
Bump postgres to 18.3-alpine to reduce CVE surface area #1691

Merged
EItanya merged 4 commits into kagent-dev:main from jjamroga:jjamroga/bump-postgres
Apr 18, 2026

Conversation

@jjamroga
Collaborator

CVE Scan for postgres:18.3-alpine

| CVE ID         | SEVERITY | PACKAGE      | FIXED IN                     | SCANNERS                    |
|----------------|----------|--------------|------------------------------|-----------------------------|
| CVE-2025-68121 | CRITICAL | stdlib       | 1.24.13, 1.25.7, 1.26.0-rc.3 | grype, trivy                |
| CVE-2025-58183 | HIGH     | stdlib       | 1.24.8, 1.25.2               | grype(MEDIUM), trivy(HIGH)  |
| CVE-2025-58187 | HIGH     | stdlib       | 1.24.9, 1.25.3               | grype(HIGH), trivy(MEDIUM)  |
| CVE-2025-58188 | HIGH     | stdlib       | 1.24.8, 1.25.2               | grype(HIGH), trivy(MEDIUM)  |
| CVE-2025-61723 | HIGH     | stdlib       | 1.24.8, 1.25.2               | grype(HIGH), trivy(MEDIUM)  |
| CVE-2025-61725 | HIGH     | stdlib       | 1.24.8, 1.25.2               | grype(HIGH), trivy(MEDIUM)  |
| CVE-2025-61726 | HIGH     | stdlib       | 1.24.12, 1.25.6              | grype, trivy                |
| CVE-2025-61728 | HIGH     | stdlib       | 1.24.12, 1.25.6              | grype(MEDIUM), trivy(HIGH)  |
| CVE-2025-61729 | HIGH     | stdlib       | 1.24.11, 1.25.5              | grype, trivy                |
| CVE-2025-61731 | HIGH     | stdlib       | 1.24.12, 1.25.6              | grype                       |
| CVE-2025-61732 | HIGH     | stdlib       | 1.24.13, 1.25.7              | grype                       |
| CVE-2026-25679 | HIGH     | stdlib       | 1.25.8, 1.26.1               | grype, trivy                |
| CVE-2026-27135 | HIGH     | nghttp2-libs | n/a                          | grype                       |
| CVE-2026-27140 | HIGH     | stdlib       | 1.25.9, 1.26.2               | grype                       |
| CVE-2026-32280 | HIGH     | stdlib       | 1.25.9, 1.26.2               | grype, trivy                |
| CVE-2026-32281 | HIGH     | stdlib       | 1.25.9, 1.26.2               | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-32282 | HIGH     | stdlib       | 1.25.9, 1.26.2               | grype(MEDIUM), trivy(HIGH)  |
| CVE-2026-32283 | HIGH     | stdlib       | 1.25.9, 1.26.2               | grype(HIGH), trivy(UNKNOWN) |

CVE Scan for postgres:18

| CVE ID         | SEVERITY | PACKAGE                 | FIXED IN                     | SCANNERS                    |
|----------------|----------|-------------------------|------------------------------|-----------------------------|
| CVE-2025-68121 | CRITICAL | stdlib                  | 1.24.13, 1.25.7, 1.26.0-rc.3 | grype, trivy                |
| CVE-2025-13151 | HIGH     | libtasn1-6              | n/a                          | grype(HIGH), trivy(MEDIUM)  |
| CVE-2025-58183 | HIGH     | stdlib                  | 1.24.8, 1.25.2               | grype(MEDIUM), trivy(HIGH)  |
| CVE-2025-58187 | HIGH     | stdlib                  | 1.24.9, 1.25.3               | grype(HIGH), trivy(MEDIUM)  |
| CVE-2025-58188 | HIGH     | stdlib                  | 1.24.8, 1.25.2               | grype(HIGH), trivy(MEDIUM)  |
| CVE-2025-61723 | HIGH     | stdlib                  | 1.24.8, 1.25.2               | grype(HIGH), trivy(MEDIUM)  |
| CVE-2025-61725 | HIGH     | stdlib                  | 1.24.8, 1.25.2               | grype(HIGH), trivy(MEDIUM)  |
| CVE-2025-61726 | HIGH     | stdlib                  | 1.24.12, 1.25.6              | grype, trivy                |
| CVE-2025-61728 | HIGH     | stdlib                  | 1.24.12, 1.25.6              | grype(MEDIUM), trivy(HIGH)  |
| CVE-2025-61729 | HIGH     | stdlib                  | 1.24.11, 1.25.5              | grype, trivy                |
| CVE-2025-61731 | HIGH     | stdlib                  | 1.24.12, 1.25.6              | grype                       |
| CVE-2025-61732 | HIGH     | stdlib                  | 1.24.13, 1.25.7              | grype                       |
| CVE-2025-69720 | HIGH     | libncursesw6            | n/a                          | grype, trivy                |
| CVE-2025-69720 | HIGH     | libtinfo6               | n/a                          | grype, trivy                |
| CVE-2025-69720 | HIGH     | ncurses-base            | n/a                          | grype, trivy                |
| CVE-2025-69720 | HIGH     | ncurses-bin             | n/a                          | grype, trivy                |
| CVE-2026-24882 | HIGH     | dirmngr                 | n/a                          | grype, trivy                |
| CVE-2026-24882 | HIGH     | gnupg                   | n/a                          | grype, trivy                |
| CVE-2026-24882 | HIGH     | gnupg-l10n              | n/a                          | grype, trivy                |
| CVE-2026-24882 | HIGH     | gpg                     | n/a                          | grype, trivy                |
| CVE-2026-24882 | HIGH     | gpg-agent               | n/a                          | grype, trivy                |
| CVE-2026-24882 | HIGH     | gpgconf                 | n/a                          | grype, trivy                |
| CVE-2026-24882 | HIGH     | gpgsm                   | n/a                          | grype, trivy                |
| CVE-2026-25679 | HIGH     | stdlib                  | 1.25.8, 1.26.1               | grype, trivy                |
| CVE-2026-2673  | HIGH     | libssl3t64              | 3.5.5-1~deb13u2              | grype(HIGH), trivy(LOW)     |
| CVE-2026-2673  | HIGH     | openssl                 | 3.5.5-1~deb13u2              | grype(HIGH), trivy(LOW)     |
| CVE-2026-2673  | HIGH     | openssl-provider-legacy | 3.5.5-1~deb13u2              | grype(HIGH), trivy(LOW)     |
| CVE-2026-27140 | HIGH     | stdlib                  | 1.25.9, 1.26.2               | grype                       |
| CVE-2026-28388 | HIGH     | libssl3t64              | 3.5.5-1~deb13u2              | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-28388 | HIGH     | openssl                 | 3.5.5-1~deb13u2              | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-28388 | HIGH     | openssl-provider-legacy | 3.5.5-1~deb13u2              | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-28389 | HIGH     | libssl3t64              | 3.5.5-1~deb13u2              | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-28389 | HIGH     | openssl                 | 3.5.5-1~deb13u2              | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-28389 | HIGH     | openssl-provider-legacy | 3.5.5-1~deb13u2              | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-28390 | HIGH     | libssl3t64              | 3.5.5-1~deb13u2              | grype, trivy                |
| CVE-2026-28390 | HIGH     | openssl                 | 3.5.5-1~deb13u2              | grype, trivy                |
| CVE-2026-28390 | HIGH     | openssl-provider-legacy | 3.5.5-1~deb13u2              | grype, trivy                |
| CVE-2026-29111 | HIGH     | libsystemd0             | n/a                          | grype(MEDIUM), trivy(HIGH)  |
| CVE-2026-29111 | HIGH     | libudev1                | n/a                          | grype(MEDIUM), trivy(HIGH)  |
| CVE-2026-31790 | HIGH     | libssl3t64              | 3.5.5-1~deb13u2              | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-31790 | HIGH     | openssl                 | 3.5.5-1~deb13u2              | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-31790 | HIGH     | openssl-provider-legacy | 3.5.5-1~deb13u2              | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-32280 | HIGH     | stdlib                  | 1.25.9, 1.26.2               | grype, trivy                |
| CVE-2026-32281 | HIGH     | stdlib                  | 1.25.9, 1.26.2               | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-32282 | HIGH     | stdlib                  | 1.25.9, 1.26.2               | grype(MEDIUM), trivy(HIGH)  |
| CVE-2026-32283 | HIGH     | stdlib                  | 1.25.9, 1.26.2               | grype(HIGH), trivy(UNKNOWN) |
| CVE-2026-4046  | HIGH     | libc-bin                | n/a                          | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-4046  | HIGH     | libc-l10n               | n/a                          | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-4046  | HIGH     | libc6                   | n/a                          | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-4046  | HIGH     | locales                 | n/a                          | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-4437  | HIGH     | libc-bin                | n/a                          | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-4437  | HIGH     | libc-l10n               | n/a                          | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-4437  | HIGH     | libc6                   | n/a                          | grype(HIGH), trivy(MEDIUM)  |
| CVE-2026-4437  | HIGH     | locales                 | n/a                          | grype(HIGH), trivy(MEDIUM)  |
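One way to quantify the surface reduction the two tables above show, as an added example (not kagent code): it parses scanner tables in the same markdown layout, diffs them by (CVE, package), and separates what the bump removed from what remains with no fixed version available. The embedded tables are constructed excerpts of the page's own rows, not the full reports.

```python
import re
from collections import Counter

# Constructed excerpts of the two scanner tables posted in the PR
# description (a few rows each, copied from the page); not full reports.
SCAN_BEFORE = """
| CVE ID         | SEVERITY | PACKAGE    | FIXED IN                     | SCANNERS                   |
|----------------|----------|------------|------------------------------|----------------------------|
| CVE-2025-68121 | CRITICAL | stdlib     | 1.24.13, 1.25.7, 1.26.0-rc.3 | grype, trivy               |
| CVE-2025-13151 | HIGH     | libtasn1-6 | n/a                          | grype(HIGH), trivy(MEDIUM) |
| CVE-2026-2673  | HIGH     | openssl    | 3.5.5-1~deb13u2              | grype(HIGH), trivy(LOW)    |
| CVE-2026-4046  | HIGH     | libc6      | n/a                          | grype(HIGH), trivy(MEDIUM) |
"""
SCAN_AFTER = """
| CVE ID         | SEVERITY | PACKAGE      | FIXED IN                     | SCANNERS     |
|----------------|----------|--------------|------------------------------|--------------|
| CVE-2025-68121 | CRITICAL | stdlib       | 1.24.13, 1.25.7, 1.26.0-rc.3 | grype, trivy |
| CVE-2026-27135 | HIGH     | nghttp2-libs | n/a                          | grype        |
"""

# One data row: | CVE | SEVERITY | PACKAGE | FIXED IN | SCANNERS |
ROW = re.compile(
    r"^\|\s*(CVE-\d{4}-\d+)\s*\|\s*(\w+)\s*\|\s*(\S+)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|$"
)


def parse_scan(text):
    """Map (cve, package) -> (severity, fixed_in). The header and the
    |---| separator never match ROW, so they are skipped automatically."""
    findings = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            cve, severity, package, fixed_in, _scanners = m.groups()
            findings[(cve, package)] = (severity, fixed_in)
    return findings


def compare_scans(before_text, after_text):
    """Classify findings across an image bump.

    removed:   present before, gone after (the surface the bump shed)
    remaining: carried over unchanged
    new:       introduced by the new image
    unfixable: still present with no fixed version (FIXED IN = n/a),
               so a further package upgrade cannot clear them yet
    """
    before, after = parse_scan(before_text), parse_scan(after_text)
    return {
        "removed": sorted(set(before) - set(after)),
        "remaining": sorted(set(before) & set(after)),
        "new": sorted(set(after) - set(before)),
        "unfixable": sorted(k for k, (_, fix) in after.items() if fix.lower() == "n/a"),
        "severity_after": Counter(sev for sev, _ in after.values()),
    }


if __name__ == "__main__":
    report = compare_scans(SCAN_BEFORE, SCAN_AFTER)
    for key in ("removed", "remaining", "new", "unfixable"):
        print(f"{key:>10}: {len(report[key])} -> {report[key]}")
    print("severity after bump:", dict(report["severity_after"]))
```

Run against the full tables, the same script shows which of the remaining Alpine findings are Go stdlib entries with a fixed version listed versus OS packages with none.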

Copilot AI review requested due to automatic review settings April 17, 2026 20:57
Contributor

Copilot AI left a comment


Pull request overview

Updates the bundled PostgreSQL image tag used by the Helm chart, and adjusts repository ignore rules for IDE files.

Changes:

  • Bump bundled PostgreSQL image tag from 18 to 18.3-alpine in the kagent Helm values.
  • Start ignoring JetBrains .idea/ directories at the repo level.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
|------|-------------|
| helm/kagent/values.yaml | Updates the default bundled Postgres image tag to 18.3-alpine. |
| .gitignore | Uncomments .idea/ to ignore JetBrains project metadata. |


Comment thread helm/kagent/values.yaml
name: postgres
# -- Bundled PostgreSQL image tag
tag: "18"
tag: "18.3-alpine"
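Review bot: the new default `tag: "18.3-alpine"` is still a mutable tag, so the CVE set shown in the description can drift as the upstream tag is re-pushed; pinning the bundled image by digest (or documenting how to override the tag with a digest) would keep the scan result reproducible. Separately, moving the default from the Debian-based `18` image to the Alpine variant changes the C library underneath PostgreSQL from glibc to musl, which changes locale collation behaviour; a data directory initialised under the old default with a non-C collation should be reindexed after the switch, and that caveat belongs in the upgrade notes alongside the test and doc updates already requested.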

Copilot AI Apr 17, 2026


Changing the default bundled Postgres tag will break existing Helm unit tests and docs that still assert docker.io/library/postgres:18 as the default image (e.g., helm/kagent/tests/postgresql_test.yaml asserts the default image). Update those references to match the new default tag so CI and documentation remain consistent.

Signed-off-by: Jonathan Jamroga <jjamroga@gmail.com>
@jjamroga jjamroga force-pushed the jjamroga/bump-postgres branch from fb3c5ff to 2f5a611 Compare April 17, 2026 20:59
@jjamroga jjamroga force-pushed the jjamroga/bump-postgres branch from 9a89f3e to ca42b55 Compare April 17, 2026 21:06
@jjamroga jjamroga changed the title Bump postgres to 18.3-alpine Bump postgres to 18.3-alpine to reduce CVE surface area Apr 17, 2026
@EItanya EItanya merged commit 8a45eff into kagent-dev:main Apr 18, 2026
23 checks passed
shmuelarditi pushed a commit to shmuelarditi/kagent that referenced this pull request Apr 19, 2026
Signed-off-by: Jonathan Jamroga <jjamroga@gmail.com>
Co-authored-by: Eitan Yarmush <eitan.yarmush@solo.io>