chore(deps): bump deps and base image for CVE fixes

Closes #705

CVE fixes from 2026-04-20 audit

  • bump docker/cli to v29.4.0 (CVE-2025-15558)
  • bump otel/sdk, otel API, otlptrace, otlptracehttp to v1.43.0 (CVE-2026-24051, CVE-2026-39883)
  • bump grpc to v1.80.0 (picked up transitively by go mod tidy; v1.79.3 is the advertised CVE-2026-33186 fix, v1.80.0 is a superset)
  • bump base image to docker:29.4.0 and pin by digest @sha256:a6dd5322747a95cd8e3207bd8d415a8fd20ec34e9c00f06dc019cbd912013489, for newer stdlib and internals plus reproducible supply chain
  • run apk upgrade for musl, openssl, zlib patches (CVE-2026-28390, CVE-2026-40200, CVE-2026-22184)
  • bump Dockerfile.ci-checker from docker:27.5.1 to docker:29.4.0 so the CI checker image receives the same CVE sweep

Transitive bumps pulled by go mod tidy

When aligning the OTEL family (otlptrace/otlptracehttp v1.42.0/v1.41.0 → v1.43.0), go mod tidy also bumped:

  • google.golang.org/grpc v1.79.3 → v1.80.0 (v1.79.3 already contains CVE-2026-33186; v1.80.0 is a routine minor bump)
  • golang.org/x/crypto v0.48.0 → v0.49.0
  • golang.org/x/net v0.50.0 → v0.52.0
  • golang.org/x/text v0.34.0 → v0.35.0
  • golang.org/x/mod v0.32.0 → v0.33.0
  • golang.org/x/sync v0.19.0 → v0.20.0
  • golang.org/x/sys v0.41.0 → v0.42.0
  • golang.org/x/term v0.40.0 → v0.41.0
  • google.golang.org/genproto/googleapis/{api,rpc} → 2026-04-01 snapshot

Files intentionally not bumped

  • Dockerfile.dblab-server-zfs08 — remains on docker:27.5.1 because its pinned zfs=0.8.4-r0 is only available on Alpine v3.12. Bumping the base image would break the ZFS 0.8 compatibility guarantee for users on legacy pools. The CVEs this variant carries are now tracked in SECURITY.md under "Known unfixed vulnerabilities".

Not fixed (tracked in SECURITY.md)

  • github.com/docker/docker v28.5.2+incompatible — CVE-2026-34040. This module has no v29 tag; upstream moved to github.com/moby/moby/v2, still in beta.
  • CVEs in embedded binaries of the base image (containerd, ctr, dockerd, compose, buildx) — depends on Docker Inc rebuilding docker:29.x with updated internals.
  • Dockerfile.dblab-server-zfs08 variant — see above.

Edited by Denis Morozov
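Added example, not part of the MR or the project: a small Go check that a CI job could run after `go mod tidy` to fail the build if go.mod ever slips back below the version floors this sweep established. It generalises the bullet lists above into a reusable floor table and a go.mod parser. The module paths for docker/cli, the OTLP exporters, grpc and x/net are my assumed mapping of the names used in the description, and the go.mod text is constructed from the pre-bump versions the MR names, not the project's real file.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Version floors from the 2026-04-20 sweep described above. The module paths
// are an assumed mapping of the names used in the MR (example code, not the
// project's own). gRPC's floor is v1.79.3, the advertised CVE-2026-33186 fix,
// so the v1.80.0 that go mod tidy pulled in passes as a superset.
var minFixed = map[string]string{
	"github.com/docker/cli":                                           "v29.4.0",
	"go.opentelemetry.io/otel/exporters/otlp/otlptrace":               "v1.43.0",
	"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp": "v1.43.0",
	"google.golang.org/grpc":                                          "v1.79.3",
	"golang.org/x/net":                                                "v0.52.0",
}

// versionParts splits "v1.79.3", "v28.5.2+incompatible" or a pseudo-version
// such as "v0.0.0-20260401000000-abcdef123456" into major.minor.patch plus a
// flag for a "-" suffix. Malformed parts read as 0, so garbage fails closed.
func versionParts(v string) (n [3]int, pre bool) {
	s := strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i] // build metadata such as +incompatible never affects ordering
	}
	if i := strings.IndexByte(s, '-'); i >= 0 {
		pre, s = true, s[:i]
	}
	for i, p := range strings.SplitN(s, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n, pre
}

// versionLess reports a < b; a pre-release sorts below the bare release.
func versionLess(a, b string) bool {
	an, apre := versionParts(a)
	bn, bpre := versionParts(b)
	for i := range an {
		if an[i] != bn[i] {
			return an[i] < bn[i]
		}
	}
	return apre && !bpre
}

// parseRequires returns path -> version for every required module, from both
// the one-line and the block form of require; replace/exclude blocks are skipped.
func parseRequires(gomod string) map[string]string {
	out, block := map[string]string{}, ""
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(raw)
		switch {
		case len(f) == 0:
		case f[len(f)-1] == "(":
			block = f[0]
		case f[0] == ")":
			block = ""
		case block == "require" && len(f) >= 2:
			out[f[0]] = f[1]
		case block == "" && f[0] == "require" && len(f) >= 3:
			out[f[1]] = f[2]
		}
	}
	return out
}

// checkMinimums lists every required module that sits below its floor.
func checkMinimums(requires map[string]string) (findings []string) {
	for path, floor := range minFixed {
		if have, ok := requires[path]; ok && versionLess(have, floor) {
			findings = append(findings, path+" "+have+" < "+floor)
		}
	}
	sort.Strings(findings) // map iteration order is random; keep output stable
	return findings
}

// Constructed pre-bump go.mod using the old versions the MR names above; it is
// not the project's real file.
const beforeGoMod = `require (
	github.com/docker/cli v29.4.0
	github.com/docker/docker v28.5.2+incompatible
	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.42.0
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0
	google.golang.org/grpc v1.79.3
	golang.org/x/net v0.50.0 // indirect
)
`

func main() {
	for _, f := range checkMinimums(parseRequires(beforeGoMod)) {
		fmt.Println("below floor:", f)
	}
}
```

Against the constructed pre-bump file this reports the two OTLP exporters and x/net as below their floors and accepts grpc v1.79.3; after the bump in this MR the same check is silent. The comparison deliberately treats a version it cannot parse as 0.0.0 so that an unexpected string is flagged rather than waved through.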
