
fix: upgrade Alpine packages to resolve CVEs#1114

Merged
brendan-kellam merged 1 commit into main from fix/apk-upgrade-cves
Apr 14, 2026

Conversation

@brendan-kellam

@brendan-kellam brendan-kellam commented Apr 14, 2026

Summary

  • Adds apk upgrade --no-cache to the runner stage in the Dockerfile to pull in patched Alpine packages
  • Fixes 4 CVEs flagged by Trivy (2 HIGH, 2 MEDIUM) in musl-utils and zlib:
    • CVE-2026-40200 (HIGH) — musl: arbitrary code execution via stack-based overflow
    • CVE-2026-6042 (MEDIUM) — musl: denial of service via inefficient GB18030 decoding
    • CVE-2026-22184 (HIGH) — zlib: arbitrary code execution via buffer overflow in untgz
    • CVE-2026-27171 (MEDIUM) — zlib: denial of service via infinite loop in CRC32 combine

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated Docker build process to include Alpine package index upgrade during dependency installation, ensuring fresher and more patched versions of packages in the containerized environment.

Adds `apk upgrade --no-cache` to the runner stage to pull in patched
versions of musl-utils (>=1.2.5-r23) and zlib (>=1.3.2-r0), fixing:
- CVE-2026-40200 (HIGH) - musl arbitrary code execution
- CVE-2026-6042 (MEDIUM) - musl denial of service
- CVE-2026-22184 (HIGH) - zlib buffer overflow
- CVE-2026-27171 (MEDIUM) - zlib denial of service

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
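A check that a rebuilt image really contains the minimum package versions named above, as an added example that is not part of this PR or the project's code: it reads lines in the `name-version` form printed by `apk info -v` (the sample lines here are constructed, not captured from the project's image) and compares them using a simplified Alpine version ordering written in POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not the project's own code): verify that an image meets the
# minimum patched versions from the PR description. Input: `apk info -v` lines.

# Compare two Alpine versions of the form X.Y.Z-rN; returns 0 if $1 >= $2.
# Simplification: numeric components only (apk's full ordering also handles
# suffixes such as _alpha/_p, which none of the versions here use).
apk_ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        ra = 0; if (match(a, /-r[0-9]+$/)) { ra = substr(a, RSTART + 2) + 0; a = substr(a, 1, RSTART - 1) }
        rb = 0; if (match(b, /-r[0-9]+$/)) { rb = substr(b, RSTART + 2) + 0; b = substr(b, 1, RSTART - 1) }
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in pa) ? pa[i] + 0 : 0          # missing component counts as 0
            y = (i in pb) ? pb[i] + 0 : 0
            if (x != y) { code = (x > y) ? 0 : 1; exit code }   # first difference decides
        }
        code = (ra >= rb) ? 0 : 1; exit code       # same upstream version: compare -rN
    }'
}

# Minimum patched versions stated in the PR: "package version" per line.
MIN_VERSIONS="musl-utils 1.2.5-r23
zlib 1.3.2-r0"

# Read `apk info -v` lines on stdin; print each listed package still below its
# minimum and return 1 if any was found, 0 otherwise.
check_apk_versions() {
    rc=0
    while read -r line; do
        name=$(printf '%s' "$line" | sed 's/-[0-9].*$//')   # name ends before "-<digit>"
        ver=${line#"$name"-}
        min=$(printf '%s\n' "$MIN_VERSIONS" | awk -v n="$name" '$1 == n { print $2 }')
        [ -z "$min" ] && continue                 # not a package this check covers
        if ! apk_ver_ge "$ver" "$min"; then
            echo "VULNERABLE: $name $ver < $min"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples: an image built before the fix, and one built after it.
SAMPLE_BEFORE="musl-utils-1.2.5-r22
zlib-1.3.2-r0
busybox-1.37.0-r18"
SAMPLE_AFTER="musl-utils-1.2.5-r23
zlib-1.3.2-r0"

# Stand-alone demo: the pre-fix sample reports musl-utils as still vulnerable.
if printf '%s\n' "$SAMPLE_BEFORE" | check_apk_versions; then echo "all minimum versions met"; fi
```

Against a real image, pipe `docker run --rm <image> apk info -v` into `check_apk_versions` and fail the build on a non-zero return.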
@github-actions

@brendan-kellam your pull request is missing a changelog!

@coderabbitai

coderabbitai bot commented Apr 14, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a3a89a04-0410-4595-a2d4-4ebc94fd7585

📥 Commits

Reviewing files that changed from the base of the PR and between a91e421 and 005f3d7.

📒 Files selected for processing (1)
  • Dockerfile

Walkthrough

The Dockerfile was modified to add an Alpine package index upgrade step (apk upgrade --no-cache) immediately after the existing dependency installation command, while preserving the existing package set and installation flags.

Changes

Cohort / File(s): Docker Build Configuration (Dockerfile)
Summary: Added apk upgrade --no-cache command following the package installation step to refresh the Alpine package index.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.

@brendan-kellam brendan-kellam merged commit ca8a0d3 into main Apr 14, 2026
7 of 8 checks passed
@brendan-kellam brendan-kellam deleted the fix/apk-upgrade-cves branch April 14, 2026 23:41