security: go 1.25.11 + microdnf update UBI9 base (94 -> 8 CVEs, 0 CRITICAL)#289
Merged
Merged
Conversation
Takes the node-agent image from 94 fixable CVEs to 8 (CRITICAL 0): - GO_VERSION 1.25.0 -> 1.25.11 clears the Go stdlib CRITICAL (CVE-2025-68121) and all stdlib HIGH/MEDIUM in the nudgebee-node-agent binary. - `microdnf update` patches the pinned ubi9/ubi-minimal base (gnutls, openssl-libs, glibc, krb5-libs, ...) which shipped stale. - The rebuild also picks up main's already-bumped modules (x/net v0.55.0, containerd v1.7.33, mongo-driver v1.17.9, otel v1.44.0, cilium v1.17.15). Verified: rebuilt image scans 8 fixable / 0 CRITICAL (was 94); the agent binary runs (`nudgebee-node-agent --help`). The remaining 8 are risky/large go-module bumps (docker v28->v29 major, prometheus v0.51->v0.311, cilium 1.17.16, xz 0.5.15) that need coroot-fork alignment + integration testing — deferred to a separate dependency PR.
There was a problem hiding this comment.
Code Review
This pull request updates the Go version to 1.25.11 in the builder stage and adds a package update and cleanup step to the runtime stage in the Dockerfile. The reviewer suggested optimizing the image size by disabling weak dependencies during package installation.
RamanKharchee
approved these changes
Jul 9, 2026
blue4209211
approved these changes
Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Takes the
node-agentimage from 94 fixable CVEs to 8, and CRITICAL to 0, with a Dockerfile-only change (nogo.modsurgery):GO_VERSION1.25.0 → 1.25.11 — clears the Go stdlib CRITICAL (CVE-2025-68121) and all stdlib HIGH/MEDIUM in thenudgebee-node-agentbinary.microdnf updateon the runtime stage — patches the pinnedubi9/ubi-minimalbase (gnutls, openssl-libs, glibc, krb5-libs, …) which ships stale.main's already-bumped modules (x/net v0.55.0, containerd v1.7.33, mongo-driver v1.17.9, otel v1.44.0, cilium v1.17.15) that the stale:0.1.0image predated.Verification
Rebuilt the image locally: 8 fixable / 0 CRITICAL (was 94), and the agent binary runs (
nudgebee-node-agent --help).Remaining 8 (deferred)
All in the agent binary, all risky/large go-module bumps that need coroot-fork alignment + integration testing:
github.com/docker/dockerv28 → v29 (major)github.com/prometheus/prometheusv0.51 → v0.311 (large)github.com/cilium/ciliumv1.17.15 → 1.17.16 (patch),github.com/ulikunitz/xz0.5.14 → 0.5.15 (patch)These belong in a separate, tested dependency PR — a major docker/prometheus bump in an eBPF agent shouldn't ride along with an OS/toolchain hardening change.
Part of the nudgebee image-hardening effort (nudgebee/nudgebee#578).