build: update base images and go modules to fix vulns #85
Merged
Pull request overview
This PR updates base container images, Nix flake inputs, and Go module dependencies to address vulnerability findings, and bumps the package version to 1.0.9. Alongside the dependency bumps, a large number of tool registration and test files have been reformatted (likely via gofmt/formatter changes) to break mcp.NewTool(...), mcp.WithString(...), mcp.WithNumber(...), Entry(...), and DescribeTable(...) arguments onto their own lines. There are no functional code changes.
Changes:
- Bump base UBI9 image digests (amd64/aarch64) and nixpkgs flake input to pick up vuln fixes.
- Upgrade Go dependencies: mcp-go 0.49.0→0.54.0, ginkgo 2.28.2→2.29.0, gomega 1.39.1→1.41.0, and various indirect deps; bump version to 1.0.9 with refreshed vendorHash.
- Reformat tool/test files (no behavioral changes) to multi-line argument style.
Reviewed changes
Copilot reviewed 41 out of 43 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| docker-base-amd64.nix, docker-base-aarch64.nix | Update UBI9 base image digest and hash. |
| flake.lock | Bump nixpkgs revision. |
| package.nix | Bump pname version to 1.0.9 and update vendorHash. |
| go.mod, go.sum | Upgrade mcp-go, ginkgo, gomega, and indirect deps; add jsonschema/v6, dlclark/regexp2. |
| internal/infra/mcp/tools/tool_*.go | Reformat mcp.NewTool / WithString / WithNumber arg lists onto new lines (no logic change). |
| internal/infra/mcp/tools/tool_*_test.go | Reformat DescribeTable / Entry arg lists onto new lines (no logic change). |
davidag approved these changes on May 18, 2026
Resolved in the Go binary (stdlib)
- LookupCNAME with cgo DNS, long CNAME
- transport
- ParseAddress/ParseAddressList
- ReverseProxy forwards query params not visible upstream
- html/template <script> tag
- Dial/LookupPort panic on NUL byte (Windows)
- consumePhrase during parsing

Resolved in the base image (UBI9 mini)
- libcap TOCTOU in cap_set_file()
- glib2 buffer underflow in GVariant parser
- glib2 integer overflow in GIO attribute escaping
- systemd-libs RCE/DoS via spurious IPC