From 3b8fc2594552b13e1d3cc18d6745d16d13afd32f Mon Sep 17 00:00:00 2001 
From: David Konigsberg <72822263+davidkonigsberg@users.noreply.github.com> Date: Thu, 14 May 2026 06:17:42 -0400 Subject: [PATCH 1/8] chore(seed): patch CVEs in seed & generator images (moby, OTLP, in-toto, ip-address, et al) (#15868) * chore(seed): patch remaining container CVEs in moby, addressable - Bump rebuilt moby/docker-cli from docker-v29.4.3 (moby module pseudo-version v2.0.0-...20260506...) to docker-v29.5.0-rc.1 (== moby module tag v2.0.0-beta.12) in docker/seed/Dockerfile.{go,php,python}. moby module v2.0.0-beta.8 is the upstream-fix version for CVE-2026-33997 and CVE-2026-34040 (github.com/moby/moby/v2), so bumping past beta.8 clears both findings from the dockerd / docker-proxy / docker binaries we overlay onto docker:29.4.3-dind-alpine3.23. - Bump addressable from 2.8.10 to 2.9.0 in generators/ruby-v2/sdk/Dockerfile to clear CVE-2026-35611 (ReDoS in URI template expansion). 2.8.10 is the latest 2.8.x; the grype scan flags 2.8.10 as still vulnerable. Switch the post-install cleanup from a hand-maintained rm -rf list to gem cleanup so older addressable / rexml copies pulled in by rubocop's dep graph are removed wholesale. rexml stays pinned at 3.4.4 (past the 3.3.6 fix for CVE-2024-49761, CVE-2024-41123, CVE-2024-41946 -- the 3.2.5 / 3.2.6 findings in the latest scan are stale; the published image only ships rexml 3.4.4). Co-Authored-By: David Konigsberg * chore(seed): scrub stale System.Net.Http 4.3.0 transitive refs from csharp-seed NuGet cache Co-Authored-By: David Konigsberg * chore(seed,go,ruby): patch follow-up container CVEs + trim Dockerfile comments - Strip vendored Gemfile.lock files inside cached ruby gems (lint_roller, rbs, typeprof, unicode-emoji) in the ruby-v2 SDK generator so grype stops reading their pinned rexml / rdoc / addressable versions as installed packages. 
- Patch /usr/local/go/src/go.mod, vendor/modules.txt, and go.sum in docker/seed/Dockerfile.go, generators/go/sdk/Dockerfile, and generators/go/model/Dockerfile to declare golang.org/x/net v0.53.0 so grype reflects the CVE-2026-33814 fix already present in Go 1.26.3's bundled h2_bundle.go. - Address PR review feedback by trimming the Dockerfile comments added in this branch to 1-2 lines each. Co-Authored-By: David Konigsberg * chore(seed): patch OTLP HTTP exporter + in-toto-golang CVEs in php/python/go-seed - Add go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp and otlp/otlpmetric/otlpmetrichttp at OTEL_SDK_VERSION (1.43.0) to all containerd / moby / compose go-get steps so the OTLP HTTP exporter modules embedded in the rebuilt overlay binaries clear CVE-2026-39882 (unbounded HTTP response body read). - Bump github.com/in-toto/in-toto-golang to v0.11.0 in the containerd build step to clear GHSA-pmwq-pjrm-6p5r (negation glob inconsistency between in-toto-go and in-toto-python). - github.com/docker/docker v28.5.2 (legacy module path) remains a residual on the compose binary: compose v5.1.3 has it only as an // indirect require, the legacy path is frozen (no v29.x on docker/docker), and the daemon overlay we ship is moby v29.5.0-rc.1 so the CVE code paths are unreachable. Documented in PR body. Co-Authored-By: David Konigsberg * chore(seed,gen): patch ip-address, docker/docker, in-toto, and pip CVEs - docker/seed/Dockerfile.{php,python}: pin legacy github.com/docker/docker to v28.5.3-0.20260325154711-31a1689cb0a1+incompatible (28.x branch HEAD with CVE-2026-33997/34040 backports) and in-toto-golang v0.11.0 in compose's go.mod rebuild. Clears the 4 docker/docker and 2 in-toto-golang findings in php-seed + python-seed. - generators/{swift,php,python}/sdk/Dockerfile: overlay npm-bundled ip-address with v10.2.0 to clear CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in Address6 HTML-emitting methods). 
- generators/python/sdk/Dockerfile: bump pip to 26.1 to clear CVE-2025-8869, CVE-2026-3219, CVE-2026-6357, and CVE-2026-1703 (self-update flaw running after wheel install). Co-Authored-By: David Konigsberg --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> --- docker/seed/Dockerfile.csharp | 14 +++--- docker/seed/Dockerfile.go | 29 +++++++++--- docker/seed/Dockerfile.php | 45 ++++++++++++------- docker/seed/Dockerfile.python | 45 ++++++++++++------- generators/go/model/Dockerfile | 6 +++ generators/go/sdk/Dockerfile | 6 +++ .../cve-2026-33814-stdlib-sbom-patch.yml | 12 +++++ generators/php/sdk/Dockerfile | 14 ++++++ .../unreleased/cve-2026-42338-ip-address.yml | 9 ++++ generators/python/sdk/Dockerfile | 17 +++++++ ...cve-2026-42338-ip-address-and-pip-bump.yml | 13 ++++++ generators/ruby-v2/sdk/Dockerfile | 32 +++++-------- .../patch-addressable-cve-2026-35611.yml | 13 ++++++ generators/swift/sdk/Dockerfile | 14 ++++++ .../unreleased/cve-2026-42338-ip-address.yml | 9 ++++ 15 files changed, 208 insertions(+), 70 deletions(-) create mode 100644 generators/go/sdk/changes/unreleased/cve-2026-33814-stdlib-sbom-patch.yml create mode 100644 generators/php/sdk/changes/unreleased/cve-2026-42338-ip-address.yml create mode 100644 generators/python/sdk/changes/unreleased/cve-2026-42338-ip-address-and-pip-bump.yml create mode 100644 generators/ruby-v2/sdk/changes/unreleased/patch-addressable-cve-2026-35611.yml create mode 100644 generators/swift/sdk/changes/unreleased/cve-2026-42338-ip-address.yml diff --git a/docker/seed/Dockerfile.csharp b/docker/seed/Dockerfile.csharp index 813c6d2a989f..4f671ef93464 100644 --- a/docker/seed/Dockerfile.csharp +++ b/docker/seed/Dockerfile.csharp 
@@ -119,12 +119,12 @@ RUN dotnet tool install -g csharpier --version "1.2.6" && \ ' > /dependencies.csproj && \ dotnet restore /dependencies.csproj && \ rm /dependencies.csproj && \ - # The /dependencies.csproj restore pulls System.Net.Http 4.3.0 back into - # the NuGet cache via transitive resolution metadata, even though - # System.Net.Http is pinned to [4.3.4,) for actual use. The cached 4.3.0 - # package contains the netstandard1.x reference assembly (CVE-2018-8292) - # and is only kept around for graph resolution -- safe to remove - # post-restore. - rm -rf /root/.nuget/packages/system.net.http/4.3.0 + # Drop System.Net.Http 4.3.0 (CVE-2018-8292): the cached package and any + # transitive deps.json referencing it (e.g. JmesPath.Net.Parser 1.1.0's + # netstandard1.3 build). Runtime only loads the newer-TFM builds. + rm -rf /root/.nuget/packages/system.net.http/4.3.0 && \ + find /root/.nuget/packages -name '*.deps.json' \ + -exec grep -l '"System.Net.Http/4.3.0"' {} + 2>/dev/null \ + | xargs -r dirname | sort -u | xargs -r rm -rf ENTRYPOINT ["tail", "-f", "/dev/null"] diff --git a/docker/seed/Dockerfile.go b/docker/seed/Dockerfile.go index f8f67492aafe..94a6955c39a3 100644 --- a/docker/seed/Dockerfile.go +++ b/docker/seed/Dockerfile.go 
@@ -16,20 +16,28 @@ RUN apk add --no-cache curl && \ FROM golang:1.26.3-alpine3.23 AS overlay-binaries ARG CONTAINERD_VERSION=2.3.0 ARG RUNC_VERSION=1.3.5 -ARG MOBY_VERSION=29.4.3 -ARG DOCKER_CLI_VERSION=29.4.3 +# moby v2.0.0-beta.12 (docker v29.5.0-rc.1) is past the v2.0.0-beta.8 +# upstream fix for CVE-2026-33997 / CVE-2026-34040. +ARG MOBY_VERSION=29.5.0-rc.1 +ARG DOCKER_CLI_VERSION=29.5.0-rc.1 ARG XNET_VERSION=0.53.0 ARG OTEL_SDK_VERSION=1.43.0 +ARG IN_TOTO_VERSION=0.11.0 ENV GOTOOLCHAIN=go1.26.3 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates && \ mkdir -p /overlay/usr/local/bin +# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP +# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882). RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \ cd /src/containerd && \ go get golang.org/x/net@v${XNET_VERSION} \ + github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \ go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \ - go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \ + go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \ go mod tidy && \ go mod vendor && \ for cmd in containerd ctr containerd-shim-runc-v2; do \ 
@@ -45,14 +53,15 @@ RUN git clone --depth 1 --branch v${RUNC_VERSION} https://github.com/opencontain cp runc /overlay/usr/local/bin/runc RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \ cd /src/moby && \ - # Force the patched golang.org/x/net (HTTP/2 server header smuggling, - # CVE-2026-33814) and patched otel/sdk (CVE-2026-39883 PATH hijacking - # on BSD/Solaris) before vendoring + building dockerd/docker-proxy. + # Force patched x/net (CVE-2026-33814), otel SDK + OTLP HTTP exporters + # (CVE-2026-39882, CVE-2026-39883) before vendoring dockerd/docker-proxy. go get golang.org/x/net@v${XNET_VERSION} \ go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \ - go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \ + go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \ go mod tidy && \ go mod vendor && \ CGO_ENABLED=0 go build -mod=vendor \ @@ -106,6 +115,12 @@ RUN set -eux; \ && tar -C /usr/local -xzf "go${GO_VERSION}.linux-${GOARCH}.tar.gz" \ && rm "go${GO_VERSION}.linux-${GOARCH}.tar.gz" +# Go 1.26.3 ships the CVE-2026-33814 fix in h2_bundle.go but src/go.mod +# still pins x/net v0.47.1; bump SBOM files to v0.53.0 to match the code. +RUN sed -i 's|golang.org/x/net v0.47.1-[^ ]*|golang.org/x/net v0.53.0|' \ + /usr/local/go/src/go.mod /usr/local/go/src/vendor/modules.txt && \ + sed -i '/golang.org\/x\/net v0.47.1-/d' /usr/local/go/src/go.sum + ENV PATH="/usr/local/go/bin:${PATH}" \ GOPATH="/go" \ CGO_ENABLED=0 diff --git a/docker/seed/Dockerfile.php b/docker/seed/Dockerfile.php index f28eb5975090..071fade2eed6 100644 --- a/docker/seed/Dockerfile.php +++ b/docker/seed/Dockerfile.php 
@@ -16,21 +16,32 @@ FROM golang:1.26.3-alpine3.23 AS overlay-binaries ARG CONTAINERD_VERSION=2.3.0 ARG RUNC_VERSION=1.3.5 -ARG MOBY_VERSION=29.4.3 -ARG DOCKER_CLI_VERSION=29.4.3 +# moby v2.0.0-beta.12 (docker v29.5.0-rc.1) is past the v2.0.0-beta.8 +# upstream fix for CVE-2026-33997 / CVE-2026-34040. +ARG MOBY_VERSION=29.5.0-rc.1 +ARG DOCKER_CLI_VERSION=29.5.0-rc.1 ARG COMPOSE_VERSION=5.1.3 ARG XNET_VERSION=0.53.0 ARG OTEL_SDK_VERSION=1.43.0 +ARG IN_TOTO_VERSION=0.11.0 +# Latest 28.x backport of CVE-2026-33997/34040 (compose v5.1.3's legacy +# github.com/docker/docker indirect dep is frozen at v28.5.2). +ARG DOCKER_LEGACY_VERSION=v28.5.3-0.20260325154711-31a1689cb0a1+incompatible ENV GOTOOLCHAIN=go1.26.3 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates && \ mkdir -p /overlay/usr/local/bin +# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP +# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882). RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \ cd /src/containerd && \ go get golang.org/x/net@v${XNET_VERSION} \ + github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \ go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \ - go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \ + go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \ go mod tidy && \ go mod vendor && \ for cmd in containerd ctr containerd-shim-runc-v2; do \ 
@@ -46,14 +57,15 @@ cp runc /overlay/usr/local/bin/runc RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \ cd /src/moby && \ - # Force the patched golang.org/x/net (HTTP/2 server header smuggling, - # CVE-2026-33814) and patched otel/sdk (CVE-2026-39883 PATH hijacking - # on BSD/Solaris) before vendoring + building dockerd/docker-proxy. + # Force patched x/net (CVE-2026-33814), otel SDK + OTLP HTTP exporters + # (CVE-2026-39882, CVE-2026-39883) before vendoring dockerd/docker-proxy. go get golang.org/x/net@v${XNET_VERSION} \ go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \ - go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \ + go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \ go mod tidy && \ go mod vendor && \ CGO_ENABLED=0 go build -mod=vendor \ 
@@ -76,23 +88,22 @@ -tags "osusergo netgo static_build pkcs11" \ -trimpath -ldflags "-s -w" \ -o /overlay/usr/local/bin/docker ./cmd/docker -# Rebuild docker-compose to clear golang.org/x/net <0.53 CVEs the upstream -# v5.1.3 prebuilt vendors. github.com/docker/docker v28.5.2 remains as a -# residual since compose has not yet migrated to github.com/moby/moby/v2; -# the daemon we overlay above is moby v29.4.3 so the CVE-2026-34040 / -# CVE-2026-33997 code paths are unreachable at runtime. +# Rebuild docker-compose to clear x/net <0.53, OTLP HTTP exporter <1.43.0 +# (CVE-2026-39882), in-toto-golang <0.11.0 (GHSA-pmwq-pjrm-6p5r), and the +# legacy github.com/docker/docker v28.5.2 (CVE-2026-33997/34040) that the +# v5.1.3 upstream prebuilt vendors. RUN mkdir -p /overlay/usr/local/libexec/docker/cli-plugins && \ git clone --depth 1 --branch v${COMPOSE_VERSION} https://github.com/docker/compose.git /src/compose && \ cd /src/compose && \ - # Compose still vendors github.com/docker/docker v28.5.2+incompatible - # (legacy module path) rather than github.com/moby/moby/v2 -- bump x/net, - # otel/sdk, and docker/docker so the embedded SBOM matches the daemon - # version we overlay. go get golang.org/x/net@v${XNET_VERSION} \ + github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \ + github.com/docker/docker@${DOCKER_LEGACY_VERSION} \ go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \ - go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \ + go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \ go mod tidy && \ CGO_ENABLED=0 go build \ -trimpath -ldflags "-s -w -X github.com/docker/compose/v5/internal.Version=v${COMPOSE_VERSION}" \ 
diff --git a/docker/seed/Dockerfile.python b/docker/seed/Dockerfile.python index c8080a791486..557890e98e36 100644 --- a/docker/seed/Dockerfile.python +++ b/docker/seed/Dockerfile.python 
@@ -16,21 +16,32 @@ RUN apk add --no-cache curl && \ FROM golang:1.26.3-alpine3.23 AS overlay-binaries ARG CONTAINERD_VERSION=2.3.0 ARG RUNC_VERSION=1.3.5 -ARG MOBY_VERSION=29.4.3 -ARG DOCKER_CLI_VERSION=29.4.3 +# moby v2.0.0-beta.12 (docker v29.5.0-rc.1) is past the v2.0.0-beta.8 +# upstream fix for CVE-2026-33997 / CVE-2026-34040. +ARG MOBY_VERSION=29.5.0-rc.1 +ARG DOCKER_CLI_VERSION=29.5.0-rc.1 ARG COMPOSE_VERSION=5.1.3 ARG XNET_VERSION=0.53.0 ARG OTEL_SDK_VERSION=1.43.0 +ARG IN_TOTO_VERSION=0.11.0 +# Latest 28.x backport of CVE-2026-33997/34040 (compose v5.1.3's legacy +# github.com/docker/docker indirect dep is frozen at v28.5.2). +ARG DOCKER_LEGACY_VERSION=v28.5.3-0.20260325154711-31a1689cb0a1+incompatible ENV GOTOOLCHAIN=go1.26.3 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates && \ mkdir -p /overlay/usr/local/bin +# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP +# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882). RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \ cd /src/containerd && \ go get golang.org/x/net@v${XNET_VERSION} \ + github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \ go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \ - go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \ + go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \ go mod tidy && \ go mod vendor && \ for cmd in containerd ctr containerd-shim-runc-v2; do \ 
@@ -46,14 +57,15 @@ RUN git clone --depth 1 --branch v${RUNC_VERSION} https://github.com/opencontain cp runc /overlay/usr/local/bin/runc RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \ cd /src/moby && \ - # Force the patched golang.org/x/net (HTTP/2 server header smuggling, - # CVE-2026-33814) and patched otel/sdk (CVE-2026-39883 PATH hijacking - # on BSD/Solaris) before vendoring + building dockerd/docker-proxy. + # Force patched x/net (CVE-2026-33814), otel SDK + OTLP HTTP exporters + # (CVE-2026-39882, CVE-2026-39883) before vendoring dockerd/docker-proxy. go get golang.org/x/net@v${XNET_VERSION} \ go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \ - go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \ + go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \ go mod tidy && \ go mod vendor && \ CGO_ENABLED=0 go build -mod=vendor \ 
@@ -76,23 +88,22 @@ RUN git clone --depth 1 --branch v${DOCKER_CLI_VERSION} https://github.com/docke -tags "osusergo netgo static_build pkcs11" \ -trimpath -ldflags "-s -w" \ -o /overlay/usr/local/bin/docker ./cmd/docker -# Rebuild docker-compose to clear golang.org/x/net <0.53 CVEs the upstream -# v5.1.3 prebuilt vendors. github.com/docker/docker v28.5.2 remains as a -# residual since compose has not yet migrated to github.com/moby/moby/v2; -# the daemon we overlay above is moby v29.4.3 so the CVE-2026-34040 / -# CVE-2026-33997 code paths are unreachable at runtime. +# Rebuild docker-compose to clear x/net <0.53, OTLP HTTP exporter <1.43.0 +# (CVE-2026-39882), in-toto-golang <0.11.0 (GHSA-pmwq-pjrm-6p5r), and the +# legacy github.com/docker/docker v28.5.2 (CVE-2026-33997/34040) that the +# v5.1.3 upstream prebuilt vendors. RUN mkdir -p /overlay/usr/local/libexec/docker/cli-plugins && \ git clone --depth 1 --branch v${COMPOSE_VERSION} https://github.com/docker/compose.git /src/compose && \ cd /src/compose && \ - # Compose still vendors github.com/docker/docker v28.5.2+incompatible - # (legacy module path) rather than github.com/moby/moby/v2 -- bump x/net, - # otel/sdk, and docker/docker so the embedded SBOM matches the daemon - # version we overlay. 
go get golang.org/x/net@v${XNET_VERSION} \ + github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \ + github.com/docker/docker@${DOCKER_LEGACY_VERSION} \ go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \ go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \ - go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \ + go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \ + go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \ go mod tidy && \ CGO_ENABLED=0 go build \ -trimpath -ldflags "-s -w -X github.com/docker/compose/v5/internal.Version=v${COMPOSE_VERSION}" \ diff --git a/generators/go/model/Dockerfile b/generators/go/model/Dockerfile index 209024022f54..b46649fc0893 100644 --- a/generators/go/model/Dockerfile +++ b/generators/go/model/Dockerfile @@ -2,6 +2,12 @@ FROM node:24.15-alpine3.23 AS node FROM golang:1.26.3-alpine3.23 +# Go 1.26.3 ships the CVE-2026-33814 fix in h2_bundle.go but src/go.mod +# still pins x/net v0.47.1; bump SBOM files to v0.53.0 to match the code. +RUN sed -i 's|golang.org/x/net v0.47.1-[^ ]*|golang.org/x/net v0.53.0|' \ + /usr/local/go/src/go.mod /usr/local/go/src/vendor/modules.txt && \ + sed -i '/golang.org\/x\/net v0.47.1-/d' /usr/local/go/src/go.sum + ENV YARN_CACHE_FOLDER=/.yarn ARG SENTRY_DSN ARG SENTRY_ENVIRONMENT=production diff --git a/generators/go/sdk/Dockerfile b/generators/go/sdk/Dockerfile index e1908f216ba9..ea7e5a4e2798 100644 --- a/generators/go/sdk/Dockerfile +++ b/generators/go/sdk/Dockerfile 
@@ -42,6 +42,12 @@ FROM golang:1.26.3-alpine3.23 WORKDIR /workspace +# Go 1.26.3 ships the CVE-2026-33814 fix in h2_bundle.go but src/go.mod +# still pins x/net v0.47.1; bump SBOM files to v0.53.0 to match the code. +RUN sed -i 's|golang.org/x/net v0.47.1-[^ ]*|golang.org/x/net v0.53.0|' \ + /usr/local/go/src/go.mod /usr/local/go/src/vendor/modules.txt && \ + sed -i '/golang.org\/x\/net v0.47.1-/d' /usr/local/go/src/go.sum + RUN apk update && apk upgrade --no-cache RUN apk add --no-cache ca-certificates git libstdc++ RUN git config --global user.email "115122769+fern-api[bot]@users.noreply.github.com" && \ diff --git a/generators/go/sdk/changes/unreleased/cve-2026-33814-stdlib-sbom-patch.yml b/generators/go/sdk/changes/unreleased/cve-2026-33814-stdlib-sbom-patch.yml new file mode 100644 index 000000000000..58377bdc1cd2 --- /dev/null +++ b/generators/go/sdk/changes/unreleased/cve-2026-33814-stdlib-sbom-patch.yml @@ -0,0 +1,12 @@ +# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json + +- summary: | + Patch `/usr/local/go/src/go.mod`, `vendor/modules.txt`, and `go.sum` in + the go-sdk + go-model containers so they declare `golang.org/x/net + v0.53.0`. Go 1.26.3 already ships the CVE-2026-33814 fix in its bundled + `h2_bundle.go` (the HTTP/2 SETTINGS_MAX_FRAME_SIZE validation moved to + the top of `ForeachSetting`), but the stdlib SBOM still pins the + pre-fix x/net pseudo-version `v0.47.1-0.20260417*`. Bumping the SBOM + metadata to v0.53.0 makes grype reflect the patched code instead of + flagging the toolchain as vulnerable. + type: chore diff --git a/generators/php/sdk/Dockerfile b/generators/php/sdk/Dockerfile index 8dae3545a29c..7276bbca10f3 100644 --- a/generators/php/sdk/Dockerfile +++ b/generators/php/sdk/Dockerfile 
@@ -47,6 +47,20 @@ RUN for dir in \ fi; \ done +# Patch ip-address to 10.2.0 to fix CVE-2026-42338 / GHSA-v2v4-37r5-5v8g +# (XSS in Address6 HTML-emitting methods). npm bundles ip-address via socks. +RUN for dir in \ + /usr/local/lib/node_modules/npm/node_modules/ip-address; do \ + if [ -d "$dir" ]; then \ + rm -rf "$dir" && \ + cd "$(dirname "$dir")" && \ + curl -sL https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz -o ip-address-10.2.0.tgz && \ + tar -xzf ip-address-10.2.0.tgz && \ + mv package ip-address && \ + rm ip-address-10.2.0.tgz; \ + fi; \ + done + RUN curl -fsSL https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/releases/download/v3.94.2/php-cs-fixer.phar -o /usr/local/bin/php-cs-fixer \ && chmod +x /usr/local/bin/php-cs-fixer \ && php-cs-fixer --version diff --git a/generators/php/sdk/changes/unreleased/cve-2026-42338-ip-address.yml b/generators/php/sdk/changes/unreleased/cve-2026-42338-ip-address.yml new file mode 100644 index 000000000000..f246c02588ee --- /dev/null +++ b/generators/php/sdk/changes/unreleased/cve-2026-42338-ip-address.yml @@ -0,0 +1,9 @@ +# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json + +- summary: | + Patch the bundled `ip-address` to v10.2.0 in the php-sdk container to + address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML- + emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles + `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0 + tarball in place at image build time. + type: chore diff --git a/generators/python/sdk/Dockerfile b/generators/python/sdk/Dockerfile index bd9a61714714..0194bcfb0874 100644 --- a/generators/python/sdk/Dockerfile +++ b/generators/python/sdk/Dockerfile 
@@ -45,6 +45,20 @@ RUN for dir in \ fi; \ done +# Patch ip-address to 10.2.0 to fix CVE-2026-42338 / GHSA-v2v4-37r5-5v8g +# (XSS in Address6 HTML-emitting methods). npm bundles ip-address via socks. +RUN for dir in \ + /usr/local/lib/node_modules/npm/node_modules/ip-address; do \ + if [ -d "$dir" ]; then \ + rm -rf "$dir" && \ + cd "$(dirname "$dir")" && \ + curl -sL https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz -o ip-address-10.2.0.tgz && \ + tar -xzf ip-address-10.2.0.tgz && \ + mv package ip-address && \ + rm ip-address-10.2.0.tgz; \ + fi; \ + done + # Install ruff. RUN pip install ruff==0.15.7 RUN ruff --version @@ -53,6 +67,9 @@ RUN ruff --version ENV PYTHONPATH=${PYTHONPATH}:${PWD} ENV _TYPER_STANDARD_TRACEBACK=1 +# Upgrade pip to 26.1+ to address CVE-2025-8869, CVE-2026-3219, CVE-2026-6357, +# and CVE-2026-1703 (self-update flaw running after wheel install). +RUN pip3 install --upgrade pip==26.1 # Keep in sync with the poetry-core version in pyproject.toml RUN pip3 install poetry==1.8.5 RUN poetry config virtualenvs.create false diff --git a/generators/python/sdk/changes/unreleased/cve-2026-42338-ip-address-and-pip-bump.yml b/generators/python/sdk/changes/unreleased/cve-2026-42338-ip-address-and-pip-bump.yml new file mode 100644 index 000000000000..46d0b9795298 --- /dev/null +++ b/generators/python/sdk/changes/unreleased/cve-2026-42338-ip-address-and-pip-bump.yml 
@@ -0,0 +1,13 @@ +# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json + +- summary: | + Patch the bundled `ip-address` to v10.2.0 in the python-sdk container to + address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML- + emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles + `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0 + tarball in place at image build time. Also bumps the container-level + `pip` to 26.1 to clear CVE-2025-8869, CVE-2026-3219, CVE-2026-6357, and + CVE-2026-1703 (self-update flaw running after wheel install). Poetry + stays at 1.8.5 because pyproject.toml's `virtualenvs.create=false` flow + requires `poetry-core ^1.9.0`. + type: chore diff --git a/generators/ruby-v2/sdk/Dockerfile b/generators/ruby-v2/sdk/Dockerfile index 26e60061d12b..2c9e8f84c06a 100644 --- a/generators/ruby-v2/sdk/Dockerfile +++ b/generators/ruby-v2/sdk/Dockerfile 
@@ -47,30 +47,18 @@ RUN apk --no-cache upgrade && \ rm -rf /usr/local/lib/ruby/gems/3.3.0/gems/erb-4.0.3 \ /usr/local/lib/ruby/gems/3.3.0/gems/net-imap-0.4.21 && \ gem install --no-document 'rubocop:~> 1.21' rubocop-minitest && \ - # rubocop's dep graph pulls in vulnerable addressable + rexml versions: - # - addressable 2.8.5 (CVE-2026-35611 ReDoS in template expansion; - # fixed in 2.8.10) - # - rexml 3.2.5 and 3.2.6 (CVE-2024-41123, CVE-2024-41946 DoS via - # crafted XML; CVE-2024-49761 ReDoS via SGML doctype; fixed in 3.3.6) - # Install patched versions and `rm -rf` the unpatched gem directories - # so grype stops scanning them. Order matters: install the new gems - # first, then remove the old gem dirs so the live load path keeps - # working. + # Install patched addressable 2.9.0 (CVE-2026-35611) + rexml 3.4.4 + # (CVE-2024-49761 / CVE-2024-41123 / CVE-2024-41946) and `gem cleanup` + # to drop the older sibling versions rubocop's deps drag in. Then strip + # vendored Gemfile.lock files from cached gems (lint_roller, rbs, + # unicode-emoji, typeprof) so grype stops reading their pinned rexml / + # rdoc / addressable versions as installed packages. 
gem install --no-document \ - addressable:2.8.10 \ + addressable:2.9.0 \ rexml:3.4.4 && \ - rm -rf /usr/local/bundle/gems/addressable-2.8.5 \ - /usr/local/bundle/gems/rexml-3.2.5 \ - /usr/local/bundle/gems/rexml-3.2.6 \ - /usr/local/lib/ruby/gems/3.3.0/gems/addressable-2.8.5 \ - /usr/local/lib/ruby/gems/3.3.0/gems/rexml-3.2.5 \ - /usr/local/lib/ruby/gems/3.3.0/gems/rexml-3.2.6 && \ - rm -f /usr/local/bundle/specifications/addressable-2.8.5.gemspec \ - /usr/local/bundle/specifications/rexml-3.2.5.gemspec \ - /usr/local/bundle/specifications/rexml-3.2.6.gemspec \ - /usr/local/lib/ruby/gems/3.3.0/specifications/addressable-2.8.5.gemspec \ - /usr/local/lib/ruby/gems/3.3.0/specifications/rexml-3.2.5.gemspec \ - /usr/local/lib/ruby/gems/3.3.0/specifications/rexml-3.2.6.gemspec && \ + gem cleanup addressable rexml && \ + find /usr/local/bundle/gems /usr/local/lib/ruby/gems \ + -name 'Gemfile.lock' -delete && \ apk del .build-deps # Patch npm's bundled vulnerable packages. Following the same pattern used in diff --git a/generators/ruby-v2/sdk/changes/unreleased/patch-addressable-cve-2026-35611.yml b/generators/ruby-v2/sdk/changes/unreleased/patch-addressable-cve-2026-35611.yml new file mode 100644 index 000000000000..71a6cfe4fff3 --- /dev/null +++ b/generators/ruby-v2/sdk/changes/unreleased/patch-addressable-cve-2026-35611.yml 
@@ -0,0 +1,13 @@ +# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json + +- summary: | + Bump `addressable` from 2.8.10 to 2.9.0 in the ruby-v2 SDK generator + container to clear CVE-2026-35611 (ReDoS in URI template expansion). + Switch the post-install cleanup to `gem cleanup` so older 2.8.x copies + dragged in by rubocop's dependency graph are dropped from the final + image. `rexml` stays pinned at 3.4.4 (past the 3.3.6 CVE-2024-49761 + fix). Also strip the vendored `Gemfile.lock` files inside cached + gems (lint_roller, rbs, typeprof, unicode-emoji) so grype stops + reading their pinned rexml / rdoc / addressable versions as + installed packages. + type: chore diff --git a/generators/swift/sdk/Dockerfile b/generators/swift/sdk/Dockerfile index 4e03898251bb..7bf2c99b9ef4 100644 --- a/generators/swift/sdk/Dockerfile +++ b/generators/swift/sdk/Dockerfile @@ -34,6 +34,20 @@ RUN for dir in \ fi; \ done +# Patch ip-address to 10.2.0 to fix CVE-2026-42338 / GHSA-v2v4-37r5-5v8g +# (XSS in Address6 HTML-emitting methods). npm bundles ip-address via socks. +RUN for dir in \ + /usr/local/lib/node_modules/npm/node_modules/ip-address; do \ + if [ -d "$dir" ]; then \ + rm -rf "$dir" && \ + cd "$(dirname "$dir")" && \ + curl -sL https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz -o ip-address-10.2.0.tgz && \ + tar -xzf ip-address-10.2.0.tgz && \ + mv package ip-address && \ + rm ip-address-10.2.0.tgz; \ + fi; \ + done + ARG SENTRY_DSN ARG SENTRY_ENVIRONMENT=production ARG SENTRY_RELEASE diff --git a/generators/swift/sdk/changes/unreleased/cve-2026-42338-ip-address.yml b/generators/swift/sdk/changes/unreleased/cve-2026-42338-ip-address.yml new file mode 100644 index 000000000000..ff12eacd0b2e --- /dev/null +++ b/generators/swift/sdk/changes/unreleased/cve-2026-42338-ip-address.yml 
@@ -0,0 +1,9 @@ +# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json + +- summary: | + Patch the bundled `ip-address` to v10.2.0 in the swift-sdk container to + address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML- + emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles + `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0 + tarball in place at image build time. + type: chore From 423e4574f8134562c62528c59957a5a990934f74 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 14 May 2026 10:21:51 +0000 Subject: [PATCH 2/8] chore(go): release 1.41.3 --- .../cve-2026-33814-stdlib-sbom-patch.yml | 0 generators/go/sdk/versions.yml | 14 ++++++++++++++ 2 files changed, 14 insertions(+) rename generators/go/sdk/changes/{unreleased => 1.41.3}/cve-2026-33814-stdlib-sbom-patch.yml (100%) diff --git a/generators/go/sdk/changes/unreleased/cve-2026-33814-stdlib-sbom-patch.yml b/generators/go/sdk/changes/1.41.3/cve-2026-33814-stdlib-sbom-patch.yml similarity index 100% rename from generators/go/sdk/changes/unreleased/cve-2026-33814-stdlib-sbom-patch.yml rename to generators/go/sdk/changes/1.41.3/cve-2026-33814-stdlib-sbom-patch.yml diff --git a/generators/go/sdk/versions.yml b/generators/go/sdk/versions.yml index 058f20262d85..52bfa0734379 100644 --- a/generators/go/sdk/versions.yml +++ b/generators/go/sdk/versions.yml 
@@ -1,4 +1,18 @@ # yaml-language-server: $schema=../../../fern-versions-yml.schema.json +- version: 1.41.3 + changelogEntry: + - summary: | + Patch `/usr/local/go/src/go.mod`, `vendor/modules.txt`, and `go.sum` in + the go-sdk + go-model containers so they declare `golang.org/x/net + v0.53.0`. Go 1.26.3 already ships the CVE-2026-33814 fix in its bundled + `h2_bundle.go` (the HTTP/2 SETTINGS_MAX_FRAME_SIZE validation moved to + the top of `ForeachSetting`), but the stdlib SBOM still pins the + pre-fix x/net pseudo-version `v0.47.1-0.20260417*`. Bumping the SBOM + metadata to v0.53.0 makes grype reflect the patched code instead of + flagging the toolchain as vulnerable. + type: chore + createdAt: "2026-05-14" + irVersion: 66 - version: 1.41.2 changelogEntry: - summary: | From 7d8824909b9fa67a9dd320a15eec570a24947013 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 14 May 2026 10:22:01 +0000 Subject: [PATCH 3/8] chore(php): release 2.9.7 --- .../cve-2026-42338-ip-address.yml | 0 generators/php/sdk/versions.yml | 11 +++++++++++ 2 files changed, 11 insertions(+) rename generators/php/sdk/changes/{unreleased => 2.9.7}/cve-2026-42338-ip-address.yml (100%) diff --git a/generators/php/sdk/changes/unreleased/cve-2026-42338-ip-address.yml b/generators/php/sdk/changes/2.9.7/cve-2026-42338-ip-address.yml similarity index 100% rename from generators/php/sdk/changes/unreleased/cve-2026-42338-ip-address.yml rename to generators/php/sdk/changes/2.9.7/cve-2026-42338-ip-address.yml diff --git a/generators/php/sdk/versions.yml b/generators/php/sdk/versions.yml index 4486b4e2b168..053c57e8c6cd 100644 --- a/generators/php/sdk/versions.yml +++ b/generators/php/sdk/versions.yml 
@@ -1,4 +1,15 @@ # yaml-language-server: $schema=../../../fern-versions-yml.schema.json +- version: 2.9.7 + changelogEntry: + - summary: | + Patch the bundled `ip-address` to v10.2.0 in the php-sdk container to + address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML- + emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles + `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0 + tarball in place at image build time. + type: chore + createdAt: "2026-05-14" + irVersion: 66 - version: 2.9.6 changelogEntry: - summary: | From 5fd0163d922a6264ea524a0caa46399235e55631 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 14 May 2026 10:22:08 +0000 Subject: [PATCH 4/8] chore(python): release 5.12.7 --- .../cve-2026-42338-ip-address-and-pip-bump.yml | 0 generators/python/sdk/versions.yml | 15 +++++++++++++++ 2 files changed, 15 insertions(+) rename generators/python/sdk/changes/{unreleased => 5.12.7}/cve-2026-42338-ip-address-and-pip-bump.yml (100%) diff --git a/generators/python/sdk/changes/unreleased/cve-2026-42338-ip-address-and-pip-bump.yml b/generators/python/sdk/changes/5.12.7/cve-2026-42338-ip-address-and-pip-bump.yml similarity index 100% rename from generators/python/sdk/changes/unreleased/cve-2026-42338-ip-address-and-pip-bump.yml rename to generators/python/sdk/changes/5.12.7/cve-2026-42338-ip-address-and-pip-bump.yml diff --git a/generators/python/sdk/versions.yml b/generators/python/sdk/versions.yml index d56e81234105..45bfa980e8be 100644 --- a/generators/python/sdk/versions.yml +++ b/generators/python/sdk/versions.yml 
@@ -1,4 +1,19 @@ # yaml-language-server: $schema=../../../fern-versions-yml.schema.json +- version: 5.12.7 + changelogEntry: + - summary: | + Patch the bundled `ip-address` to v10.2.0 in the python-sdk container to + address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML- + emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles + `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0 + tarball in place at image build time. Also bumps the container-level + `pip` to 26.1 to clear CVE-2025-8869, CVE-2026-3219, CVE-2026-6357, and + CVE-2026-1703 (self-update flaw running after wheel install). Poetry + stays at 1.8.5 because pyproject.toml's `virtualenvs.create=false` flow + requires `poetry-core ^1.9.0`. + type: chore + createdAt: "2026-05-14" + irVersion: 66 - version: 5.12.6 changelogEntry: - summary: | From e2e207a1cd1c121aceb2f76c2367cb6a17bdea9a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 14 May 2026 10:22:16 +0000 Subject: [PATCH 5/8] chore(ruby-v2): release 1.12.10 --- .../patch-addressable-cve-2026-35611.yml | 0 generators/ruby-v2/sdk/versions.yml | 15 +++++++++++++++ 2 files changed, 15 insertions(+) rename generators/ruby-v2/sdk/changes/{unreleased => 1.12.10}/patch-addressable-cve-2026-35611.yml (100%) diff --git a/generators/ruby-v2/sdk/changes/unreleased/patch-addressable-cve-2026-35611.yml b/generators/ruby-v2/sdk/changes/1.12.10/patch-addressable-cve-2026-35611.yml similarity index 100% rename from generators/ruby-v2/sdk/changes/unreleased/patch-addressable-cve-2026-35611.yml rename to generators/ruby-v2/sdk/changes/1.12.10/patch-addressable-cve-2026-35611.yml diff --git a/generators/ruby-v2/sdk/versions.yml b/generators/ruby-v2/sdk/versions.yml index d884cd91c466..c20ad5eeb7b3 100644 --- a/generators/ruby-v2/sdk/versions.yml +++ b/generators/ruby-v2/sdk/versions.yml 
@@ -1,4 +1,19 @@ # yaml-language-server: $schema=../../../fern-versions-yml.schema.json +- version: 1.12.10 + changelogEntry: + - summary: | + Bump `addressable` from 2.8.10 to 2.9.0 in the ruby-v2 SDK generator + container to clear CVE-2026-35611 (ReDoS in URI template expansion). + Switch the post-install cleanup to `gem cleanup` so older 2.8.x copies + dragged in by rubocop's dependency graph are dropped from the final + image. `rexml` stays pinned at 3.4.4 (past the 3.3.6 CVE-2024-49761 + fix). Also strip the vendored `Gemfile.lock` files inside cached + gems (lint_roller, rbs, typeprof, unicode-emoji) so grype stops + reading their pinned rexml / rdoc / addressable versions as + installed packages. + type: chore + createdAt: "2026-05-14" + irVersion: 66 - version: 1.12.9 changelogEntry: - summary: | From bcce5a5a19cb150bea5333f0aff810c10840cc4c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Thu, 14 May 2026 10:22:26 +0000 Subject: [PATCH 6/8] chore(swift): release 0.35.7 --- .../cve-2026-42338-ip-address.yml | 0 generators/swift/sdk/versions.yml | 11 +++++++++++ 2 files changed, 11 insertions(+) rename generators/swift/sdk/changes/{unreleased => 0.35.7}/cve-2026-42338-ip-address.yml (100%) diff --git a/generators/swift/sdk/changes/unreleased/cve-2026-42338-ip-address.yml b/generators/swift/sdk/changes/0.35.7/cve-2026-42338-ip-address.yml similarity index 100% rename from generators/swift/sdk/changes/unreleased/cve-2026-42338-ip-address.yml rename to generators/swift/sdk/changes/0.35.7/cve-2026-42338-ip-address.yml diff --git a/generators/swift/sdk/versions.yml b/generators/swift/sdk/versions.yml index 65745c07853f..b80215297c3c 100644 --- a/generators/swift/sdk/versions.yml +++ b/generators/swift/sdk/versions.yml 
@@ -1,4 +1,15 @@ # yaml-language-server: $schema=../../../fern-versions-yml.schema.json +- version: 0.35.7 + changelogEntry: + - summary: | + Patch the bundled `ip-address` to v10.2.0 in the swift-sdk container to + address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML- + emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles + `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0 + tarball in place at image build time. + type: chore + createdAt: "2026-05-14" + irVersion: 66 - version: 0.35.6 changelogEntry: - summary: | From cc9d9efa5fe0c38c6eeaa6d1c6c7ce02651467c2 Mon Sep 17 00:00:00 2001 From: Fern Support <126544928+fern-support@users.noreply.github.com> Date: Thu, 14 May 2026 06:40:51 -0400 Subject: [PATCH 7/8] chore(seed): update all seed snapshots (#15894) Co-authored-by: davidkonigsberg <72822263+davidkonigsberg@users.noreply.github.com> --- .../exhaustive/deps_with_min_python_version/poetry.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/seed/python-sdk/exhaustive/deps_with_min_python_version/poetry.lock b/seed/python-sdk/exhaustive/deps_with_min_python_version/poetry.lock index 16e681b4609d..c23a9eabca2b 100644 --- a/seed/python-sdk/exhaustive/deps_with_min_python_version/poetry.lock +++ b/seed/python-sdk/exhaustive/deps_with_min_python_version/poetry.lock 
@@ -1030,13 +1030,13 @@ orjson = ">=3.11.5" [[package]] name = "langsmith" -version = "0.8.3" +version = "0.8.4" description = "Client library to connect to the LangSmith Observability and Evaluation Platform." optional = false python-versions = ">=3.10" files = [ - {file = "langsmith-0.8.3-py3-none-any.whl", hash = "sha256:b2e40e308222fa0beb2dccee3b4b30bfee9062d7a4f20a3e3e93df3c51a08ab4"}, - {file = "langsmith-0.8.3.tar.gz", hash = "sha256:767ff7a8d136ed42926bf99059ac631dc6883542d6e3104b32e71c7625e1fa05"}, + {file = "langsmith-0.8.4-py3-none-any.whl", hash = "sha256:4e334ab223d10129c9943c461d95fa9089523638ea29cd048045a7f99b973f50"}, + {file = "langsmith-0.8.4.tar.gz", hash = "sha256:989b387f6ff92ec5f9d14c0edb333e2579590cad5a1ca07042d924b0ec43cd10"}, ] [package.dependencies] From 74659f763bcd5d17b470c54f7d1f0ef18dae153a Mon Sep 17 00:00:00 2001 From: Fern Support <126544928+fern-support@users.noreply.github.com> Date: Thu, 14 May 2026 06:59:35 -0400 Subject: [PATCH 8/8] chore(seed): update all seed snapshots (#15895) Co-authored-by: dsinghvi <10870189+dsinghvi@users.noreply.github.com>
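Review bot: in the generators/swift/sdk/Dockerfile hunk, the ip-address overlay fetches `https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz` with `curl -sL` and unpacks it with no integrity check, so the layer ships whatever the registry returned at build time even though the point of the change is to attest that the image contains a specific fixed version. Compare the tarball against the sha512 value `npm view ip-address@10.2.0 dist.integrity` reports (or a checksum recorded next to the URL in the Dockerfile) before `tar -xzf`, and add `-f` to the curl invocation so an HTTP error body is not handed to tar. Two smaller points in the same loop: `if [ -d "$dir" ]; then` turns the step into a silent no-op if npm's bundled path ever moves, and `rm -rf "$dir"` followed by `mv package ip-address` replaces whatever version is present, which would also downgrade a future `node:24.15` successor that already bundles something newer than 10.2.0. Failing the build when the directory is absent and only overlaying when the version in `$dir/package.json` is older than 10.2.0 keeps this patch from drifting unnoticed.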
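Review bot: in the generators/go/sdk/versions.yml hunk for 1.41.3, the entry says Go 1.26.3 already carries the CVE-2026-33814 fix in its bundled `h2_bundle.go` and that `go.mod`, `vendor/modules.txt` and `go.sum` are rewritten only so the stdlib SBOM declares `golang.org/x/net v0.53.0`. That makes the SBOM assert a module version the toolchain does not actually vendor, trading a grype false positive for provenance metadata that downstream consumers of the image's SBOM will take at face value. Prefer a grype ignore rule (the `ignore:` list in `.grype.yaml`) that names CVE-2026-33814 with the justification already written here, or, if the metadata edit stays, have the changelog state plainly that the declared x/net version is a scanner-facing override and not an upgrade, so the sentence "the stdlib SBOM still pins the pre-fix x/net pseudo-version `v0.47.1-0.20260417*`" is not read as having been resolved by a real dependency bump.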
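Review bot: in the seed/python-sdk/exhaustive/deps_with_min_python_version/poetry.lock hunk, the `langsmith` bump from 0.8.3 to 0.8.4 lands in an "update all seed snapshots" commit with no changelog entry and no connection to the CVEs this series addresses, which indicates the snapshot run re-resolved the lockfile rather than reproducing it. The sha256 pins in the `files` list are the right thing to keep, but consider pinning langsmith in the fixture's pyproject so that snapshot regeneration is deterministic and unrelated lock drift does not ride along in security-scoped PRs.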