# Track CVE fixes from 2026-04-20 audit
Tracking issue for CVE fixes landed via !1138.

## Related MR

- Merge request: https://gitlab.com/postgres-ai/database-lab/-/merge_requests/1138

## Scope

CVE sweep from the 2026-04-20 audit:

- docker/cli → v29.4.0 (CVE-2025-15558)
- otel/sdk, otel API, otlptrace, otlptracehttp → v1.43.0 (CVE-2026-24051, CVE-2026-39883)
- grpc → v1.80.0 (supersedes CVE-2026-33186 fix in v1.79.3)
- Base image bumped to `docker:29.4.0` pinned by digest `@sha256:a6dd5322747a95cd8e3207bd8d415a8fd20ec34e9c00f06dc019cbd912013489`
- `apk upgrade` for musl, openssl, zlib (CVE-2026-28390, CVE-2026-40200, CVE-2026-22184)
- `Dockerfile.ci-checker` aligned to `docker:29.4.0`

## Known unfixed (tracked in SECURITY.md)

- `github.com/docker/docker v28.5.2+incompatible` — CVE-2026-34040 (no v29 tag; upstream moved to `github.com/moby/moby/v2`, still in beta)
- CVEs in embedded base-image binaries (containerd, ctr, dockerd, compose, buildx) — pending Docker Inc rebuild of `docker:29.x`
- `Dockerfile.dblab-server-zfs08` stays on `docker:27.5.1` for ZFS 0.8 compatibility on Alpine v3.12
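A regression check for the bumps listed above, added here as an example and not part of the MR or the project's code: it parses a `go.mod` and a Dockerfile and reports modules below the minimum versions from this sweep and `FROM` images not pinned by digest. The full Go module paths for the otel/grpc/docker-cli packages are assumed from upstream naming; the `go.mod` and Dockerfile contents are constructed samples.

```python
import re

# Minimum versions from the 2026-04-20 sweep; module paths are assumed upstream paths.
REQUIRED = {
    "github.com/docker/cli": "v29.4.0",
    "google.golang.org/grpc": "v1.80.0",
    "go.opentelemetry.io/otel": "v1.43.0",
    "go.opentelemetry.io/otel/sdk": "v1.43.0",
    "go.opentelemetry.io/otel/exporters/otlp/otlptrace": "v1.43.0",
    "go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp": "v1.43.0",
}

REQUIRE_LINE = re.compile(r"^(?:require\s+)?(\S+)\s+(v\d+\.\d+\.\d+\S*)$")
FROM_LINE = re.compile(r"^FROM\s+(\S+?)(?:\s+AS\s+\S+)?\s*$", re.IGNORECASE)

def parse_version(v):
    # "v28.5.2+incompatible" -> (28, 5, 2); pre-release/build suffixes are dropped.
    core = v.lstrip("v").split("+")[0].split("-")[0]
    return tuple(int(p) for p in core.split("."))

def parse_go_mod(text):
    # Collect module -> version from single-line and block-style require entries.
    mods = {}
    for raw in text.splitlines():
        m = REQUIRE_LINE.match(raw.split("//")[0].strip())
        if m:
            mods[m.group(1)] = m.group(2)
    return mods

def outdated_modules(go_mod_text, required=REQUIRED):
    # Returns {module: found_version_or_None} for every required module below minimum.
    mods = parse_go_mod(go_mod_text)
    return {path: mods.get(path) for path, minimum in required.items()
            if mods.get(path) is None or parse_version(mods[path]) < parse_version(minimum)}

def unpinned_base_images(dockerfile_text):
    # Any FROM image without "@sha256:" can silently change under the same tag.
    return [m.group(1) for line in dockerfile_text.splitlines()
            if (m := FROM_LINE.match(line.strip())) and "@sha256:" not in m.group(1)]

# Constructed sample inputs (not the project's real files).
SAMPLE_GO_MOD = """module example.com/constructed
go 1.25
require (
\tgithub.com/docker/cli v29.4.0+incompatible
\tgithub.com/docker/docker v28.5.2+incompatible
\tgo.opentelemetry.io/otel v1.43.0
\tgo.opentelemetry.io/otel/sdk v1.43.0
\tgo.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0
\tgo.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0 // indirect
\tgoogle.golang.org/grpc v1.79.3
)
"""
SAMPLE_DOCKERFILE = """FROM golang:1.25 AS builder
FROM docker:29.4.0@sha256:a6dd5322747a95cd8e3207bd8d415a8fd20ec34e9c00f06dc019cbd912013489
"""
```

Running `outdated_modules(SAMPLE_GO_MOD)` flags otlptracehttp (v1.42.0) and grpc (v1.79.3); `unpinned_base_images(SAMPLE_DOCKERFILE)` flags `golang:1.25`.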