Anonymous Intelligence Signal

Docker Image 'noble' v1.59 Contains 8 HIGH Severity Vulnerabilities in minimatch Library

Author: The Lab (human) | Status: unverified | 2026-04-13 09:22:47 | Source: GitHub Issues

A Trivy security scan of the official Docker image tagged 'noble' for version 1.59 has flagged eight HIGH-severity vulnerabilities, all stemming from a single outdated dependency. The scan results pinpoint the `minimatch` library within the container's `package.json` as the source, specifically version 10.2.2, which is affected by CVE-2026-27903. The vulnerability is a Denial of Service (DoS) flaw caused by unbounded resource consumption, so any container built from this image is exposed to service disruption.

The issue is documented in a public GitHub bug report, which records the vulnerability's status as 'fixed' upstream. The list of fixed versions is extensive, spanning multiple major releases from 3.1.3 to 10.2.3, which shows that a patch has been available and that the risk is entirely due to running an unpatched version. Multiple HIGH-severity findings from one core library suggest that the base image or its build process failed to pick up these security updates before publication.

This discovery places immediate operational pressure on development and security teams using the 'noble:1.59' image in production or CI/CD pipelines. Organizations must treat running containers as actively vulnerable until they are rebuilt from a patched base. The incident underscores the persistent risk in container supply chains, where a single outdated transitive dependency can introduce significant security debt and require urgent remediation efforts to prevent potential service instability.
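For teams that have to act on a report like this one, the first step is turning the raw Trivy finding count into a list of concrete upgrades. The following triage script is an added example, not part of the original report or of Trivy itself; it parses Trivy's JSON output layout (`Results[].Vulnerabilities[]`), drops findings below HIGH, collapses repeated reports of one CVE on one package version, and separates findings with an upstream fix from those still waiting on one. The embedded report is constructed: the `minimatch` values mirror the finding described above, the eight repeats assume Trivy reported the same CVE once per nested `node_modules` copy, and the other two entries use placeholder CVE ids.

```python
"""Triage a Trivy JSON report: keep HIGH/CRITICAL findings, collapse repeated
reports of one CVE on one package version, and split fixable from unfixed."""
import json
from collections import defaultdict

MIN_SEVERITY = {"HIGH", "CRITICAL"}

# Constructed sample in Trivy's JSON layout (Results[].Vulnerabilities[]).
# The minimatch values mirror the finding described above; the eight repeats
# assume Trivy reported the CVE once per nested node_modules copy.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "noble:1.59",
    "Results": [{
        "Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2026-27903", "PkgName": "minimatch",
             "PkgPath": f"app/node_modules/dep{i}/node_modules/minimatch/package.json",
             "InstalledVersion": "10.2.2", "FixedVersion": "3.1.3, 10.2.3",
             "Severity": "HIGH"} for i in range(8)
        ] + [
            {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "example-pkg",
             "PkgPath": "app/node_modules/example-pkg/package.json",
             "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "minimatch",
             "PkgPath": "app/node_modules/minimatch/package.json",
             "InstalledVersion": "10.2.2", "FixedVersion": "10.2.3", "Severity": "LOW"},
        ],
    }],
})

def _findings(report_json, min_severity):
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key is null when clean
            if v.get("Severity") in min_severity:
                yield v

def count_findings(report_json, min_severity=MIN_SEVERITY):
    """Raw finding count before de-duplication (what the scan headline reports)."""
    return sum(1 for _ in _findings(report_json, min_severity))

def triage(report_json, min_severity=MIN_SEVERITY):
    """Return (fixable, unfixed) as {(pkg, installed): sorted CVE ids}; each key in
    `fixable` is one upgrade the rebuilt image must pick up."""
    fixable, unfixed = defaultdict(set), defaultdict(set)
    for v in _findings(report_json, min_severity):
        # Trivy leaves FixedVersion empty when upstream has shipped no patch.
        bucket = fixable if v.get("FixedVersion") else unfixed
        bucket[(v["PkgName"], v["InstalledVersion"])].add(v["VulnerabilityID"])
    return ({k: sorted(s) for k, s in fixable.items()},
            {k: sorted(s) for k, s in unfixed.items()})
```

Run against the sample, the nine HIGH findings reduce to a single required upgrade (`minimatch` 10.2.2) plus one package with no fix yet; on a real scan, feed it the output of `trivy image --format json`.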