…cker Scout - Bump version to v3.0.1 - Manually unpack and overwrite npm's bundled picomatch@4.0.4 and brace-expansion@5.0.5 in the Docker builder image to clear CVE-2026-33671, CVE-2026-33672, and CVE-2026-33750.
Pull request overview
Patch release to address Docker Scout-reported vulnerabilities in the Docker base image’s bundled npm dependencies, following the v3.0.0 release.
Changes:
- Added v3.0.1 release notes describing the vulnerability patches.
- Bumped project version to 3.0.1 in package.json and package-lock.json.
- Added Docker build steps to manually update npm-bundled picomatch and brace-expansion.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| releases/v3.0.1.md | Adds release notes for the v3.0.1 vulnerability patch. |
| package.json | Bumps package version to 3.0.1. |
| package-lock.json | Aligns lockfile version metadata with 3.0.1. |
| Dockerfile | Adds manual npm-bundled dependency patch steps for picomatch and brace-expansion. |
| # Fix CVE-2026-33671, CVE-2026-33672: Manually update npm's bundled picomatch to 4.0.4 | ||
| RUN cd /usr/local/lib/node_modules/npm && \ | ||
| npm pack picomatch@4.0.4 && \ | ||
| rm -rf node_modules/picomatch && \ | ||
| tar -xzf picomatch-4.0.4.tgz && \ | ||
| mv package node_modules/picomatch && \ | ||
| rm picomatch-4.0.4.tgz | ||
|
|
||
| # Fix CVE-2026-33750: Manually update npm's bundled brace-expansion to 5.0.5 | ||
| RUN cd /usr/local/lib/node_modules/npm && \ | ||
| npm pack brace-expansion@5.0.5 && \ | ||
| rm -rf node_modules/brace-expansion && \ | ||
| tar -xzf brace-expansion-5.0.5.tgz && \ | ||
| mv package node_modules/brace-expansion && \ | ||
| rm brace-expansion-5.0.5.tgz |
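Review bot: both RUN steps unpack the tarball that `npm pack` just downloaded straight into npm's tree without checking its integrity, and nothing in the hunk confirms that the directory being replaced is the only copy of the package under `/usr/local/lib/node_modules/npm`. Record the expected digest before extraction (`npm pack --json` prints the tarball's shasum and integrity, as does `npm view picomatch@4.0.4 dist.shasum`) and compare it against the downloaded file before `tar -xzf`, then end each step with a `find node_modules -path '*/picomatch/package.json'` pass that fails the build if any remaining copy still reports the old version. The two steps are also identical apart from the package name and version; a single RUN with a small loop over `picomatch@4.0.4 brace-expansion@5.0.5` would cost one layer instead of two and make the same steps easier to mirror in the production stage.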
The new npm-bundled picomatch / brace-expansion patch steps are only applied in the builder stage. The final production image (second FROM node:24-alpine) still installs npm@latest but does not apply these two manual updates, so the published image may remain vulnerable / still flagged by Docker Scout. Mirror these two patch RUN steps in the production stage as well (near the other npm-bundled patch steps).
| { | ||
| "name": "@neverinfamous/postgres-mcp", | ||
| "version": "3.0.0", | ||
| "version": "3.0.1", |
Version is bumped to 3.0.1 here, but there are still hardcoded 3.0.0 version strings elsewhere in release-related metadata (e.g., Dockerfile has LABEL version="3.0.0", and server.json reports "version": "3.0.0" / docker identifier tag). For a patch release, these should be updated to 3.0.1 to avoid mismatched published artifacts and registry metadata.
v3.0.1 - Vulnerability Patch
This patch release addresses vulnerabilities detected by Docker Scout in the base image's bundled npm dependencies immediately following the v3.0.0 release.
Security
- picomatch: Updated npm's bundled picomatch dependency to 4.0.4 to resolve CVE-2026-33671 (Inefficient Regular Expression Complexity) and CVE-2026-33672 (Prototype Pollution).
- brace-expansion: Updated npm's bundled brace-expansion dependency to 5.0.5 to resolve CVE-2026-33750 (Uncontrolled Resource Consumption).

(Docker images for v3.0.0 were blocked from publishing; users should pull and use the v3.0.1 images.)
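Added example, not code from this PR or the project: a POSIX sh check to run inside the built image that finds every copy of a bundled package under npm's tree, nested copies included, and fails if any is below the patched version. It assumes the `/usr/local/lib/node_modules/npm` path from the Dockerfile, plain dotted versions such as 4.0.4, and paths without spaces; the package names and minimum versions come from the release notes above.

```shell
# Added example (not from the PR): verify an npm-bundled dependency patch landed in
# every copy under the npm tree. Assumes dotted versions (4.0.4) and space-free paths.

# version_ge A B: succeed when dotted version A >= B (up to three components).
version_ge() {
  a="$1"; b="$2"; i=1
  while [ "$i" -le 3 ]; do
    ai=$(printf '%s' "$a" | cut -d. -f"$i"); bi=$(printf '%s' "$b" | cut -d. -f"$i")
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# pkg_version FILE: print the "version" field of a package.json without jq or node
# (neither is guaranteed in node:24-alpine).
pkg_version() {
  sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_bundled ROOT NAME MIN: report every node_modules/NAME copy under ROOT.
# Returns 0 if all copies are >= MIN, 1 if any is older, 2 if none was found
# (a missing copy would otherwise hide an unpatched dependency from the check).
check_bundled() {
  root="$1"; name="$2"; min="$3"; bad=0; found=0
  for pj in $(find "$root" -path "*/node_modules/$name/package.json" 2>/dev/null); do
    found=1
    v=$(pkg_version "$pj")
    if version_ge "$v" "$min"; then
      echo "ok        $name@$v  $pj"
    else
      echo "OUTDATED  $name@$v  $pj (need >= $min)"
      bad=1
    fi
  done
  if [ "$found" -eq 0 ]; then
    echo "MISSING   $name under $root"
    return 2
  fi
  return "$bad"
}

# Inside the image, for the two packages in this release:
#   sh check_bundled.sh /usr/local/lib/node_modules/npm picomatch 4.0.4
#   sh check_bundled.sh /usr/local/lib/node_modules/npm brace-expansion 5.0.5
if [ $# -eq 3 ]; then
  check_bundled "$1" "$2" "$3"
fi
```

Running it against both the builder and the final stage (a `RUN` after the patch steps, or `docker run --rm <image> sh check_bundled.sh ...`) catches the case where only one stage was patched.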