
chore: update snyk-docker-plugin to v9.6.5#6729

Open
d3vco wants to merge 1 commit into main from chore/update-snyk-docker-plugin-9.5.3

Conversation

@d3vco d3vco commented Apr 15, 2026

Pull Request Submission Checklist

What does this PR do?

This PR updates snyk-docker-plugin from 9.6.0 to 9.6.5. This brings in these changes:

Features:

  • improve Dockerfile attribution and base image exclusion
  • enable Kaniko archive

Bug Fixes:

  • prevent temp directory leak in node-modules-utils

Sub-dependency updates:

  • update snyk-nodejs-lockfile-parser

Where should the reviewer start?

Review the package.json and package-lock.json files.

How should this be manually tested?

What's the product update that needs to be communicated to CLI users?

  • Support for Kaniko Archives: A bug has been resolved enabling scanning container images built with Kaniko and saved as archives. This was previously advertised as supported (e.g. docs) but the bug prevented this in practice.
  • Improved Dockerfile Attribution: A fix in snyk-docker-plugin improves how vulnerabilities are attributed to Dockerfile instructions. By addressing a bug in how package names and their transitive dependencies are mapped, the CLI will more accurately differentiate between vulnerabilities introduced by the Dockerfile (e.g., via RUN apt-get install) versus those inherited from the base image. This fix also enables the --exclude-base-image-vulns flag in snyk container monitor. A change will be submitted to the CLI docs to reflect this.

Risk assessment

Low

What are the relevant tickets?

https://snyksec.atlassian.net/browse/CN-568
https://snyksec.atlassian.net/browse/CN-942

Features:
- parse JVM release file
- improve Dockerfile attribution and base image exclusion
- enable Kaniko archive

Bug Fixes:
- prevent temp directory leak in node-modules-utils

Sub-dependency updates:
- update snyk-nodejs-lockfile-parser
@d3vco d3vco requested review from a team as code owners April 15, 2026 15:23

snyk-io bot commented Apr 15, 2026

Snyk checks have passed. No issues have been found so far.

Status   Scan Engine             Critical   High   Medium   Low   Total
passed   Open Source Security    0          0      0        0     0 issues
passed   Licenses                0          0      0        0     0 issues
passed   Code Security           0          0      0        0     0 issues


@snyk-pr-review-bot

PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Runtime Dependency Regression 🔴 [critical]

Several core dependencies, including @octokit/rest, asynckit, combined-stream, and node-fetch, have been incorrectly marked with "dev": true. Since these are listed under dependencies in the root package.json, marking them as dev in the lockfile ensures they will be excluded during production installs (e.g., when building the CLI binary or Docker image). This will result in MODULE_NOT_FOUND errors at runtime. For example, @octokit/rest is used by the packages/cli-alert workspace.

  "dev": true,
  "license": "MIT",
  "dependencies": {
    "@octokit/types": "^6.0.3"
  }
},
"node_modules/@octokit/core": {
  "version": "3.5.1",
  "dev": true,
  "license": "MIT",
  "dependencies": {
    "@octokit/auth-token": "^2.4.4",
    "@octokit/graphql": "^4.5.8",
    "@octokit/request": "^5.6.0",
    "@octokit/request-error": "^2.0.5",
    "@octokit/types": "^6.0.3",
    "before-after-hook": "^2.2.0",
    "universal-user-agent": "^6.0.0"
  }
},
"node_modules/@octokit/core/node_modules/@octokit/request-error": {
  "version": "2.1.0",
  "dev": true,
  "license": "MIT",
  "dependencies": {
    "@octokit/types": "^6.0.3",
    "deprecation": "^2.0.0",
    "once": "^1.4.0"
  }
},
"node_modules/@octokit/core/node_modules/universal-user-agent": {
  "version": "6.0.0",
  "dev": true,
  "license": "ISC"
},
"node_modules/@octokit/endpoint": {
  "version": "6.0.12",
  "dev": true,
  "license": "MIT",
  "dependencies": {
    "@octokit/types": "^6.0.3",
    "is-plain-object": "^5.0.0",
    "universal-user-agent": "^6.0.0"
  }
},
"node_modules/@octokit/endpoint/node_modules/universal-user-agent": {
  "version": "6.0.0",
  "dev": true,
  "license": "ISC"
},
"node_modules/@octokit/graphql": {
  "version": "4.6.4",
  "dev": true,
  "license": "MIT",
  "dependencies": {
    "@octokit/request": "^5.6.0",
    "@octokit/types": "^6.0.3",
    "universal-user-agent": "^6.0.0"
  }
},
"node_modules/@octokit/graphql/node_modules/universal-user-agent": {
  "version": "6.0.0",
  "dev": true,
  "license": "ISC"
},
"node_modules/@octokit/openapi-types": {
  "version": "12.11.0",
  "dev": true,
  "license": "MIT"
},
"node_modules/@octokit/plugin-paginate-rest": {
  "version": "2.21.3",
  "dev": true,
  "license": "MIT",
  "dependencies": {
    "@octokit/types": "^6.40.0"
  },
  "peerDependencies": {
    "@octokit/core": ">=2"
  }
},
"node_modules/@octokit/plugin-request-log": {
  "version": "1.0.4",
  "dev": true,
  "license": "MIT",
  "peerDependencies": {
    "@octokit/core": ">=3"
  }
},
"node_modules/@octokit/plugin-rest-endpoint-methods": {
  "version": "5.16.2",
  "dev": true,
  "license": "MIT",
  "dependencies": {
    "@octokit/types": "^6.39.0",
    "deprecation": "^2.3.1"
  },
  "peerDependencies": {
    "@octokit/core": ">=3"
  }
},
"node_modules/@octokit/request": {
  "version": "5.6.1",
  "dev": true,
  "license": "MIT",
  "dependencies": {
    "@octokit/endpoint": "^6.0.1",
    "@octokit/request-error": "^2.1.0",
    "@octokit/types": "^6.16.1",
    "is-plain-object": "^5.0.0",
    "node-fetch": "^2.6.1",
    "universal-user-agent": "^6.0.0"
  }
},
"node_modules/@octokit/request-error": {
  "version": "1.2.1",
  "dev": true,
  "license": "MIT",
  "dependencies": {
    "@octokit/types": "^2.0.0",
    "deprecation": "^2.0.0",
    "once": "^1.4.0"
  }
},
"node_modules/@octokit/request-error/node_modules/@octokit/types": {
  "version": "2.16.2",
  "dev": true,
  "license": "MIT",
  "dependencies": {
    "@types/node": ">= 8"
  }
},
"node_modules/@octokit/request/node_modules/@octokit/request-error": {
  "version": "2.1.0",
  "dev": true,
  "license": "MIT",
  "dependencies": {
    "@octokit/types": "^6.0.3",
    "deprecation": "^2.0.0",
    "once": "^1.4.0"
  }
},
"node_modules/@octokit/request/node_modules/universal-user-agent": {
  "version": "6.0.0",
  "dev": true,
  "license": "ISC"
},
"node_modules/@octokit/rest": {
  "version": "18.12.0",
  "dev": true,
  "license": "MIT",
  "dependencies": {
    "@octokit/core": "^3.5.1",
    "@octokit/plugin-paginate-rest": "^2.16.8",
    "@octokit/plugin-request-log": "^1.0.4",
    "@octokit/plugin-rest-endpoint-methods": "^5.12.0"
  }
},
"node_modules/@octokit/types": {
  "version": "6.41.0",
  "dev": true,

Missing Dependencies 🟠 [major]

The package @pagerduty/pdjs and @slack/types have been removed from the lockfile. However, the in-file context for packages/cli-alert shows it still explicitly depends on @pagerduty/pdjs. Removing these from the lockfile while they are still referenced by workspace packages will cause installation failures or broken workspace builds.

"node_modules/@pkgjs/parseargs": {

📚 Repository Context Analyzed

This review considered 10 relevant code sections from 2 files (average relevance: 0.64)
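The PR description asks the reviewer to start with package.json and package-lock.json, and the two findings above (runtime packages whose lock entries carry "dev": true, and a workspace dependency that has vanished from the lockfile) are both mechanical to check before a lockfile change is merged. The script below is an added example written for this page, not code from the Snyk CLI repository or from either bot. It walks an npm lockfileVersion 2/3 package-lock.json the way `npm ci --omit=dev` would, following each runtime dependency (direct and transitive, root and workspaces) to its lock entry, and reports both classes of regression. The inline lockfile and manifests are constructed sample data modelled on the review's description, not the real files, and `resolveDep` and `findLockfileRegressions` are hypothetical helper names.

```javascript
// Added example (not Snyk CLI or review-bot code): cross-check an npm
// package-lock.json (lockfileVersion 2/3 "packages" map) against the runtime
// dependencies declared by the root package.json and each workspace manifest.
// It reports the two regressions the review describes:
//   1. a runtime package (direct or transitive) whose lock entry carries
//      "dev": true, which `npm ci --omit=dev` would therefore not install;
//   2. a declared runtime dependency with no lock entry at all.
// `resolveDep` and `findLockfileRegressions` are hypothetical helper names.

// Resolve dependency `name` as npm does from the package at lock path
// `fromPath` ("" is the project root): nearest node_modules first, then walk
// outward until the hoisted top-level node_modules has been tried.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (Object.prototype.hasOwnProperty.call(packages, candidate)) return candidate;
    if (base === "") return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// `manifests` maps lock paths ("" for the root, "packages/<ws>" for each
// workspace) to their parsed package.json. Only `dependencies` are walked,
// because that is the set a production install must provide.
function findLockfileRegressions(lock, manifests) {
  const packages = lock.packages || {};
  const devMarkedRuntime = new Map(); // lock path -> version
  const missingFromLock = new Set();  // "owner -> name"
  const seen = new Set();
  const queue = Object.entries(manifests).map(([p, m]) => [p, m.dependencies || {}]);

  while (queue.length) {
    const [ownerPath, deps] = queue.shift();
    for (const name of Object.keys(deps)) {
      const target = resolveDep(packages, ownerPath, name);
      if (target === null) {
        missingFromLock.add(`${ownerPath || "(root)"} -> ${name}`);
        continue;
      }
      if (seen.has(target)) continue;
      seen.add(target);
      const entry = packages[target];
      // Workspace symlinks ("link": true) point at another lock path; follow them.
      const realPath = entry.link ? entry.resolved : target;
      const realEntry = packages[realPath] || entry;
      if (realEntry.dev === true) devMarkedRuntime.set(target, realEntry.version);
      queue.push([realPath, realEntry.dependencies || {}]);
    }
  }
  return {
    devMarkedRuntime: [...devMarkedRuntime]
      .map(([path, version]) => ({ path, version }))
      .sort((a, b) => a.path.localeCompare(b.path)),
    missingFromLock: [...missingFromLock].sort(),
  };
}

// Constructed sample data modelled on the review's finding (not the real files):
// @octokit/rest and its subtree are wrongly flagged dev-only, node-fetch is fine,
// and @pagerduty/pdjs, still declared by packages/cli-alert, has no lock entry.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@octokit/rest": "^18.12.0", "node-fetch": "^2.6.1" } },
    "packages/cli-alert": {
      name: "cli-alert",
      dependencies: { "@octokit/rest": "^18.12.0", "@pagerduty/pdjs": "^2.2.4" },
    },
    "node_modules/cli-alert": { resolved: "packages/cli-alert", link: true },
    "node_modules/@octokit/rest": {
      version: "18.12.0", dev: true, dependencies: { "@octokit/core": "^3.5.1" },
    },
    "node_modules/@octokit/core": {
      version: "3.5.1", dev: true, dependencies: { "universal-user-agent": "^6.0.0" },
    },
    "node_modules/@octokit/core/node_modules/universal-user-agent": { version: "6.0.0", dev: true },
    "node_modules/node-fetch": { version: "2.6.7" },
  },
};

const SAMPLE_MANIFESTS = {
  "": { dependencies: { "@octokit/rest": "^18.12.0", "node-fetch": "^2.6.1" } },
  "packages/cli-alert": {
    dependencies: { "@octokit/rest": "^18.12.0", "@pagerduty/pdjs": "^2.2.4" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(findLockfileRegressions(SAMPLE_LOCK, SAMPLE_MANIFESTS), null, 2));
}
```

On a real checkout, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` as the lock and a map of the root and each workspace package.json keyed by their lock paths. For a PR whose stated scope is a single plugin bump, the expected result is two empty lists; anything reported means the lockfile was regenerated against a different dependency set than the manifests in git, which is exactly the situation the "dev": true flags above indicate.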



1 participant