Merge branch 'main' into jekyll-3.4

Author: sireeshajonnalagadda

src/anaconda/.devcontainer/apply_security_patches.sh

@@ -1,9 +1,9 @@
 #!/bin/bash
 
 # vulnerabilities:
-# werkzeug - [GHSA-f9vj-2wh5-fj8j]
+# werkzeug - [GHSA-f9vj-2wh5-fj8j] 
 
-vulnerable_packages=( "mistune=3.0.1" "transformers=4.49.0" "cryptography=43.0.3" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \ 
+vulnerable_packages=( "mistune=3.0.1" "aiohttp=3.10.11" "cryptography=44.0.1" "h11=0.16.0" "jinja2=3.1.6" "jupyter_core=5.8.1" "protobuf=4.25.8" "requests=2.32.4" "setuptools=78.1.1" "transformers=4.52.1" "urllib3=2.5.0" "Werkzeug=3.0.6" "jupyter-lsp=2.2.2" "scrapy=2.11.2" \ 
                       "zipp=3.19.1" "tornado=6.4.2")
 
 # Define the number of rows (based on the length of vulnerable_packages)
@@ -26,8 +26,7 @@ done
 
 # Add an array for packages that should always pin to the provided version, 
 # even if higher version is available in conda channel
-pin_to_required_version=( "transformers" "cryptography" ) # Add package names as needed
-
+pin_to_required_version=("jupyter_core" "cryptography" )
 # Function to check if a package is in the pin_to_required_version array
 function is_pin_to_required_version() {
     local pkg="$1"

src/anaconda/manifest.json

@@ -1,5 +1,5 @@
 {
-	"version": "1.2.7",
+	"version": "1.2.8",
 	"build": {
 		"latest": true,
 		"rootDistro": "debian",

src/anaconda/test-project/test.sh

@@ -33,13 +33,16 @@ checkPythonPackageVersion "joblib" "1.2.0"
 checkPythonPackageVersion "cookiecutter" "2.1.1"
 checkPythonPackageVersion "mistune" "2.0.3"
 checkPythonPackageVersion "numpy" "1.22"
-checkPythonPackageVersion "setuptools" "70.0.0"
+checkPythonPackageVersion "setuptools" "78.1.1"
 checkPythonPackageVersion "wheel" "0.38.1"
 checkPythonPackageVersion "nbconvert" "6.5.1"
-checkPythonPackageVersion "werkzeug" "3.0.3"
+checkPythonPackageVersion "werkzeug" "3.0.6"
 checkPythonPackageVersion "certifi" "2022.12.07"
-checkPythonPackageVersion "cryptography" "43.0.1"
-checkPythonPackageVersion "transformers" "4.36.0"
+checkPythonPackageVersion "cryptography" "44.0.1"
+checkPythonPackageVersion "h11" "0.16.0"
+checkPythonPackageVersion "jupyter_core" "5.8.1"
+checkPythonPackageVersion "protobuf" "4.25.8"
+checkPythonPackageVersion "transformers" "4.52.1"
 checkPythonPackageVersion "mpmath" "1.3.0"
 checkPythonPackageVersion "aiohttp" "3.10.2"
 checkPythonPackageVersion "tornado" "6.4.2"
@@ -53,15 +56,15 @@ checkPythonPackageVersion "jupyter-lsp" "2.2.2"
 checkPythonPackageVersion "idna" "3.7"
 checkPythonPackageVersion "jinja2" "3.1.4"
 checkPythonPackageVersion "scrapy" "2.11.2"
-checkPythonPackageVersion "requests" "2.32.2"
+checkPythonPackageVersion "requests" "2.32.4"
 checkPythonPackageVersion "scikit-learn" "1.5.0"
 checkPythonPackageVersion "zipp" "3.19.1"
 
 checkCondaPackageVersion "pyopenssl" "24.2.1"
-checkCondaPackageVersion "requests" "2.32.2"
+checkCondaPackageVersion "requests" "2.32.4"
 checkCondaPackageVersion "pygments" "2.15.1"
 checkCondaPackageVersion "mpmath" "1.3.0"
-checkCondaPackageVersion "urllib3" "2.2.2"
+checkCondaPackageVersion "urllib3" "2.5.0"
 checkCondaPackageVersion "pyarrow" "14.0.1"
 checkCondaPackageVersion "pydantic" "2.5.3"
 checkCondaPackageVersion "tqdm" "4.66.4"

