fix(security): bump container dependencies to remediate 10 CVEs (#736)

johntmyers · web-flow · commit dd8dd8a60cce · 2026-04-02T09:50:36.000-07:00
- k3s v1.35.2-k3s1 -> v1.35.3-k3s1 (containerd v2.2.2, runc v1.4.1, Go 1.25.7) - Docker CLI 29.3.0 -> 29.3.1 (Go 1.25.8, containerd v2.2.2) - syft 1.42.2 -> 1.42.3 (bumps buger/jsonparser) - Explicit gpgv and python3 upgrades in all container images Addresses: GHSA-p77j-4mvh-x3m3 (Critical), GHSA-pwhc-rpq9-4c8w, GHSA-p436-gjf2-799p, GHSA-9h8m-3fm2-qjrq, GHSA-6v2p-p543-phr9, GHSA-6g7g-w4f8-9c9x, GHSA-4qg8-fj49-pxjh, CVE-2026-4519, CVE-2025-68973, CVE-2024-36623 Closes #735
diff --git a/deploy/docker/Dockerfile.ci b/deploy/docker/Dockerfile.ci
@@ -8,7 +8,7 @@
 
 FROM nvcr.io/nvidia/base/ubuntu:noble-20251013
 
-ARG DOCKER_VERSION=29.3.0
+ARG DOCKER_VERSION=29.3.1
 ARG BUILDX_VERSION=v0.32.1
 ARG TARGETARCH
 
@@ -34,6 +34,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     xz-utils \
     jq \
     rsync \
+    && apt-get install -y --only-upgrade gpgv python3 \
     && rm -rf /var/lib/apt/lists/*
 
 # Install Docker CLI and buildx plugin used by CI jobs
diff --git a/deploy/docker/Dockerfile.images b/deploy/docker/Dockerfile.images
@@ -15,8 +15,8 @@
 # Pin by tag AND manifest-list digest to prevent silent upstream republishes
 # from breaking the build. Update both when bumping k3s versions.
 # To refresh: docker buildx imagetools inspect rancher/k3s:<tag> | head -3
-ARG K3S_VERSION=v1.35.2-k3s1
-ARG K3S_DIGEST=sha256:c3184157c3048112bab0c3e17405991da486cb3413511eba23f7650efd70776b
+ARG K3S_VERSION=v1.35.3-k3s1
+ARG K3S_DIGEST=sha256:4607083d3cac07e1ccde7317297271d13ed5f60f35a78f33fcef84858a9f1d69
 ARG K9S_VERSION=v0.50.18
 ARG HELM_VERSION=v3.17.3
 ARG NVIDIA_CONTAINER_TOOLKIT_VERSION=1.18.2-1
@@ -165,7 +165,9 @@ COPY --from=supervisor-builder /build/out/openshell-sandbox /openshell-sandbox
 FROM nvcr.io/nvidia/base/ubuntu:noble-20251013 AS gateway
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    ca-certificates && rm -rf /var/lib/apt/lists/*
+    ca-certificates && \
+    apt-get install -y --only-upgrade gpgv && \
+    rm -rf /var/lib/apt/lists/*
 
 RUN useradd --create-home --user-group openshell
 
@@ -230,6 +232,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     iptables \
     mount \
     dnsutils \
+    && apt-get install -y --only-upgrade gpgv \
     && rm -rf /var/lib/apt/lists/*
 
 COPY --from=k3s /bin/ /bin/
diff --git a/mise.toml b/mise.toml
@@ -20,7 +20,7 @@ uv = "0.10.2"
 protoc = "29.6"
 helm = "4.1.1"
 "ubi:mozilla/sccache" = { version = "0.14.0", matching = "sccache-v" }
-"ubi:anchore/syft" = { version = "1.42.2", matching = "syft_" }
+"ubi:anchore/syft" = { version = "1.42.3", matching = "syft_" }
 "ubi:EmbarkStudios/cargo-about" = "0.8.4"
 
 [env]
