Commit c6f5792
fix(ci): bump ci-image tooling versions to address vendored CVEs (#929)
Bumps the CI image tool pins to clear High-severity container findings
flagged by nSpect against ghcr.io/nvidia/openshell/ci. These tools
vendor the Go modules reported in the nSpect tracker.
Changes:
- DOCKER_VERSION 29.3.1 -> 29.4.1
- BUILDX_VERSION v0.32.1 -> v0.33.0 (bundles buildkit v0.29.0, supersedes 0.28.1 fix)
- GH_VERSION 2.74.1 -> 2.91.0
- MISE_VERSION v2026.3.13 -> v2026.4.18
Covers (via vendored deps in the above binaries):
- GHSA-p77j-4mvh-x3m3 grpc-go authorization bypass
- GHSA-4c29-8rgm-jvjj BuildKit malicious-frontend file escape
- GHSA-4vrq-3vrq-g6gg BuildKit Git subdir access to restricted files
- GHSA-9h8m-3fm2-qjrq OpenTelemetry Go SDK PATH hijacking
- GHSA-92mm-2pjq-r785 hashicorp/go-getter arbitrary file reads
- GHSA-78h2-9frx-2jm8 go-jose JWE decryption panic
- GHSA-4qg8-fj49-pxjh sigstore timestamp-authority excessive memory
- GHSA-x744-4wpc-v9h2 Moby AuthZ plugin bypass
Signed-off-by: John Myers <9696606+johntmyers@users.noreply.github.com>
1 parent 89dd10b commit c6f5792
1 file changed
Lines changed: 4 additions & 4 deletions
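As an added example (not code from this commit or the openshell project), a POSIX shell check a reviewer could run on the rebuilt tool binaries before accepting a pin bump: it parses `go version -m <binary>` output and confirms that a vendored module is at or above a patched version. The sample output, the module paths and the threshold versions below are constructed placeholders, not the real fix versions for the advisories listed in the commit message.

```shell
#!/bin/sh
# Added example, not part of the commit: verify that a Go binary vendors a
# module at or above a patched version, using `go version -m <binary>`
# output, whose dependency lines look like:  dep <module> <version> <hash>
# Constructed sample of `go version -m` output for a hypothetical binary.
# Module versions here are illustrative placeholders, not the real tools' pins.
SAMPLE_GO_VERSION_M='docker: go1.24.2
	path	github.com/docker/cli/cmd/docker
	mod	github.com/docker/cli	(devel)
	dep	google.golang.org/grpc	v1.72.0	h1:placeholderhash=
	dep	github.com/go-jose/go-jose/v4	v4.0.5	h1:placeholderhash=
	dep	go.opentelemetry.io/otel	v1.35.0	h1:placeholderhash='

# vendored_version <go-version-m-output> <module path>
# Prints the vendored version of the module, or nothing if it is absent.
vendored_version() {
    printf '%s\n' "$1" | awk -v mod="$2" '$1 == "dep" && $2 == mod { print $3 }'
}

# version_ge <vX.Y.Z> <vA.B.C>: succeeds when the first version is >= the second.
version_ge() {
    a=${1#v}; b=${2#v}
    a=${a%%[-+]*}; b=${b%%[-+]*}   # drop pre-release/build suffixes
    awk -v a="$a" -v b="$b" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_module <go-version-m-output> <module> <minimum fixed version>
# Returns 0 if patched, 1 if the vendored version is below the fix,
# 2 if the module is not vendored at all (the finding does not apply).
check_module() {
    v=$(vendored_version "$1" "$2")
    if [ -z "$v" ]; then echo "MISSING    $2"; return 2; fi
    if version_ge "$v" "$3"; then echo "OK         $2 $v >= $3"; return 0; fi
    echo "VULNERABLE $2 $v < $3"; return 1
}

# Audit the sample against placeholder thresholds; returns the number of
# checks that did not come back OK (below threshold or not vendored).
audit_sample() {
    fails=0
    check_module "$SAMPLE_GO_VERSION_M" google.golang.org/grpc        v1.73.0 || fails=$((fails + 1))
    check_module "$SAMPLE_GO_VERSION_M" github.com/go-jose/go-jose/v4 v4.0.5  || fails=$((fails + 1))
    check_module "$SAMPLE_GO_VERSION_M" github.com/hashicorp/go-getter v1.7.8 || fails=$((fails + 1))
    return $fails
}
audit_sample || :
```

On a real image, replace the sample with `go version -m /usr/local/bin/docker` (or buildx, gh, mise) and the thresholds with the fixed versions from each advisory.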
Diff (file contents were not captured in this extraction): three hunks, replacing original lines 11-12, 58 and 68 with new lines 11-12, 58 and 68; 4 additions and 4 deletions in total.