src/base-debian/.devcontainer/Dockerfile

@@ -1,5 +1,5 @@
-# [Choice] Debian version (use bullseye on local arm64/Apple Silicon): bookworm, bullseye, buster
-ARG VARIANT="bookworm"
+# [Choice] Debian version (use bullseye on local arm64/Apple Silicon): trixie, bookworm, bullseye, buster
+ARG VARIANT="trixie"
 FROM buildpack-deps:${VARIANT}-curl
 
 # [Optional] Uncomment this section to install additional OS packages.

src/base-debian/README.md

@@ -9,8 +9,8 @@
 | *Categories* | Core, Other |
 | *Image type* | Dockerfile |
 | *Published images* | mcr.microsoft.com/devcontainers/base:debian |
-| *Available image variants* | bookworm, bullseye ([full list](https://mcr.microsoft.com/v2/devcontainers/base/tags/list)) |
-| *Published image architecture(s)* | x86-64, aarch64/arm64 for `bookworm`, and `bullseye` variant |
+| *Available image variants* | trixie, bookworm, bullseye ([full list](https://mcr.microsoft.com/v2/devcontainers/base/tags/list)) |
+| *Published image architecture(s)* | x86-64, aarch64/arm64 for `trixie`, `bookworm`, and `bullseye` variant |
 | *Container host OS support* | Linux, macOS, Windows |
 | *Container OS* | Debian |
 | *Languages, platforms* | Any |
@@ -22,16 +22,17 @@ See **[history](history)** for information on the contents of published images.
 You can directly reference pre-built versions of `Dockerfile` by using the `image` property in `.devcontainer/devcontainer.json` or updating the `FROM` statement in your own `Dockerfile` to one of the following. An example `Dockerfile` is included in this repository.
 
 - `mcr.microsoft.com/devcontainers/base:debian` (latest)
+- `mcr.microsoft.com/devcontainers/base:trixie` (or `debian-13`)
 - `mcr.microsoft.com/devcontainers/base:bookworm` (or `debian-12`)
 - `mcr.microsoft.com/devcontainers/base:bullseye` (or `debian-11`)
 
 Refer to [this guide](https://containers.dev/guide/dockerfile) for more details.
 
 You can decide how often you want updates by referencing a [semantic version](https://semver.org/) of each image. For example:
 
-- `mcr.microsoft.com/devcontainers/base:1-bookworm`
-- `mcr.microsoft.com/devcontainers/base:1.0-bookworm`
-- `mcr.microsoft.com/devcontainers/base:1.0.0-bookworm`
+- `mcr.microsoft.com/devcontainers/base:1-trixie`
+- `mcr.microsoft.com/devcontainers/base:1.0-trixie`
+- `mcr.microsoft.com/devcontainers/base:1.0.0-trixie`
 
 See [history](history) for information on the contents of each version and [here for a complete list of available tags](https://mcr.microsoft.com/v2/devcontainers/base/tags/list).
 

src/base-debian/manifest.json

@@ -1,13 +1,18 @@
 {
-	"version": "1.0.25",
+	"version": "2.0.0",
 	"variants": [
+		"trixie",
 		"bookworm",
 		"bullseye"
 	],
 	"build": {
-		"latest": "bookworm",
+		"latest": "trixie",
 		"rootDistro": "debian",
 		"architectures": {
+			"trixie": [
+				"linux/amd64",
+				"linux/arm64"
+			],
 			"bookworm": [
 				"linux/amd64",
 				"linux/arm64"
@@ -21,12 +26,16 @@
 			"base:${VERSION}-${VARIANT}"
 		],
 		"variantTags": {
-			"bookworm": [
-				"base:${VERSION}-debian-12",
-				"base:${VERSION}-debian12",
+			"trixie": [
+				"base:${VERSION}-debian-13",
+				"base:${VERSION}-debian13",
 				"base:${VERSION}-debian",
 				"base:${VERSION}"
 			],
+			"bookworm": [
+				"base:${VERSION}-debian-12",
+				"base:${VERSION}-debian12"
+			],
 			"bullseye": [
 				"base:${VERSION}-debian-11",
 				"base:${VERSION}-debian11"

src/go/.devcontainer/Dockerfile

@@ -1,6 +1,12 @@
-ARG VARIANT=1.25-bookworm
+ARG VARIANT=1.25-trixie
 FROM golang:${VARIANT}
 
