
chore(deps): update all non-major dependencies in docker-bake.hcl#421

Merged: fzipi merged 7 commits into main from renovate/all-minor-patch on May 10, 2026

Conversation

@renovate
Contributor

@renovate renovate Bot commented Apr 28, 2026

This PR contains the following updates:

Package                      | Update | Change
ModSecurity2                 | patch  | 2.9.12 → 2.9.13
ModSecurity3                 | patch  | 3.0.14 → 3.0.15
nginxinc/nginx-unprivileged  | minor  | 1.28.2 → 1.30.0

Release Notes

owasp-modsecurity/ModSecurity (ModSecurity2)

v2.9.13

Compare Source

Full list of changes:

nginx/docker-nginx-unprivileged (nginxinc/nginx-unprivileged)

v1.29.4

Compare Source

NGINX 1.29.4 (mainline)

v1.29.3

Compare Source

NGINX 1.29.3 (mainline)

v1.29.2

Compare Source

NGINX 1.29.2 (mainline)

v1.29.1

Compare Source

NGINX 1.29.1 (mainline)

v1.29.0

NGINX 1.29.0 (mainline)


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Summary by CodeRabbit

  • Documentation

    • Updated nginx base image version reference in docs.
  • Chores

    • Upgraded ModSecurity 3 to 3.0.15, ModSecurity 2 to 2.9.13, and nginx-unprivileged to 1.30.0.
    • Simplified ModSecurity source retrieval and removed a prior ModSecurity patch step from builds.
  • Tests / CI

    • Updated test tooling version and adjusted an nginx-related regression expectation (response status changed 400 → 405).

renovate-approve[bot]
renovate-approve Bot previously approved these changes Apr 28, 2026
@fzipi
Member

fzipi commented Apr 28, 2026

@copilot fix the build ci. ModSecurity v2 changed the libinjection build to use git submodules.

Contributor

Copilot AI commented Apr 28, 2026

@copilot fix the build ci. ModSecurity v2 changed the libinjection build to use git submodules.

Fixed in 6dbb1ef. Both apache/Dockerfile (Debian) and apache/Dockerfile-alpine (Alpine) now use git clone --branch "v${MODSEC2_VERSION}" --depth 1 --recursive instead of downloading the GitHub tarball, which ensures git submodules (including libinjection) are properly initialized during the build.
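
The failure mode behind this fix, as an added example that is not code from this PR or from the ModSecurity project: a GitHub release tarball is produced by `git archive`, which never descends into submodules, so a repository that pulls libinjection in as a submodule ships with an empty `others/libinjection` directory in its tarball, while a recursive clone populates it. The two repositories, the file names and the tag `v2.9.13` below are a constructed local fixture, not the real upstream repositories.

```shell
#!/bin/sh
# Added example (not from the PR): release tarball vs. recursive clone of a
# repository that carries a git submodule. The "dep" repo stands in for
# libinjection and "modsec" for the superproject; both are constructed here.
set -eu

# Build the fixture: a "dep" repo and a "modsec" superproject that references
# it as the submodule others/libinjection, tagged v2.9.13.
build_fixture() {
    work="$1"
    git init -q "$work/dep"
    echo 'int libinjection_version(void) { return 1; }' >"$work/dep/libinjection.c"
    git -C "$work/dep" add libinjection.c
    git -C "$work/dep" -c user.name=fixture -c user.email=fixture@example.invalid \
        commit -q -m "libinjection stand-in"

    git init -q "$work/modsec"
    echo 'superproject' >"$work/modsec/README"
    git -C "$work/modsec" add README
    git -C "$work/modsec" -c user.name=fixture -c user.email=fixture@example.invalid \
        commit -q -m "initial"
    # git >= 2.38.1 refuses local-path/file:// submodule clones by default
    # (CVE-2022-39253). The fixture lives on local disk, so allow it here only.
    git -C "$work/modsec" -c protocol.file.allow=always \
        submodule add -q "$work/dep" others/libinjection
    git -C "$work/modsec" -c user.name=fixture -c user.email=fixture@example.invalid \
        commit -q -m "add libinjection submodule"
    git -C "$work/modsec" tag v2.9.13
}

# Prints yes/no depending on whether the submodule's source actually landed.
has_libinjection() {
    if [ -f "$1/others/libinjection/libinjection.c" ]; then echo yes; else echo no; fi
}

# "Release tarball" path: git archive is what /archive/ tarballs are built
# from, and it only emits the gitlink, not the submodule's files.
fetch_via_tarball() {
    work="$1"
    git -C "$work/modsec" archive --format=tar --prefix=src/ \
        -o "$work/src.tar" v2.9.13 >/dev/null 2>&1
    mkdir -p "$work/tarball"
    tar -xf "$work/src.tar" -C "$work/tarball"
    has_libinjection "$work/tarball/src"
}

# "Shallow recursive clone" path, the form the Dockerfiles were switched to.
# -c protocol.file.allow=always is exported to the nested submodule clone.
fetch_via_clone() {
    work="$1"
    git -c protocol.file.allow=always clone -q --branch v2.9.13 --depth 1 \
        --recursive "file://$work/modsec" "$work/clone" >/dev/null 2>&1
    has_libinjection "$work/clone"
}

# Runs both retrieval methods in a scratch directory and reports the outcome,
# e.g. "tarball=no clone=yes".
compare_fetch_methods() {
    work="$1"
    build_fixture "$work" >/dev/null 2>&1
    echo "tarball=$(fetch_via_tarball "$work") clone=$(fetch_via_clone "$work")"
}

compare_fetch_methods "$(mktemp -d)"
```

The same check is worth running against the real source tree in CI: after the clone step, fail the build if `others/libinjection` contains no sources, so a regression in how the tarball or clone is fetched surfaces at build time rather than as a missing-symbol error at link time.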

@coderabbitai

coderabbitai Bot commented Apr 28, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

📝 Walkthrough

Walkthrough

Swaps ModSecurity source retrieval from release archives to shallow git clones for Apache builds, removes an OWASP patch and related package install from the NGINX Alpine build, bumps default ModSecurity/nginx versions, and updates a CI workflow environment variable plus a test expectation override.

Changes

Builds: ModSecurity source and version bumps

Layer                 | File(s)                                                     | Summary
Version defaults      | docker-bake.hcl, README.md                                  | Default versions updated: ModSecurity 3 3.0.14 → 3.0.15, ModSecurity 2 2.9.12 → 2.9.13, nginx 1.28.2 → 1.30.0. README variant reference updated.
Build dependencies    | apache/Dockerfile, apache/Dockerfile-alpine, nginx/Dockerfile-alpine | Adjusted build packages: removed wget (Debian), added git to Alpine build deps, removed patch from Nginx Alpine.
Source retrieval      | apache/Dockerfile, apache/Dockerfile-alpine                 | Replaced release archive download/extract with a shallow, recursive git clone of ModSecurity at v${MODSEC2_VERSION}; subsequent build steps remain.
Patch removal         | nginx/Dockerfile-alpine                                     | Removed step that fetched and applied the OWASP ModSecurity patch (PR #3473) prior to building.
Build / Install steps | apache/..., nginx/...                                       | ./autogen.sh, ./configure/${MODSEC2_FLAGS}, make install, and module compilation steps are unchanged and operate on cloned sources.

CI: verifyimage workflow change

Layer                    | File(s)                                                              | Summary
Workflow env             | .github/workflows/verifyimage.yml                                    | Bumped GO_FTW_VERSION from 1.3.0 to 2.1.0.
Test expectation patch   | .github/workflows/verifyimage.yml, crs/tests/regression/nginx-overrides.yaml | Added a step that uses yq to patch crs/tests/regression/nginx-overrides.yaml, setting output.status to 405 for rule_id: 920100 with test_ids: [4] before running CRS tests.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇
I nibbled at tags and hopped through the trees,
Swapped tar for git with a breeze on the breeze.
CI got a tweak, versions went higher—
Carrots for builds, and a rabbit's small choir.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name  | Status     | Explanation | Resolution
Title check | ⚠️ Warning | The title references updating dependencies in docker-bake.hcl, but the changeset includes substantial modifications beyond that file: modifications to Apache and nginx Dockerfiles, workflow changes, and README updates unrelated to docker-bake.hcl. | Revise the title to reflect the full scope of changes, such as 'chore(deps): update dependencies and fix ModSecurity build methods' or split into multiple focused PRs.

✅ Passed checks (4 passed)

Check name               | Status    | Explanation
Description Check        | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage       | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check      | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


Copilot AI requested a review from fzipi April 28, 2026 20:58
@fzipi
Member

fzipi commented Apr 28, 2026

@copilot Looks like patch https://patch-diff.githubusercontent.com/raw/owasp-modsecurity/ModSecurity/pull/3473.patch is already applied also, so remove.

Contributor

Copilot AI commented Apr 28, 2026

@copilot Looks like patch https://patch-diff.githubusercontent.com/raw/owasp-modsecurity/ModSecurity/pull/3473.patch is already applied also, so remove.

Done in 7ea4758. Removed the curl ... | patch -p1 line and the patch build dependency from nginx/Dockerfile-alpine.

@fzipi
Member

fzipi commented Apr 29, 2026

@copilot nginx tests are failing. This is probably due to nginx 1.30.0 changed the response to test 920100-4 to have a status code of 405. Patch the file crs/tests/regression/nginx-overrides.yaml in the @.github/workflows/verifyimage.yml workflow to check for 405 around line 8:

 test_overrides:
   - rule_id: 920100
     test_ids: [4]
     reason: "Nginx returns a 405 bad request"
     output:
       status: 405

Contributor

Copilot AI commented Apr 29, 2026

@copilot nginx tests are failing. This is probably due to nginx 1.30.0 changed the response to test 920100-4 to have a status code of 405. Patch the file crs/tests/regression/nginx-overrides.yaml in...

Done in 09a9b2c. Added a workflow step after the CRS checkout that uses Python to update the existing nginx-overrides.yaml entry for rule 920100 test 4 — changing the reason and expected status from 400 to 405.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/verifyimage.yml (1)

205-206: Scope this patch step to nginx targets.

This override is nginx-specific but currently runs for all matrix entries. Adding a target guard makes the workflow intent clearer and avoids unnecessary file mutation in apache jobs.

Suggested guard
       - name: Patch nginx overrides for nginx 1.30.0 (920100-4 now returns 405)
+        if: ${{ contains(matrix.target, 'nginx') }}
         run: |
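Review bot: the guard hard-codes the matrix key name `target`; the agent prompt further down hedges with "depending on your matrix keys", and if the workflow's `strategy.matrix` uses a different key, `contains(matrix.target, 'nginx')` is evaluated against an empty value, the step is skipped on every job, and the nginx job fails on 920100-4 again. Confirm the key against the matrix definition in verifyimage.yml before applying the guard. Independently of the guard, the step body should assert that exactly one override entry was changed (the Python replace at review time, or the `yq -i ... select(...)` one-liner that replaced it later in this thread, both no-op silently when nothing matches); reading the value back and failing the job unless it equals 405 turns a silent no-op into a clear CI failure before the CRS tests run.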
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/verifyimage.yml around lines 205 - 206, The "Patch nginx
overrides for nginx 1.30.0 (920100-4 now returns 405)" step is running for all
matrix entries; restrict it to only nginx targets by adding a GitHub Actions
conditional to the step (e.g., add an if: condition such as if: matrix.target ==
'nginx' or if: contains(matrix.image, 'nginx') depending on your matrix keys) so
the file mutation only runs for nginx jobs.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/verifyimage.yml:
- Around line 207-215: The current fragile string replace in the Python snippet
should be replaced with a context-aware edit that locates the specific test by
rule_id/test_id and updates only its status, using a regex or structured match
(e.g., find the test block for the nginx override by its rule_id/test_id in
crs/tests/regression/nginx-overrides.yaml), perform the substitution with a
method that returns the number of replacements (e.g., re.subn), and assert that
exactly one replacement occurred; if not, print a clear error and exit non-zero
so CI fails rather than silently no-op.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: b563152c-fdaf-482d-a5d2-29d67e8251f2

📥 Commits

Reviewing files that changed from the base of the PR and between 7ea4758 and 09a9b2c.

📒 Files selected for processing (1)
  • .github/workflows/verifyimage.yml

Comment thread .github/workflows/verifyimage.yml Outdated
@fzipi
Member

fzipi commented Apr 29, 2026

@copilot Well, my bad. I should have written this better. Remove that python stuff you added and just use a line like yq -i '(.test_overrides[] | select(.rule_id == 920100 and .test_ids == [4])).output.status = 405' crs/tests/regression/nginx-overrides.yaml.

Contributor

Copilot AI commented Apr 29, 2026

@copilot Well, my bad. I should have written this better. Remove that python stuff you added and just use a line like `yq -i '(.test_overrides[] | select(.rule_id == 920100 and .test_ids == [4])).outp...

Done in 10f9acd. Replaced the Python block with the yq one-liner you suggested.

@renovate
Contributor Author

renovate Bot commented May 4, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@jankohlmann

This is currently blocking renovate updates, especially Apache httpd 2.4.67 with fixes for CVE-2026-34059.

Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
@fzipi
Member

fzipi commented May 9, 2026

Thanks @jankohlmann. You can even help fixing if you want.

Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
@fzipi fzipi merged commit e4b22c2 into main May 10, 2026
14 checks passed
@fzipi fzipi deleted the renovate/all-minor-patch branch May 10, 2026 01:11
