chore(deps): bump pgx, pin Go 1.26.2, base image to docker:29.4.1 (#706)

Summary

Follow-up to #705 (closed). Fresh trivy + govulncheck pass on master flagged additional CVEs that this batch resolves.

Fixed

  • pgx/v5 v5.9.1 -> v5.9.2 - CVE-2026-33816 (memory-safety in pgproto3.Backend.Receive)
  • pin CI to golang:1.26.2(-alpine) - clears 5 stdlib CVEs in our binary (CVE-2026-32280/32281/32282/32283/33810). The golang:1.26 tag now points to 1.26.2 but pull_policy: if-not-present was reusing the cached 1.26.1 image on runners.
  • docker:29.4.0 -> 29.4.1 (sha256 c77e5d79) in dblab-server, dblab-cli, ci-checker, dblab-server-debug
  • bump Dockerfile.dblab-server-debug builder golang:1.26 -> 1.26.2

Dockerfile.dblab-server-zfs08 left alone (legacy zfs0.8 variant pinned to Alpine v3.12 repo, same as previous CVE batch).

Out of scope - require upstream action

  • CVE-2026-34040 + CVE-2026-33997 (github.com/docker/docker): the v1 module is no longer maintained. Fix is in github.com/moby/moby/v2 >= 2.0.0-beta.8. Migration touches ~9 import paths and the API surface changed. v2 is still beta. Reachable through init() in our code but the actual exploit conditions (Docker AuthZ plugins, plugin install with crafted privileges) don't apply to DLE.
  • Base-image binaries (containerd, buildkit, docker-buildx, docker-compose: grpc v1.78.0, otel/sdk v1.38.0, go-jose v4.1.3, moby/buildkit v0.27.1, moby/spdystream v0.5.0): shipped by Docker Inc. inside docker:29.4.x. Verified by scanning docker:29.4.1 directly - same CVEs. Resolves when Docker Inc. ships a rebuilt image.
Edited by Artyom Kartasov
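The cached-tag problem described above (a floating `golang:1.26` tag combined with `pull_policy: if-not-present`, so runners kept using the stale 1.26.1 image) is easy to reintroduce in a later edit. The following is an added example, not code from this MR or from the Database Lab repository: a small POSIX shell check that flags `FROM` and `image:` references lacking either a digest or a full MAJOR.MINOR.PATCH tag, run here over a constructed sample file. The helper names (`is_pinned_ref`, `list_unpinned_refs`) and the tag regex are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the MR): flag Docker image references that use a
# floating tag such as golang:1.26, which a runner with pull_policy:
# if-not-present will happily satisfy from a stale cached image.
# A reference counts as pinned when it carries a digest (@sha256:...) or a
# full MAJOR.MINOR.PATCH tag, optionally suffixed (e.g. 1.26.2-alpine).

# Return 0 if the single image reference in $1 is pinned, 1 otherwise.
is_pinned_ref() {
    case "$1" in
        *@sha256:*) return 0 ;;   # digest-pinned: strongest form
        scratch)    return 0 ;;   # no image is pulled at all
    esac
    tag=${1##*:}
    # No ':' in the reference means no tag at all (implicit :latest).
    [ "$tag" = "$1" ] && return 1
    # Assumed tag pattern: v?MAJOR.MINOR.PATCH with an optional -suffix/.suffix.
    printf '%s\n' "$tag" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+([-.][A-Za-z0-9.]+)?$'
}

# Print every unpinned reference found in the Dockerfile or CI YAML file $1.
# Returns 0 when everything is pinned, 1 when at least one floating ref exists.
list_unpinned_refs() {
    found=0
    # Extract the reference after "FROM" or "image:", skipping --platform style
    # flags and any quotes around YAML values.
    for ref in $(sed -nE 's/^[[:space:]]*(FROM|-?[[:space:]]*image:)[[:space:]]+//p' "$1" \
                 | tr -d "'\"" \
                 | awk '{for (i = 1; i <= NF; i++) if ($i !~ /^--/) { print $i; break }}'); do
        is_pinned_ref "$ref" || { printf '%s\n' "$ref"; found=1; }
    done
    return $found
}

# Constructed sample mixing the pinned and floating forms discussed in the MR.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
FROM golang:1.26 AS builder
FROM docker:29.4.1
FROM --platform=linux/amd64 golang:1.26.2-alpine
  image: golang:1.26.2-alpine
  image: "docker:29.4"
EOF

if list_unpinned_refs "$SAMPLE"; then
    echo "all image references pinned"
else
    echo "floating tags found (listed above); pin to MAJOR.MINOR.PATCH or a digest" >&2
fi
rm -f "$SAMPLE"
```

Run it as a CI lint step over the Dockerfiles and `.gitlab-ci.yml`. It complements rather than replaces `pull_policy: always`: a patch-level tag can still be retagged upstream, so a digest (as used for the `docker:29.4.1` base image above) remains the only reference that cannot silently change.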