+# Fixing vulnerability issue by upgrading svn to 1.14.5. Ref https://subversion.apache.org/security/CVE-2024-46901-advisory.txt
+COPY ./scripts/install-subversion.sh /tmp/install-subversion.sh
+RUN chmod +x /tmp/install-subversion.sh
+RUN /tmp/install-subversion.sh \
+  && rm -f /tmp/install-subversion.sh
+
 # [Optional] Uncomment the next line to use go get to install anything else you need
 # RUN go get -x <your-dependency-or-tool>
 

src/go/.devcontainer/scripts/install-subversion.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+set -eux
+
+URL="https://archive.apache.org/dist/subversion/subversion-1.14.5.tar.gz"
+TMP="/tmp"
+TARBALL="subversion-1.14.5.tar.gz"
+SRCDIR="subversion-1.14.5"
+
+if wget -q -O "${TMP}/${TARBALL}" "${URL}"; then
+  echo "Downloaded ${TARBALL} — building..."
+  apt-get remove -y subversion libsvn1 || true
+  cd "${TMP}"
+  tar -xzf "${TARBALL}"
+  cd "${SRCDIR}"
+  apt-get update -y
+  apt-get install -y --no-install-recommends build-essential autoconf libtool libsqlite3-dev pkg-config libapr1-dev libaprutil1-dev liblz4-dev libutf8proc-dev zlib1g-dev
+  ./configure --with-lz4=internal --prefix=/usr
+  make -j"$(nproc 2>/dev/null || getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)"
+  make install
+  cd /
+  rm -rf "${TMP:?}/${SRCDIR}" "${TMP:?}/${TARBALL}"
+  apt-get purge -y --auto-remove build-essential autoconf libtool pkg-config
+  rm -rf /var/lib/apt/lists/*
+  echo "Subversion built and installed (build deps removed)"
+else
+  echo "Downloading svn source failed, skipping Subversion build"
+fi
+

src/go/README.md

@@ -10,8 +10,8 @@
 | *Categories* | Core, Languages |
 | *Definition type* | Dockerfile |
 | *Published images* | mcr.microsoft.com/devcontainers/go |
-| *Available image variants* | 1 / 1-bookworm, 1.25 / 1.25-bookworm, 1.24 / 1.24-bookworm, 1-bullseye ([full list](https://mcr.microsoft.com/v2/devcontainers/go/tags/list)) |
-| *Published image architecture(s)* | x86-64, arm64/aarch64 for `bookworm`, and `bullseye` variants |
+| *Available image variants* | 1 / 1-bookworm, 1.25 / 1.25-trixie, 1.24 / 1.24-bookworm, 1-bullseye ([full list](https://mcr.microsoft.com/v2/devcontainers/go/tags/list)) |
+| *Published image architecture(s)* | x86-64, arm64/aarch64 for `trixie`, `bookworm`, and `bullseye` variants |
 | *Container host OS support* | Linux, macOS, Windows |
 | *Container OS* | Debian |
 | *Languages, platforms* | Go |
@@ -23,19 +23,19 @@ See **[history](history)** for information on the contents of published images.
 You can directly reference pre-built versions of `Dockerfile` by using the `image` property in `.devcontainer/devcontainer.json` or updating the `FROM` statement in your own  `Dockerfile` to one of the following. An example `Dockerfile` is included in this repository.
 
