I was visiting https://hub.docker.com/r/library/kong/tags/ today to look up an upgrade, but I saw a “This image has vulnerabilities” tip for every newer version. Can anyone have a look?
The components flagged by Docker are from the upstream CentOS/Alpine repositories. We (and all other Docker image authors who use CentOS/Alpine bases) rely on the authors of those images and distribution package maintainers to correct those vulnerabilities. Docker Hub rebuilds images dependent on those base images when they receive updates for the bases.
We handle issues in the components we produce, i.e. the Kong code itself.
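One way to check this split for an image you run is to attribute each scanner finding to a layer inherited from the base image or to a layer added on top of it. This is an added example, not part of the thread or Kong's tooling; the finding record shape, layer digests and finding IDs are constructed, and the ordered layer lists are assumed to come from `docker image inspect` (`RootFS.Layers`) for the base and the derived image.

```python
from collections import defaultdict


def split_layers(base_layers, image_layers):
    """Split an image's ordered layer digests into (inherited, added)."""
    n = len(base_layers)
    if image_layers[:n] != base_layers:
        # The image was built on a different build of the base than the one
        # being compared, so layer positions cannot be attributed safely.
        raise ValueError("image does not start with these base layers")
    return image_layers[:n], image_layers[n:]


def attribute_findings(base_layers, image_layers, findings):
    """Group finding IDs by who ships the layer that introduced the package."""
    inherited, added = split_layers(base_layers, image_layers)
    owner = {digest: "base" for digest in inherited}
    owner.update({digest: "image" for digest in added})
    groups = defaultdict(list)
    for finding in findings:
        # A finding that points at a layer outside this image is reported as
        # "unknown" rather than silently assigned to either side.
        groups[owner.get(finding["layer"], "unknown")].append(finding["id"])
    return dict(groups)


# Constructed sample data (hypothetical digests, packages and finding IDs).
BASE = ["sha256:aaa-constructed", "sha256:bbb-constructed"]
IMAGE = BASE + ["sha256:ccc-constructed", "sha256:ddd-constructed"]
FINDINGS = [
    {"id": "FINDING-1", "package": "os-lib-a", "layer": "sha256:aaa-constructed"},
    {"id": "FINDING-2", "package": "os-lib-b", "layer": "sha256:bbb-constructed"},
    {"id": "FINDING-3", "package": "app-dep", "layer": "sha256:ddd-constructed"},
    {"id": "FINDING-4", "package": "stale", "layer": "sha256:zzz-constructed"},
]

if __name__ == "__main__":
    for owner, ids in attribute_findings(BASE, IMAGE, FINDINGS).items():
        print(f"{owner}: {', '.join(ids)}")
```

Findings under `base` are the ones a base-image update and rebuild would address; a `ValueError` means the image was built on a different build of the base than the one compared.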