5 -1)
📝 collector/yarn.lock (+92 -152)
📝 docker/Dockerfile (+15 -9)
docker/vex/CVE-2024-21538.vex.json (+22 -0)
📝 docker/vex/CVE-2024-29415.vex.json (+1 -1)
docker/vex/CVE-2024-37890.vex.json (+0 -22)
docker/vex/CVE-2025-12735.vex.json (+22 -0)
docker/vex/CVE-2025-13204.vex.json (+22 -0)
docker/vex/CVE-2025-64756.vex.json (+22 -0)
📝 server/package.json (+12 -5)
📝 server/yarn.lock (+335 -415)

📄 Description

Bumps Express to 4.20.x
Bumps MCP package to 1.24.x

Adds downstream resolutions for sub-deps that are not patched directly from core deps


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/Mintplex-Labs/anything-llm/pull/4745 **Author:** [@timothycarambat](https://github.com/timothycarambat) **Created:** 12/9/2025 **Status:** ❌ Closed **Base:** `master` ← **Head:** `docker-patches` --- ### 📝 Commits (10+) - [`5b4343a`](https://github.com/Mintplex-Labs/anything-llm/commit/5b4343a5f417e66366a8c1daae1a9f9107b4bf33) Resolution patches for - [`b3d8d5a`](https://github.com/Mintplex-Labs/anything-llm/commit/b3d8d5ad5c499409622e0b8589b591ab42a4f521) Patch layers for CVEs - [`b17d2f8`](https://github.com/Mintplex-Labs/anything-llm/commit/b17d2f80002127b2a7dde155f50445ba8c01d8f4) fix typo - [`8733fb9`](https://github.com/Mintplex-Labs/anything-llm/commit/8733fb916afc9f0539260a4e28679917d9857657) patch cross spawn, body-parser, and tar-fs on server - [`1b605bd`](https://github.com/Mintplex-Labs/anything-llm/commit/1b605bd4a81dae632db56077436da3fd73e5931c) Bump Major OS version to ubuntu 24 - [`935c53d`](https://github.com/Mintplex-Labs/anything-llm/commit/935c53d3cd4fad1bf8071a20b2e735bfb3aecd30) patch Ubuntu 24 libs - [`a6c69a0`](https://github.com/Mintplex-Labs/anything-llm/commit/a6c69a073e57935527bfdbca1da568c5deb1808e) more patches. VEX execeptions to validate not in code path for known issues - [`9981a5e`](https://github.com/Mintplex-Labs/anything-llm/commit/9981a5e400e48997b9877efde8789293dd9c276c) replace bcrypt with bcryptjs - [`c42f198`](https://github.com/Mintplex-Labs/anything-llm/commit/c42f19887022f5b1749ed93cc2d91f9d999fe732) new lockfile - [`032b81b`](https://github.com/Mintplex-Labs/anything-llm/commit/032b81b561bd775acefcdbe3606b8c65040ad4b2) fix jws CVE ### 📊 Changes **12 files changed** (+578 additions, -635 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/dev-build.yaml` (+30 -30) 📝 `collector/package.json` (+5 -1) 📝 `collector/yarn.lock` (+92 -152) 📝 `docker/Dockerfile` (+15 -9) ➕ `docker/vex/CVE-2024-21538.vex.json` (+22 -0) 📝 `docker/vex/CVE-2024-29415.vex.json` (+1 -1) ➖ `docker/vex/CVE-2024-37890.vex.json` (+0 -22) ➕ `docker/vex/CVE-2025-12735.vex.json` (+22 -0) ➕ `docker/vex/CVE-2025-13204.vex.json` (+22 -0) ➕ `docker/vex/CVE-2025-64756.vex.json` (+22 -0) 📝 `server/package.json` (+12 -5) 📝 `server/yarn.lock` (+335 -415) </details> ### 📄 Description Bumps Express to `4.20.x` Bumps `MCP` package to `1.24.x` Adds downstream resolutions for sub-deps that are not patched directly from core deps --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-02-22 18:36:26 -05:00
yindo closed this issue 2026-02-22 18:36:27 -05:00
yindo changed title from [PR #4745] [READONLY] Docker Scout alert and package upgrades to [PR #4745] [CLOSED] [READONLY] Docker Scout alert and package upgrades 2026-06-05 15:20:09 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#4744