Base image is vulnerable to exploits

[PayalKhanna]

The base image Debian 13 slim contains many CVEs, e.g., CVE-2020-36632

Please update the base image.

[MikeMcC399]

@PayalKhanna

Can you check that you really mean cypress/base? The current latest is cypress/base:22.18.0 and it is based on Debian 12.11.

Possibly you mean instead

cypress/included:cypress-14.5.4-node-22.18.0-chrome-139.0.7258.127-1-ff-141.0.3-edge-139.0.3405.86-1

When scanning this image with trivy, for instance with

trivy image --ignore-unfixed --pkg-types library --scanners vuln --severity CRITICAL cypress/included:cypress-14.5.4-node-22.18.0-chrome-139.0.7258.127-1-ff-141.0.3-edge-139.0.3405.86-1

it does indeed report CVE-2020-36632.

This is an upstream issue with the Cypress app that is logged as cypress-io/cypress#27763 in the Cypress repo which cannot be resolved in the Cypress Docker repo.

For an explanation about how security issues are handled in the Cypress Docker repo, please refer to the SECURITY document.

[MikeMcC399]

@PayalKhanna

Please let us know if you have any comments, otherwise I plan to close this issue.

[ja6a-regnosys]

Correct - original title should have said Debian 12 and not 13. Thank you for the information regarding how security issues are handled

[MikeMcC399]

@ja6a-regnosys

Correct - original title should have said Debian 12 and not 13. Thank you for the information regarding how security issues are handled

• The original report was generally a little mixed up, as there is no npm package flat installed in cypress/base for instance. I just tried to interpret it in the spirit that it was submitted in.

• I've added an update to CVE-2020-36632 reported in Trivy scan for flat dependency cypress#27763 after confirming that the flat vulnerability is still reported in the cypress/included:latest Cypress Docker image based on Cypress 15.0.0 that was released yesterday, Aug 20, 2025. That will be up to the Cypress.io team to address and it depends on Update mocha in Cypress binary to minimum 8.2.0 cypress#30167 being addressed.