Summary
Once the Node.js base image (node:25-bookworm-slim) ships an npm version that bundles picomatch >= 4.0.4, remove the .trivyignore entry for CVE-2026-33671.
How to verify
docker run --rm node:25-bookworm-slim npm ls picomatch --global
If no 4.0.3 appears in the output, it is safe to remove the entry and confirm with make scan.
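The check above can be scripted. This is an added example, not part of the original issue. It generalizes "no 4.0.3 in the output" to "no picomatch version below 4.0.4", which is an assumption; the function names and the sample `npm ls` trees are constructed for illustration.

```shell
#!/usr/bin/env bash
FIXED="4.0.4"   # first fixed picomatch release named in the issue

# stdin:  output of `npm ls picomatch --global`
# stdout: each distinct picomatch version lower than $FIXED, one per line
vulnerable_picomatch_versions() {
  grep -oE 'picomatch@[0-9]+\.[0-9]+\.[0-9]+' \
    | cut -d@ -f2 \
    | sort -uV \
    | while read -r v; do
        # Version sort, not string compare: "4.0.10" must rank above "4.0.4".
        lowest=$(printf '%s\n%s\n' "$v" "$FIXED" | sort -V | head -n1)
        if [ "$v" != "$FIXED" ] && [ "$lowest" = "$v" ]; then
          printf '%s\n' "$v"
        fi
      done
}

# stdin: same npm ls output; exit 0 only when nothing below $FIXED is bundled
safe_to_remove_ignore() {
  [ -z "$(vulnerable_picomatch_versions)" ]
}

# Constructed samples (package names and versions other than picomatch's
# are placeholders, not taken from a real image).
SAMPLE_OLD='/usr/local/lib
`-- npm@0.0.0-example
  +-- picomatch@4.0.3
  `-- example-dep@0.0.0
    `-- picomatch@4.0.3 deduped'

SAMPLE_FIXED='/usr/local/lib
`-- npm@0.0.0-example
  +-- picomatch@4.0.4
  `-- example-dep@0.0.0
    `-- picomatch@4.0.10'

# Live use (needs Docker and network access, so it is not run here):
#   docker run --rm node:25-bookworm-slim npm ls picomatch --global \
#     | safe_to_remove_ignore \
#     && echo "remove the CVE-2026-33671 entry from .trivyignore, then run: make scan"
```

Empty input also passes the check, so confirm the `docker run` command itself succeeded before acting on the result.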