bump mongo to 6.0.27 for CVE-2025-14847 #123

Open
marcos-f7z wants to merge 2 commits into main from mongo-vuln-upgrade

Conversation


@marcos-f7z marcos-f7z commented Dec 27, 2025

GHSA-4742-mr57-2r9j

Greptile Summary

This PR bumps the local development MongoDB Docker image from the floating tag mongo:6.0 to the pinned version mongo:6.0.27 to address CVE-2025-14847 / GHSA-4742-mr57-2r9j. The change is scoped to agentex/docker-compose.yml (local dev environment only).

  • Pins agentex-mongodb service image from mongo:6.0 → mongo:6.0.27, patching the referenced CVE
  • As a side effect, this also improves build reproducibility by removing the floating minor-patch tag, consistent with how other services in the same compose file are pinned (e.g. redis:7.4.0-alpine, temporalio/auto-setup:1.25.0)
  • Note: if MongoDB is also used in staging/production infrastructure (outside this repo), those deployments should be verified separately to ensure the CVE is addressed there as well

Confidence Score: 5/5

Safe to merge — minimal, targeted security patch with no functional risk.

Single-line change pinning MongoDB from a floating tag to a specific patched version. The major/minor line (6.0) is unchanged so there are no compatibility concerns, and pinning improves build reproducibility. No logic, configuration, or API surface is affected.

No files require special attention.

Important Files Changed

Filename: agentex/docker-compose.yml
Overview: Single-line security bump: mongo:6.0 → mongo:6.0.27 to address CVE-2025-14847. Change is correct, minimal, and consistent with other pinned service versions in the file.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["docker-compose.yml\nagentex-mongodb service"] --> B["Before: mongo:6.0\n(floating tag)"]
    A --> C["After: mongo:6.0.27\n(pinned tag — CVE-2025-14847 fix)"]
    B --> D["⚠️ Resolves to latest 6.0.x\nMay include vulnerable builds"]
    C --> E["✅ Pinned to patched build\nReproducible & secure"]
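The floating-tag problem the summary describes (mongo:6.0 resolves to whatever 6.0.x build is newest, so a CVE fix cannot be pinned by tag alone) can be checked mechanically. The following is an added example, not code from the PR or the project: a small linter that flags docker-compose image references that are not pinned to a full patch version or a digest. The compose fragment is constructed from the image names on this page; the service keys other than agentex-mongodb and the busybox entry are assumptions.

```python
import re

# Constructed docker-compose.yml fragment modelled on the services the PR summary
# names (mongo, redis, temporalio/auto-setup); the real file is not on the page.
COMPOSE_BEFORE = """
services:
  agentex-mongodb:
    image: mongo:6.0
  agentex-redis:
    image: redis:7.4.0-alpine
  temporal:
    image: temporalio/auto-setup:1.25.0
  tooling:
    image: busybox
"""
# The state after the PR's one-line change.
COMPOSE_AFTER = COMPOSE_BEFORE.replace("mongo:6.0\n", "mongo:6.0.27\n")

IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s#]+)")
PATCH_RE = re.compile(r"^v?\d+\.\d+\.\d+")                 # major.minor.patch[-suffix]
LINE_RE = re.compile(r"^v?\d+(\.\d+)?(-[A-Za-z0-9.]+)?$")  # major or major.minor only


def classify_image(ref: str) -> str:
    """Return 'digest', 'pinned' or 'floating' for one image reference."""
    if "@sha256:" in ref:
        return "digest"                  # content-addressed: strongest form of pin
    # Split off the tag; a registry host may itself contain ':port'.
    _name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        return "floating"                # no tag at all -> implicit :latest
    if tag == "latest" or LINE_RE.match(tag):
        return "floating"                # follows the newest build on that line
    if PATCH_RE.match(tag):
        return "pinned"
    return "floating"                    # unrecognised scheme: treat conservatively


def find_floating_images(compose_text: str) -> list[tuple[int, str]]:
    """Return (line_number, image_ref) for every image that is not pinned."""
    hits = []
    for lineno, line in enumerate(compose_text.splitlines(), start=1):
        m = IMAGE_RE.match(line)
        if m and classify_image(m.group(1)) == "floating":
            hits.append((lineno, m.group(1)))
    return hits


if __name__ == "__main__":
    for label, text in (("before", COMPOSE_BEFORE), ("after", COMPOSE_AFTER)):
        print(label, find_floating_images(text))
```

Run against a real compose file, the remaining hits are the services whose effective version still changes on every pull; a digest pin (`image@sha256:...`) is the only form that survives a tag being re-pushed.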

Reviews (1): Last reviewed commit: "Merge branch 'main' into mongo-vuln-upgr..."

@marcos-f7z marcos-f7z requested a review from a team as a code owner December 27, 2025 18:52

2 participants