[pull] main from fern-api:main#727
Merged
…to, ip-address, et al) (#15868)

* chore(seed): patch remaining container CVEs in moby, addressable

- Bump rebuilt moby/docker-cli from docker-v29.4.3 (moby module pseudo-version v2.0.0-...20260506...) to docker-v29.5.0-rc.1 (== moby module tag v2.0.0-beta.12) in docker/seed/Dockerfile.{go,php,python}. moby module v2.0.0-beta.8 is the upstream-fix version for CVE-2026-33997 and CVE-2026-34040 (github.com/moby/moby/v2), so bumping past beta.8 clears both findings from the dockerd / docker-proxy / docker binaries we overlay onto docker:29.4.3-dind-alpine3.23.
- Bump addressable from 2.8.10 to 2.9.0 in generators/ruby-v2/sdk/Dockerfile to clear CVE-2026-35611 (ReDoS in URI template expansion). 2.8.10 is the latest 2.8.x; the grype scan flags 2.8.10 as still vulnerable. Switch the post-install cleanup from a hand-maintained rm -rf list to gem cleanup so older addressable / rexml copies pulled in by rubocop's dep graph are removed wholesale. rexml stays pinned at 3.4.4 (past the 3.3.6 fix for CVE-2024-49761, CVE-2024-41123, CVE-2024-41946 -- the 3.2.5 / 3.2.6 findings in the latest scan are stale; the published image only ships rexml 3.4.4).

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

* chore(seed): scrub stale System.Net.Http 4.3.0 transitive refs from csharp-seed NuGet cache

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

* chore(seed,go,ruby): patch follow-up container CVEs + trim Dockerfile comments

- Strip vendored Gemfile.lock files inside cached ruby gems (lint_roller, rbs, typeprof, unicode-emoji) in the ruby-v2 SDK generator so grype stops reading their pinned rexml / rdoc / addressable versions as installed packages.
- Patch /usr/local/go/src/go.mod, vendor/modules.txt, and go.sum in docker/seed/Dockerfile.go, generators/go/sdk/Dockerfile, and generators/go/model/Dockerfile to declare golang.org/x/net v0.53.0 so grype reflects the CVE-2026-33814 fix already present in Go 1.26.3's bundled h2_bundle.go.
- Address PR review feedback by trimming the Dockerfile comments added in this branch to 1-2 lines each.

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

* chore(seed): patch OTLP HTTP exporter + in-toto-golang CVEs in php/python/go-seed

- Add go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp and otlp/otlpmetric/otlpmetrichttp at OTEL_SDK_VERSION (1.43.0) to all containerd / moby / compose go-get steps so the OTLP HTTP exporter modules embedded in the rebuilt overlay binaries clear CVE-2026-39882 (unbounded HTTP response body read).
- Bump github.com/in-toto/in-toto-golang to v0.11.0 in the containerd build step to clear GHSA-pmwq-pjrm-6p5r (negation glob inconsistency between in-toto-go and in-toto-python).
- github.com/docker/docker v28.5.2 (legacy module path) remains a residual on the compose binary: compose v5.1.3 has it only as an // indirect require, the legacy path is frozen (no v29.x on docker/docker), and the daemon overlay we ship is moby v29.5.0-rc.1 so the CVE code paths are unreachable. Documented in PR body.

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

* chore(seed,gen): patch ip-address, docker/docker, in-toto, and pip CVEs

- docker/seed/Dockerfile.{php,python}: pin legacy github.com/docker/docker to v28.5.3-0.20260325154711-31a1689cb0a1+incompatible (28.x branch HEAD with CVE-2026-33997/34040 backports) and in-toto-golang v0.11.0 in compose's go.mod rebuild. Clears the 4 docker/docker and 2 in-toto-golang findings in php-seed + python-seed.
- generators/{swift,php,python}/sdk/Dockerfile: overlay npm-bundled ip-address with v10.2.0 to clear CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in Address6 HTML-emitting methods).
- generators/python/sdk/Dockerfile: bump pip to 26.1 to clear CVE-2025-8869, CVE-2026-3219, CVE-2026-6357, and CVE-2026-1703 (self-update flaw running after wheel install).

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: davidkonigsberg <72822263+davidkonigsberg@users.noreply.github.com>
Co-authored-by: dsinghvi <10870189+dsinghvi@users.noreply.github.com>
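The commit message above relies on bumping module versions inside rebuilt binaries and then waiting for grype to agree. A direct check is to read the module list Go embeds in each overlay binary (`go version -m <binary>`) and compare it against the fix thresholds the message names. The script below is an added example, not code from this PR or from the fern repository: it parses a constructed `go version -m` listing (the dependency set and `h1:` hashes are invented, and x/net is deliberately left one release short) and orders versions the way golang.org/x/mod/semver does, so a pseudo-version such as v2.0.0-20260506120000-0123456789ab ranks as a pre-release below v2.0.0-beta.8, and `+incompatible` is ignored for ordering. The file name `check_fix_versions.py` is an assumption.

```python
"""Check Go modules embedded in a rebuilt binary against minimum fix versions.

Added example (not the fern project's code). Feed it `go version -m <binary>`
on stdin with --stdin, or run it without arguments to use the constructed
sample below. Ordering follows golang.org/x/mod/semver: pre-release
identifiers compare numerically when both are digits, otherwise by ASCII,
and a release outranks any pre-release of the same core version.
"""
import sys

# Minimum versions the commit message identifies as carrying the fixes.
MIN_VERSIONS = {
    "github.com/moby/moby/v2": "v2.0.0-beta.8",       # CVE-2026-33997, CVE-2026-34040
    "golang.org/x/net": "v0.53.0",                    # CVE-2026-33814
    "github.com/in-toto/in-toto-golang": "v0.11.0",   # GHSA-pmwq-pjrm-6p5r
    "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp": "v1.43.0",  # CVE-2026-39882
    "github.com/docker/docker": "v28.5.3-0.20260325154711-31a1689cb0a1+incompatible",
}

# Constructed `go version -m dockerd` listing: dependency set and hashes are
# invented for this example; golang.org/x/net is one release short on purpose.
SAMPLE_GO_VERSION_M = """\
dockerd: go1.26.3
\tpath\tgithub.com/moby/moby/v2/cmd/dockerd
\tmod\tgithub.com/moby/moby/v2\tv2.0.0-beta.12\th1:AAAA=
\tdep\tgithub.com/docker/docker\tv28.5.2+incompatible\th1:BBBB=
\t=>\tgithub.com/docker/docker\tv28.5.3-0.20260325154711-31a1689cb0a1+incompatible\th1:CCCC=
\tdep\tgithub.com/in-toto/in-toto-golang\tv0.11.0\th1:DDDD=
\tdep\tgo.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp\tv1.43.0\th1:EEEE=
\tdep\tgolang.org/x/net\tv0.52.0\th1:FFFF=
\tbuild\t-buildmode=exe
"""


def _parse(version):
    """Split 'vX.Y.Z[-pre][+meta]' into ((X, Y, Z), [pre-release identifiers])."""
    if not version.startswith("v"):
        raise ValueError(f"not a semver tag: {version!r}")   # e.g. '(devel)'
    body = version[1:].split("+", 1)[0]        # build metadata never affects order
    core, _, pre = body.partition("-")         # pseudo-versions land in `pre`
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (3 - len(nums))
    return nums, (pre.split(".") if pre else [])


def compare(a, b):
    """Return -1, 0 or 1 ordering version a against version b."""
    an, ap = _parse(a)
    bn, bp = _parse(b)
    if an != bn:
        return -1 if an < bn else 1
    if not ap and not bp:
        return 0
    if not ap or not bp:                       # a release outranks a pre-release
        return 1 if not ap else -1
    for x, y in zip(ap, bp):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return -1 if int(x) < int(y) else 1
        if x.isdigit() != y.isdigit():         # numeric identifiers rank lowest
            return -1 if x.isdigit() else 1
        return -1 if x < y else 1
    return (len(ap) > len(bp)) - (len(ap) < len(bp))   # longer pre-release is newer


def parse_go_version_m(text):
    """Map module path -> effective version from `go version -m` output.
    `mod` is the main module, `dep` a dependency; a `=>` line that follows a
    dep is a replace directive whose version overrides the dep just listed."""
    versions, last = {}, None
    for line in text.splitlines():
        fields = line.strip().split("\t")
        if len(fields) < 3:
            continue
        kind, path, version = fields[0], fields[1], fields[2]
        if kind in ("mod", "dep"):
            versions[path] = version
            last = path
        elif kind == "=>" and last:
            versions[last] = version
    return versions


def check(text, minimums=MIN_VERSIONS):
    """Return {module: (found_version, minimum, meets_minimum)}. A module the
    binary does not embed, or one whose version is not a semver tag such as
    '(devel)', is reported as failing so it never passes silently."""
    found = parse_go_version_m(text)
    report = {}
    for module, minimum in minimums.items():
        version = found.get(module)
        try:
            ok = version is not None and compare(version, minimum) >= 0
        except ValueError:
            ok = False
        report[module] = (version, minimum, ok)
    return report


def failing(text, minimums=MIN_VERSIONS):
    """Sorted module paths that are below their fix version or missing."""
    return sorted(m for m, (_, _, ok) in check(text, minimums).items() if not ok)


if __name__ == "__main__":
    # Real use: go version -m /usr/bin/dockerd | python check_fix_versions.py --stdin
    text = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_GO_VERSION_M
    for module, (version, minimum, ok) in check(text).items():
        print(f"{'OK ' if ok else 'LOW'} {module} {version} (need >= {minimum})")
    sys.exit(1 if failing(text) else 0)
```

Run against the sample it exits non-zero and reports only golang.org/x/net as LOW; the replace line for github.com/docker/docker is honoured, so the pinned 28.x pseudo-version passes even though the dep line still says v28.5.2. This is the same ordering grype has to reproduce, which is why a patched go.mod that declares the fixed x/net version changes what the scanner reports without changing the bytes in h2_bundle.go.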
See Commits and Changes for more details.
Created by pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )