Skip to content

security: fix S360 container image vulnerabilities (2026-07-06)#188

Open
hippogr wants to merge 3 commits into
devfrom
ruigao/security-fix-20260706
Open

security: fix S360 container image vulnerabilities (2026-07-06)#188
hippogr wants to merge 3 commits into
devfrom
ruigao/security-fix-20260706

Conversation

@hippogr

@hippogr hippogr commented Jul 6, 2026

Copy link
Copy Markdown
Contributor
  • Upgrade Go toolchain 1.25.10 -> 1.25.11 (kube-scheduler, openpai-runtime, k8s-nvidia-device-plugin, k8s-rocm-device-plugin)
  • Upgrade kube-scheduler runtime base image to go-runner go1.25.11
  • Upgrade nerdctl 2.3.1 -> 2.3.4 in job-exporter (fixes containerd v2.3.2)
  • Add go.mongodb.org/mongo-driver@v1.17.7 to cilium-agent
  • Update Node.js resolutions: form-data ^4.0.6, morgan >=1.11.0, joi >=17.13.4, js-yaml ^4.2.0, dompurify >=3.4.9, nodemailer ^8.0.9, linkify-it >=5.0.1 (rest-server, webportal, database-controller, alert-handler, job-status-change-notification)
  • Rebuild all images with no-cache to pick up OS package updates (openssl, libcrypto3, libssh2, libsqlite3, tar, libsystemd0, curl, etc.)

- Upgrade Go toolchain 1.25.10 -> 1.25.11 (kube-scheduler, openpai-runtime,
  k8s-nvidia-device-plugin, k8s-rocm-device-plugin)
- Upgrade kube-scheduler runtime base image to go-runner go1.25.11
- Upgrade nerdctl 2.3.1 -> 2.3.4 in job-exporter (fixes containerd v2.3.2)
- Add go.mongodb.org/mongo-driver@v1.17.7 to cilium-agent
- Update Node.js resolutions: form-data ^4.0.6, morgan >=1.11.0,
  joi >=17.13.4, js-yaml ^4.2.0, dompurify >=3.4.9, nodemailer ^8.0.9,
  linkify-it >=5.0.1 (rest-server, webportal, database-controller,
  alert-handler, job-status-change-notification)
- Rebuild all images with no-cache to pick up OS package updates
  (openssl, libcrypto3, libssh2, libsqlite3, tar, libsystemd0, curl, etc.)

Co-Authored-By: Claude <noreply@anthropic.com>
- Update comments in cilium-agent and cilium-operator Dockerfiles
- Fix go mod tidy version in k8s-rocm-device-plugin

Co-Authored-By: Claude <noreply@anthropic.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR focuses on remediating S360 container image vulnerabilities by upgrading several base toolchains (notably Go and nerdctl) and tightening Node.js dependency versions via Yarn resolutions/lockfile updates across multiple services.

Changes:

  • Bump Go patch versions across multiple build Dockerfiles (including kube-scheduler runtime base image) and rebuild images to pick up OS package updates.
  • Update Node.js dependency constraints and lockfiles (morgan, form-data, js-yaml, joi, dompurify, nodemailer, linkify-it) across rest-server, webportal, database-controller, and alert-manager components.
  • Upgrade job-exporter’s embedded nerdctl build to 2.3.4 and adjust build steps accordingly; add mongo-driver version forcing in cilium-agent build.

Reviewed changes

Copilot reviewed 12 out of 16 changed files in this pull request and generated 8 comments.

Show a summary per file
File Description
src/webportal/package.json Updates morgan and raises resolution floors (incl. dompurify/form-data) for webportal dependencies.
src/rest-server/package.json Adds/updates security-focused Yarn resolutions for several dependencies.
src/rest-server/yarn.lock Lockfile refresh reflecting new resolved dependency graph (incl. js-yaml/morgan/joi changes).
src/openpai-runtime/build/openpai-runtime.common.dockerfile Bumps golang builder images to 1.25.11 to pick up security fixes.
src/job-exporter/build/job-exporter.common.dockerfile Upgrades nerdctl build version to 2.3.4 and simplifies module patching steps.
src/hivedscheduler/build/kube-scheduler.k8s.dockerfile Updates kube-scheduler runtime base image tag to go1.25.11.
src/device-plugin/build/k8s-rocm-device-plugin.k8s.dockerfile Updates Go builder image and go.mod toolchain edit to 1.25.11.
src/device-plugin/build/k8s-nvidia-device-plugin.k8s.dockerfile Updates Go builder image to 1.25.11.
src/database-controller/src/package.json Updates Yarn resolutions to force patched dependency versions.
src/database-controller/src/yarn.lock Lockfile refresh reflecting updated security resolutions (incl. js-yaml/joi).
src/cilium/build/cilium-agent.common.dockerfile Adds explicit go.mongodb.org/mongo-driver version forcing during the build.
src/alert-manager/src/job-status-change-notification/package.json Updates Yarn resolutions (form-data, nodemailer, joi floor).
src/alert-manager/src/job-status-change-notification/yarn.lock Lockfile refresh reflecting updated resolution results.
src/alert-manager/src/alert-handler/package.json Updates Yarn resolutions (form-data, nodemailer, js-yaml, joi, linkify-it).
src/alert-manager/src/alert-handler/yarn.lock Lockfile refresh reflecting updated resolution results.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/webportal/package.json
Comment thread src/rest-server/package.json
Comment thread src/rest-server/package.json
Comment thread src/database-controller/src/package.json
Comment thread src/database-controller/src/package.json
Comment thread src/alert-manager/src/alert-handler/package.json
Comment thread src/alert-manager/src/alert-handler/package.json
Comment thread src/alert-manager/src/job-status-change-notification/package.json
Update npm overrides to match yarn resolutions so both package managers
produce consistent results.

Co-Authored-By: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants