Upgrade snyk-broker to v1.0.13-axon and bump Go to 1.26.3#101
Open
ashiramin wants to merge 2 commits into
Conversation
Picks up two upstream changes:

- uuid bumped from 8.3.x to 14.0.0 to address GHSA-w5hq-g745-h8pq (missing buffer bounds check in v3/v5/v6 when buf is provided). Trivy was flagging this on the daily scan since the advisory was published.
- TypeScript bumped from 4.9.3 to 5.6.0 (4.9 is past EOL; required for uuid 14's modern .d.ts syntax).

Image rebuild side-effect: a fresh `apt-get update && upgrade -y` in the Dockerfile runtime stage will also refresh `linux-libc-dev`, addressing the 95 fixable CRITICAL/HIGH CVEs that are accumulating on the published `:main` image since the last build (April 22).
30b09ed to 5d2075c
Three image-level security fixes rolled into one PR.

snyk-broker v1.0.11-axon → v1.0.13-axon picks up:

- cortexapps/snyk-broker#20: uuid 8.3.x → 14.0.0 to address GHSA-w5hq-g745-h8pq (uuid: missing buffer bounds check in v3/v5/v6). TypeScript also bumped 4.9.3 → 5.6.0 (EOL).
- cortexapps/snyk-broker#22: axios → ^1.16.0 to address 13 axios CVEs (CVE-2026-42033 through 42044 plus 42264).

Go 1.26.2 → 1.26.3 addresses 8 stdlib CVEs flagged on the image: CVE-2026-33811, 33814, 39820, 39823, 39825, 39826, 39836, 42499. Bumped consistently in `docker/Dockerfile` (both stages), all `go.mod` files (agent, sdks, scaffold, examples), and `.github/workflows/ci.yml`.

Rebuilding the image also runs `apt-get update && upgrade -y`, refreshing `linux-libc-dev` and clearing the linux-libc-dev CVE class that's been accumulating on the published `:main` image since the last build (April 22).
5d2075c to bc45c82
Summary

Three image-level security fixes rolled into one PR.

snyk-broker v1.0.11-axon → v1.0.13-axon

Picks up two upstream PRs:

- cortexapps/snyk-broker#20: uuid 8.3.x → 14.0.0 to address GHSA-w5hq-g745-h8pq (uuid: missing buffer bounds check in v3/v5/v6). TypeScript also bumped 4.9.3 → 5.6.0 (EOL).
- cortexapps/snyk-broker#22: axios → ^1.16.0 to address 13 axios CVEs (CVE-2026-42033 through 42044 plus 42264).

Go 1.26.2 → 1.26.3

Addresses 8 stdlib CVEs flagged on the image: CVE-2026-33811, 33814, 39820, 39823, 39825, 39826, 39836, 42499 — all fixed in Go 1.26.3.

Bumped consistently in `docker/Dockerfile` (both stages), all `go.mod` files (agent, sdks, scaffold, examples), and `.github/workflows/ci.yml`.

Image rebuild side-effect

Rebuilding also runs `apt-get update && upgrade -y` in the runtime stage, refreshing `linux-libc-dev` and clearing the linux-libc-dev CVE class accumulating on `:main` since the last build (April 22).

Test plan

- `trivy-pr` job clears uuid + axios + linux-libc-dev + Go stdlib findings.
- `:main` reports 0 fixable HIGH/CRITICAL CVEs.

🤖 Generated with Claude Code
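An added check (example code, not the PR's or the project's own) for the two claims a reviewer would want to verify here: that the Go bump landed identically in `docker/Dockerfile`, every `go.mod` and `.github/workflows/ci.yml`, and that the image gate fails only on fixable HIGH/CRITICAL findings as the test plan states. The file layouts (a `FROM golang:<ver>` line per stage, a `go <ver>` directive, an actions/setup-go `go-version:` key) and the sample tree are assumptions, not the real repository.

```shell
#!/bin/sh
# Added example, not from the PR. Assumed (constructed) layouts:
#   docker/Dockerfile          FROM golang:<ver> ... in each build stage
#   **/go.mod                  "go <ver>" directive
#   .github/workflows/ci.yml   go-version: '<ver>' (actions/setup-go style)
set -u

# Print every distinct Go version pinned under $1, one per line.
go_versions_in_tree() {
  root="$1"
  {
    grep -hoE '^FROM[[:space:]]+golang:[0-9]+\.[0-9]+\.[0-9]+' \
      "$root/docker/Dockerfile" 2>/dev/null | sed -E 's/.*golang://' || true
    find "$root" -name go.mod -exec \
      grep -hoE '^go[[:space:]]+[0-9]+\.[0-9]+\.[0-9]+' {} + 2>/dev/null \
      | awk '{print $2}' || true
    grep -hoE "go-version:[[:space:]]*['\"]?[0-9]+\.[0-9]+\.[0-9]+" \
      "$root/.github/workflows/ci.yml" 2>/dev/null \
      | grep -oE '[0-9]+\.[0-9]+\.[0-9]+$' || true
  } | sort -u
}

# Succeed only when exactly one version is pinned and it equals $2;
# a go.mod or CI file still on the old toolchain makes this fail.
check_go_consistent() {
  found="$(go_versions_in_tree "$1")"
  [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] && [ "$found" = "$2" ]
}

# Image gate as in the test plan: non-zero exit on any fixable HIGH/CRITICAL
# finding; unfixed ones are reported but do not fail the job. Needs trivy.
scan_image_gate() {
  trivy image --severity HIGH,CRITICAL --ignore-unfixed --exit-code 1 "$1"
}

# Constructed sample tree: $1 = version for Dockerfile/agent/ci.yml,
# $2 = version written into examples/go.mod so drift can be simulated.
make_sample_tree() {
  dir="$(mktemp -d)"
  mkdir -p "$dir/docker" "$dir/.github/workflows" "$dir/agent" "$dir/examples"
  printf 'FROM golang:%s AS build\nRUN go build ./...\nFROM golang:%s\nRUN apt-get update && apt-get upgrade -y\n' \
    "$1" "$1" > "$dir/docker/Dockerfile"
  printf 'module example.com/agent\n\ngo %s\n' "$1" > "$dir/agent/go.mod"
  printf 'module example.com/examples\n\ngo %s\n' "$2" > "$dir/examples/go.mod"
  printf "steps:\n  - uses: actions/setup-go@v5\n    with:\n      go-version: '%s'\n" \
    "$1" > "$dir/.github/workflows/ci.yml"
  printf '%s\n' "$dir"
}
```

Run `check_go_consistent "$(git rev-parse --show-toplevel)" 1.26.3` in CI before `scan_image_gate <image>`; the first catches a half-applied bump, the second the fixable CVEs the PR aims to clear.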