New User of DevKinsta & Docker

Hello,

I’ve decided to use DevKinsta and Docker over a MAMP Pro install due to being a Kinsta customer, and the ability to access my online sites and work with them offline seemed (I thought) a no-brainer.

I’ve installed everything and all is working well… but I happened to click on the images and found that devkinsta_nginx:1.3.5 has a load of vulnerabilities… So my questions are:

  1. I’m assuming I can’t patch those vulnerabilities myself?
  2. If I can’t, should I just wait for a new update of the devkinsta_nginx image and others?
  3. Is it safe to use, even when some of these vulnerabilities are marked as high (e.g. if I’m just working on my Mac at home on my own Wi-Fi network, these vulnerabilities can’t allow someone from outside to access my computer)?

I kind of wanted to use something like this so I can tinker around offline without breaking anything, but seeing all these vulnerabilities made me freak. Any reassurance would be greatly received.

Thanks for reading,
James

Hi @JustJames! Welcome to the Kinsta community!

Thank you for reaching out to us. We appreciate you bringing this to our attention.

I can certainly understand the concern discovering a software vulnerability can cause. We always strive to ship recent versions of software with DevKinsta. I have reviewed the devkinsta_nginx:1.3.5 container, and do see that it is running NGINX version 1.25.3, which is quite up to date. However, I do see it appears a couple of security reports have popped up regarding this version. I am going to be forwarding this information to our development team to see if we can get NGINX updated to a later version on a future update to this container.

I’ll also answer your questions in order:

  1. You are correct that this isn’t something that can be patched directly. Upon an update, or if the container is deleted, our image would be redeployed with the version of software included.

  2. This is up to you; however, given the software is running within a Docker container and access is contained to your local system, exposure of any vulnerability would be limited.

  3. Given DevKinsta is designed to run locally on your system within a containerized environment, exposure of any vulnerability is limited. Additionally, if you are not directly port forwarding or opening any ports on your local Wi-Fi network, that should further prevent access to devices from outside of your network.

Thank you again for reporting this! Our development team will review this matter further and ensure we release an updated version as soon as possible!

If you do have any further questions please don’t hesitate to reply!

Best regards
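
One way to check the point about opened ports raised in the reply above, as an added example that is not part of the original thread and is not Kinsta's code: the script reads `docker ps` port listings and reports whether each published port is bound to loopback only or to every host interface. The container names and port bindings in the sample input are constructed and do not describe DevKinsta's actual configuration.

```shell
#!/bin/sh
# Added example: classify Docker published ports by the host address they bind to.
# Live use:  docker ps --format '{{.Names}}\t{{.Ports}}' | classify_ports

# Reads "<name><TAB><ports>" lines; prints "<name><TAB><mapping><TAB><scope>".
classify_ports() {
    awk -F '\t' '{
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m == "") continue
            if (index(m, "->") == 0) {          # e.g. "9000/tcp": container-only
                printf "%s\t%s\tnot-published\n", $1, m
                continue
            }
            addr = m
            sub(/->.*/, "", addr)               # keep "<addr>:<hostport>"
            sub(/:[0-9-]+$/, "", addr)          # drop host port or port range
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1")
                scope = "loopback-only"
            else if (addr == "0.0.0.0" || addr == "::" || addr == "[::]")
                scope = "all-interfaces"        # reachable from the LAN
            else
                scope = "specific-address"
            printf "%s\t%s\t%s\n", $1, m, scope
        }
    }'
}

# Names of containers with at least one port bound on every host interface.
list_exposed() {
    classify_ports | awk -F '\t' '$3 == "all-interfaces" { print $1 }' | sort -u
}

# Constructed sample input (hypothetical names, not DevKinsta's real bindings).
sample_ps_output() {
    printf '%s\t%s\n' example_web '0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp'
    printf '%s\t%s\n' example_db  '127.0.0.1:15100->3306/tcp'
    printf '%s\t%s\n' example_app '9000/tcp'
}

sample_ps_output | classify_ports
```

A port reported as `all-interfaces` is reachable from other devices on the same network unless a host firewall blocks it; `loopback-only` and `not-published` ports are not.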