Skip to content

security: bump cilium v1.17.16 + xz v0.5.15 + go 1.25.12#291

Open
mayankpande88 wants to merge 1 commit into
mainfrom
security/cilium-xz-go-bump
Open

security: bump cilium v1.17.16 + xz v0.5.15 + go 1.25.12#291
mayankpande88 wants to merge 1 commit into
mainfrom
security/cilium-xz-go-bump

Conversation

@mayankpande88

Copy link
Copy Markdown
Contributor

Summary

Clears the remaining fixable CVEs in the node-agent binary after v0.1.1 (which took it 94 → 9):

  • github.com/cilium/cilium v1.17.15 → v1.17.16 (patch)
  • github.com/ulikunitz/xz v0.5.14 → v0.5.15 (patch)
  • GO_VERSION 1.25.11 → 1.25.12 (clears the residual Go stdlib CVE)

All patch-level; go mod tidy kept the graph clean (only cilium/xz moved in go.mod). CI (go vet / go test / go build) validates the CGO/eBPF build on a Linux runner.

Deferred (separate, higher-risk PR)

docker v28→v29 and prometheus v0.51→v0.311 are major bumps in the coroot fork that can affect container/metric collection — those need dedicated testing, not a patch PR.

Part of the nudgebee image-hardening effort (nudgebee/nudgebee#578).

Clears the remaining fixable CVEs in the node-agent binary after v0.1.1:
- github.com/cilium/cilium v1.17.15 -> v1.17.16 (patch)
- github.com/ulikunitz/xz v0.5.14 -> v0.5.15 (patch)
- GO_VERSION 1.25.11 -> 1.25.12 (clears the residual stdlib CVE)

Leaves docker v28->v29 and prometheus v0.51->v0.311 (major bumps) for a
separately-tested PR. CI validates the CGO/eBPF build.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the Go version in the Dockerfile and bumps the versions of github.com/cilium/cilium and github.com/ulikunitz/xz in go.mod. However, the specified Go version 1.25.12 does not exist, which will cause the Docker build to fail. Please update it to a valid version such as 1.22.12.

Comment thread Dockerfile
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant