Skip to content

Commit ebd06e1

Browse files
fix: pin expat to >=2.8.1-r0 to address CVE-2026-45186
Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
1 parent 7c127b9 commit ebd06e1

1 file changed

Lines changed: 3 additions & 1 deletion

File tree

Dockerfile

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -178,7 +178,9 @@ ENV SOURCEBOT_LOG_LEVEL=info
178178
# ENV SOURCEBOT_TELEMETRY_DISABLED=1
179179

180180
# Configure dependencies
181-
RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq openssl util-linux unzip && \
181+
# Note: expat is pinned to >=2.8.1-r0 to address CVE-2026-45186 (libexpat
182+
# denial of service via crafted XML input).
183+
RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq openssl util-linux unzip "expat>=2.8.1-r0" && \
182184
apk upgrade --no-cache
183185

184186
# Remove npm (unused — we use Yarn). The Node.js base image bundles npm

0 commit comments

Comments
 (0)