[BUG] Fix cve on new patch

[orlovds]

Environment

Self-Hosted (Docker)

System

No response

Version

3.1.1

Describe the problem

Good day
Is it possible to fix vulnerabilities in the new patch (attached report)?

Thank you in advance

Vulnerability_Report_Dashy.pdf

Additional info

Good day
Is it possible to fix vulnerabilities in the new patch (attached report)?

Thank you in advance

Please tick the boxes

• You have explained the issue clearly, and included all relevant info
• You are using a supported version of Dashy
• You've checked that this issue hasn't already been raised
• You've checked the docs and troubleshooting guide
• You agree to the code of conduct

[CrazyWolf13]

Hi
Appreciate the time for the report!

I think you'll be best off sending an email to @Lissy93 [email protected]

Lately it has been a bit quiet around her and especially dashy.

PS: Therefore I wouldn't expect a quick fix.

[Lissy93]

Hi there @orlovds and @CrazyWolf13, thanks for raising this and including the Trivy scan output. I appreciate your attention to security.

Appologies for not being more present here recently. I'll work more on Dashy again over the next few weeks, and slowly catchup on issues.

---

Most of the issues flagged here are related to dependencies of dependencies or the base Alpine/Node image — not Dashy’s own code. This is common across most modern Dockerized Node apps. And none of the flagged vulnerabilities are known to be directly exploitable in Dashy’s current usage.

In short, these automated reports are a helpful reference but don’t necessarily imply exploitable vulnerabilities in context. Still, I’ll go through and address what’s actionable.

[CrazyWolf13]

Hi @Lissy93

Did not expect that reply, thanks for chiming back in :)

Yeah that's what I expected but thought I would let you judge on this.

Feel free to reply to me on matrix, if you want to pick up dashy again.

[orlovds]

@Lissy93 many thanks