Skip to content

Security advisory: Trivy supply chain compromise (GHSA-69fq-xp46-6x23)#203

Merged
ALARGECOMPANY merged 5 commits intomainfrom
security/trivy-advisory
Mar 22, 2026
Merged

Security advisory: Trivy supply chain compromise (GHSA-69fq-xp46-6x23)#203
ALARGECOMPANY merged 5 commits intomainfrom
security/trivy-advisory

Conversation

@s-b-e-n-s-o-n
Copy link
Contributor

@s-b-e-n-s-o-n s-b-e-n-s-o-n commented Mar 22, 2026

Summary

  • Add /security/trivy-supply-chain-march-2026 advisory page with full incident writeup
  • Add dismissible announcement banner to website root layout
  • Add [!IMPORTANT] banner to top of README
  • Pin trivy=0.69.3-r1 in Dockerfile (was unpinned)
  • Pin aquasec/trivy:0.69.3 in QA compose (was :latest)
  • Patch fast-xml-parser 5.5.6 → 5.5.8 (CVE-2026-33349)
  • Align biome schema version with installed 2.4.8

Drydock is not affected. No compromised GitHub Actions used, no CI runs during the exposure window, bundled Trivy is v0.69.3 (safe). Pins added as defense-in-depth.

Community response posted in Discussion #197.

Test plan

  • Website builds clean (174 pages, 0 errors)
  • Advisory page renders with card background, badges, tables
  • Banner dismissible via localStorage
  • All lefthook gates pass (biome, qlty, build-and-test, e2e, clean-tree)
  • fast-xml-parser 5.5.6 fully removed from both lockfiles

🤖 Generated with Claude Code

@s-b-e-n-s-o-n
🔒 security(web): add Trivy supply chain advisory page and site banner
8c3305c 
- Add /security/trivy-supply-chain-march-2026 page with full writeup
  covering the GHSA-69fq-xp46-6x23 incident, exposure analysis, and
  user recommendations
- Add dismissible AnnouncementBanner component to root layout
- Add advisory page to sitemap
@s-b-e-n-s-o-n
🔒 security: pin Trivy versions and correct advisory
bb54daf 
- Pin trivy=0.69.3-r1 in Dockerfile (was unpinned)
- Pin aquasec/trivy:0.69.3 in QA compose (was :latest)
- Add correction note to advisory page for transparency
- Add timeline entry for post-publication hardening
@s-b-e-n-s-o-n
📝 docs: add Trivy advisory banner to README
a09ae47
@s-b-e-n-s-o-n
🔧 chore: align biome schema version with installed 2.4.8
f5814e6
@s-b-e-n-s-o-n
📦 deps: patch fast-xml-parser CVE-2026-33349
0bef865 
Update fast-xml-parser 5.5.6 → 5.5.8 in app and e2e lockfiles
to resolve GHSA-jp2q-39xq-3w4g (medium severity).
@vercel
Copy link

vercel bot commented Mar 22, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
drydock-demo Ready Ready Preview, Comment Mar 22, 2026 6:34pm
drydock-website Ready Ready Preview, Comment Mar 22, 2026 6:34pm

@ALARGECOMPANY ALARGECOMPANY merged commit bf3db1d into main Mar 22, 2026
16 checks passed
@ALARGECOMPANY ALARGECOMPANY deleted the security/trivy-advisory branch March 22, 2026 18:46
@codecov
Copy link

codecov bot commented Mar 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@biggest-littlest biggest-littlest biggest-littlest approved these changes

@ALARGECOMPANY ALARGECOMPANY ALARGECOMPANY approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@s-b-e-n-s-o-n @biggest-littlest @ALARGECOMPANY