From 19c59a2fb391b4f0a1bd8b2fca44cf714749304b Mon Sep 17 00:00:00 2001 From: docker-claude Date: Mon, 20 Apr 2026 15:14:58 +0200 Subject: [PATCH] fix(docker): upgrade npm to remediate 11 HIGH CVEs in bundled dependencies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit All findings are in npm's own bundled packages (cross-spawn, glob, minimatch, tar). Upgrading npm to latest pulls in the patched versions: - cross-spawn ≥7.0.5 (CVE-2024-21538) - glob ≥10.5.0 (CVE-2025-64756) - minimatch ≥9.0.6 (CVE-2026-26996, CVE-2026-27903, CVE-2026-27904) - tar ≥7.5.11 (CVE-2026-23745, CVE-2026-23950, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786, CVE-2026-31802) Co-Authored-By: Claude Sonnet 4.6 --- claude/Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/claude/Dockerfile b/claude/Dockerfile index 915f271..cd9cce4 100644 --- a/claude/Dockerfile +++ b/claude/Dockerfile @@ -1,5 +1,9 @@ FROM node:20-alpine +# Upgrade npm to pull in patched bundled deps (cross-spawn, glob, minimatch, tar) +# CVEs: CVE-2024-21538, CVE-2025-64756, CVE-2026-26996/27903/27904, CVE-2026-23745/23950/24842/26960/29786/31802 +RUN npm install -g npm@latest + # Install runtime dependencies RUN apk add --no-cache \ git \
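Review bot: `RUN npm install -g npm@latest` leaves the remediation unpinned — whatever npm release is current at build time gets installed, so the image is not reproducible, the layer is silently rebuilt on every upstream npm release, and nothing in the Dockerfile lets a reader or a scanner confirm that the bundled cross-spawn, glob, minimatch and tar versions named in the comment are actually the ones shipped. Pin the release the change was verified against, e.g. `RUN npm install -g npm@<NPM_VERSION_VERIFIED_TO_BUNDLE_PATCHED_DEPS>`, and let future CVE fixes land as an explicit version bump rather than via `@latest`. The global install also writes npm's download cache into this layer; append `&& npm cache clean --force` (or use a BuildKit `--mount=type=cache,target=/root/.npm`) so that cache does not end up in the image. Those two changes would also satisfy the usual hadolint findings for unpinned npm installs.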