 - `mcr.microsoft.com/devcontainers/go` (latest)
-- `mcr.microsoft.com/devcontainers/go:1` (or `1-bookworm`, `1-bullseye` to pin to an OS version)
-- `mcr.microsoft.com/devcontainers/go:1.25` (or `1.25-bookworm`, `1.25-bullseye` to pin to an OS version)
+- `mcr.microsoft.com/devcontainers/go:1` (or `1-trixie`, `1-bookworm`, `1-bullseye` to pin to an OS version)
+- `mcr.microsoft.com/devcontainers/go:1.25` (or `1.25-trixie`, `1.25-bookworm` to pin to an OS version)
 - `mcr.microsoft.com/devcontainers/go:1.24` (or `1.24-bookworm`, `1.24-bullseye` to pin to an OS version)
 
 Refer to [this guide](https://containers.dev/guide/dockerfile) for more details.
 
 You can decide how often you want updates by referencing a [semantic version](https://semver.org/) of each image. For example:
 
-- `mcr.microsoft.com/devcontainers/go:1-1.25` (or `1-1.25-bookworm`, `1-1.25-bullseye`)
+- `mcr.microsoft.com/devcontainers/go:1-1.25` (or `1-1.25-trixie`, `1-1.25-bookworm`)
 - `mcr.microsoft.com/devcontainers/go:1.4-1.25` (or `1.4-1.25-bookworm`, `1.4-1.25-bullseye`)
 - `mcr.microsoft.com/devcontainers/go:1.4.0-1.25` (or `1.4.0-1.25-bookworm`, `1.4.0-1.25-bullseye`)
 
-However, we only do security patching on the latest [non-breaking, in support](https://github.com/devcontainers/images/issues/90) versions of images (e.g. `1-1.24`). You may want to run `apt-get update && apt-get upgrade` in your Dockerfile if you lock to a more specific version to at least pick up OS security updates.
+However, we only do security patching on the latest [non-breaking, in support](https://github.com/devcontainers/images/issues/90) versions of images (e.g. `1-1.25`). You may want to run `apt-get update && apt-get upgrade` in your Dockerfile if you lock to a more specific version to at least pick up OS security updates.
 
 See [history](history) for information on the contents of each version and [here for a complete list of available tags](https://mcr.microsoft.com/v2/devcontainers/go/tags/list).
 

src/go/manifest.json

@@ -1,27 +1,32 @@
 {
-  "version": "1.4.5",
+  "version": "2.0.0",
   "variants": [
+    "1.25-trixie",
+    "1.24-trixie",
     "1.25-bookworm",
     "1.24-bookworm",
-    "1.25-bullseye",
     "1.24-bullseye"
   ],
   "build": {
-    "latest": "1.25-bookworm",
+    "latest": "1.25-trixie",
     "rootDistro": "debian",
     "tags": [
       "go:${VERSION}-${VARIANT}"
     ],
     "architectures": {
-      "1.25-bookworm": [
+      "1.25-trixie": [
         "linux/amd64",
         "linux/arm64"
       ],
-      "1.24-bookworm": [
+      "1.24-trixie": [
         "linux/amd64",
         "linux/arm64"
       ],
-      "1.25-bullseye": [
+      "1.25-bookworm": [
+        "linux/amd64",
+        "linux/arm64"
+      ],
+      "1.24-bookworm": [
         "linux/amd64",
         "linux/arm64"
       ],
@@ -31,21 +36,25 @@
       ]
     },
     "variantTags": {
-      "1.25-bookworm": [
+      "1.25-trixie": [
         "go:${VERSION}-1.25",
         "go:${VERSION}-1",
-        "go:${VERSION}-1-bookworm",
-        "go:${VERSION}-bookworm"
+        "go:${VERSION}-1-trixie",
+        "go:${VERSION}-trixie"
       ],
-      "1.24-bookworm": [
+      "1.24-trixie": [
         "go:${VERSION}-1.24",
         "go:${VERSION}-1",
+        "go:${VERSION}-1-trixie",
+        "go:${VERSION}-trixie"
+      ],
+      "1.25-bookworm": [
         "go:${VERSION}-1-bookworm",
         "go:${VERSION}-bookworm"
       ],
-      "1.25-bullseye": [
-        "go:${VERSION}-1-bullseye",
-        "go:${VERSION}-bullseye"
+      "1.24-bookworm": [
+        "go:${VERSION}-1-bookworm",
+        "go:${VERSION}-bookworm"
       ],
       "1.24-bullseye": [
         "go:${VERSION}-1-bullseye",