Contributor

@joeyorlando joeyorlando commented Nov 26, 2025

Hi there! 👋

First off, great library, we use this over in archestra-ai/archestra.

Docker Scout security scans seem to pick up v11.3.0 of this library as a false-positive for CVE-2023-2968:

Screenshot 2025-11-26 at 11 50 35 AM

(see "Package location" path under the first vulnerability in my screenshot).

I think by simply renaming the name of examples/reconnection/proxy/package.json that should address that?

Signed-off-by: Joey Orlando <joey@archestra.ai>
@Fdawgs Fdawgs requested a review from Copilot November 27, 2025 06:41
Copilot finished reviewing on behalf of Fdawgs November 27, 2025 06:42
Copilot AI left a comment

Pull request overview

This PR addresses a false-positive security vulnerability (CVE-2023-2968) that Docker Scout security scanners detect when encountering a generic package name "proxy" in the examples directory. The change renames the package to a more specific name to avoid triggering security scanners.

  • Renamed the package name from "proxy" to "fastify-http-proxy-reconnection-proxy-example" to avoid false-positive CVE detection

Signed-off-by: Frazer Smith <frazer.dev@icloud.com>
Member

@mcollina mcollina left a comment

lgtm

@mcollina mcollina merged commit bbe97fb into fastify:main Nov 27, 2025
14 checks passed
@joeyorlando
Contributor Author

can confirm that this fixed that false-positive, thanks for merging @mcollina & @Fdawgs !
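
Added example, not part of the pull request or the project's code: a Node.js script that lists the nested package.json files in a checkout, with the name and version a scanner would read from each, and flags bare single-word names like the "proxy" value discussed in this thread. The flagging rule, the temporary sample tree, the placeholder versions and the `examples/renamed` path are constructed assumptions.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Heuristic (assumption): an unscoped single-word name such as "proxy" can
// collide with an unrelated published package of the same name.
const isGenericName = (name) => typeof name === 'string' && /^[a-z0-9]+$/.test(name);

// Return every package.json below the root manifest (node_modules skipped)
// with the name and version a scanner would read from it.
function findNestedManifests(root) {
  const found = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) {
        if (entry.name !== 'node_modules') walk(full);
      } else if (entry.name === 'package.json' && dir !== root) {
        let manifest;
        try {
          manifest = JSON.parse(fs.readFileSync(full, 'utf8'));
        } catch {
          continue; // unparseable manifest: skip it
        }
        const file = path.relative(root, full).split(path.sep).join('/');
        const { name, version } = manifest || {};
        found.push({ file, name, version, generic: isGenericName(name) });
      }
    }
  };
  walk(root);
  return found.sort((a, b) => a.file.localeCompare(b.file));
}

// Constructed sample tree: one example manifest with the old bare name and
// one (hypothetical path) with the renamed value from this pull request.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'manifests-'));
  const write = (rel, json) => {
    const file = path.join(root, rel);
    fs.mkdirSync(path.dirname(file), { recursive: true });
    fs.writeFileSync(file, JSON.stringify(json));
  };
  write('package.json', { name: 'constructed-root', version: '0.0.0' });
  write('examples/reconnection/proxy/package.json', { name: 'proxy', version: '0.0.0' });
  write('examples/renamed/package.json', { name: 'fastify-http-proxy-reconnection-proxy-example', version: '0.0.0' });
  return root;
}

console.table(findNestedManifests(buildSampleTree()));
```

Pointing `findNestedManifests` at a real checkout shows which example or fixture manifests ship alongside the library and would appear in a scanner's package inventory.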
