Set newer version of alpine and upgrade base packages in dockerfile to fix critical CVE #882
| RUN --mount=type=cache,target=/etc/apk/cache \ | ||
| apk add git gcompat | ||
| apk update && \ | ||
| apk upgrade --no-cache && \ |
The new base image is still vulnerable, so the update and upgrade ensure the vulnerable packages get updated. Feel free to remove it after the base image gets updated to a version that is no longer vulnerable.
Ok, can you add a to-do comment saying as much? Thanks.
On Sat, 7 Feb 2026, 09:36 Ilansos wrote:
In Dockerfile (#882):
>
# Build cache optimization: use cache mounts
# https://docs.docker.com/build/cache/optimize/#use-cache-mounts Mounting
# /etc/apk/cache with type=cache lets the image build system handle apk's cache
# for us, without leaving any cache files in the image itself.
RUN --mount=type=cache,target=/etc/apk/cache \
- apk add git gcompat
+ apk update && \
+ apk upgrade --no-cache && \
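Review bot: `--no-cache` on the new `apk upgrade` line works against the `--mount=type=cache,target=/etc/apk/cache` mount that the comment above this RUN describes. `--no-cache` tells apk not to use its local cache directory, so the index that the preceding `apk update` just refreshed into the cache mount is bypassed and fetched again for this command. Either drop `--no-cache` here so `apk update && apk upgrade` share the cache mount, or keep `--no-cache` and drop the `apk update` step, which is only needed when the cached index is the source. Since the upgrade is a stopgap until the base image ships the fixed packages (as discussed in this thread), a `# TODO:` line above the RUN saying when it can be removed belongs in this hunk rather than only in the conversation.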
The new base image is still vulnerable, so the update and upgrade ensure the
vulnerable packages get updated. Feel free to remove it after the base image
gets updated to a version that is no longer vulnerable.
Sure, I just added it in a new commit.

@Ilansos Thank you, merged.
🤖 I have created a release *beep* *boop*

---

## [0.5.8](v0.5.7...v0.5.8) (2026-02-09)

### Features

* **ui:** revamp menu layout ([#884](#884)) ([0510bce](0510bce))

### Bug Fixes

* **charts/otfd:** Adjust indentation for volume mounts in deployment.yaml ([#881](#881)) ([67341d3](67341d3))
* **dockerfile:** bump alpine version and upgrade base packages to fix critical CVE ([#882](#882)) ([3e730d7](3e730d7))
* sync layout templ code ([3cf0505](3cf0505))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Summary:
Update the Alpine base image and ensure base packages are upgraded during the Docker build to pull in upstream security fixes. This reduces the CVE surface area for all multi-stage targets (otfd, otf-agent, otf-job), since they all inherit from the shared base stage.

Security impact:
These changes resolve the following vulnerabilities detected in the image:
* CVE-2026-24515 (Critical) – libexpat updated 2.7.3-r0 → 2.7.4-r0
* CVE-2026-25210 (Medium) – libexpat updated 2.7.3-r0 → 2.7.4-r0
* CVE-2025-68121 – stdlib updated v1.25.6 → 1.25.7 (also fixed in 1.24.13 / 1.26.0-rc.3)

Testing:
* Built locally and deployed in Kubernetes with no detected issues.
* Verified updated packages are present in the resulting image (scanner output shows the CVEs above are no longer reported).
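The verification step in the Testing section above (confirming that the rebuilt image actually carries the fixed package versions, not just that the scanner went quiet) can be scripted so it runs on every build. The POSIX shell script below is an added example, not code from this PR or the otf project: it takes `apk list --installed` output, compares apk version strings of the numeric X.Y.Z-rN shape, and fails if any package named in the security-impact list is missing or below its fixed version. The `SAMPLE_APK_LIST` listing is constructed here; only the libexpat line mirrors a version named in the PR, the gcompat and git versions are made up.

```shell
#!/bin/sh
# Added example (not from the PR or the otf project): verify that a rebuilt
# image carries the fixed package versions listed in the PR, from the output
# of `apk list --installed` (run inside the image, e.g. via `docker run`).
# SAMPLE_APK_LIST is a constructed listing; only the libexpat line mirrors the
# version named in the PR, the gcompat and git versions are made up.

SAMPLE_APK_LIST='libexpat-2.7.4-r0 x86_64 {expat} (MIT) [installed]
gcompat-1.1.0-r4 x86_64 {gcompat} (UNLICENSE) [installed]
git-2.47.2-r0 x86_64 {git} (GPL-2.0-or-later) [installed]'

# version_ge A B: succeed when apk version A is at or above B.
# Handles the numeric X.Y.Z-rN shape used by the packages in this PR; apk's
# other suffixes (_pN, _alphaN, ...) are not modelled here.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    gsub(/-r/, ".", a); gsub(/-r/, ".", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# installed_version LISTING NAME: print the installed version of NAME, or
# nothing when the package is absent. The name is anchored exactly, so
# "libexpat" does not match "libexpat-dev".
installed_version() {
  printf '%s\n' "$1" | sed -n "s/^$2-\([0-9][^ ]*\) .*/\1/p" | head -n 1
}

# check_min_versions LISTING name=minver...: print one line per package and
# return 1 if any package is missing or older than its minimum version.
check_min_versions() {
  listing=$1; shift
  rc=0
  for req in "$@"; do
    name=${req%%=*}
    want=${req#*=}
    have=$(installed_version "$listing" "$name")
    if [ -z "$have" ]; then
      echo "MISSING  $name (expected >= $want)"; rc=1
    elif version_ge "$have" "$want"; then
      echo "OK       $name $have >= $want"
    else
      echo "OUTDATED $name $have < $want"; rc=1
    fi
  done
  return $rc
}

# Stand-alone run against the constructed listing. In CI, replace
# SAMPLE_APK_LIST with the real output of:
#   docker run --rm <image> apk list --installed
check_min_versions "$SAMPLE_APK_LIST" libexpat=2.7.4-r0
```

The script only covers apk packages, which is what `apk update && apk upgrade` in this PR changes; the stdlib entry in the security-impact list (a Go toolchain version, going by the numbers) is baked into the compiled binaries rather than installed by apk, so it needs a separate check.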