feat: update compose-bin and debian

[alinashklyar]

---

Bump Docker Compose from v5.1.4 to v5.2.0

What changed in this release

The headline change is a new reconciliation algorithm ([#13830](docker#13830)) — the logic that compares observed container state against the desired state has been rewritten. The release notes include an explicit warning from the maintainers:

"If you experience any issues with a Compose workload that was previously working, please open an issue."

Other notable changes:

• Skip validation when extracting config variables ([#13831](Skip validation when extracting config variables docker/compose#13831)) — changes how config variables are parsed; could affect non-standard variable usage.
• Fix: env_file required: false now honoured for missing files ([#13848](fix(publish): honor env_file required: false for missing files docker/compose#13848))
• Fix: TTY auto-detection now probes stderr instead of stdout ([#13837](fix(progress): probe stderr (not stdout) for TTY auto-detection docker/compose#13837))
• Dep bumps: Go 1.26.4, buildkit v0.31.0, containerd v2.2.5, compose-go v2.12.1

Risk assessment

The reconciliation change is the main concern. This service runs with COMPOSE_COMPATIBILITY=true, which adds an extra layer of unpredictability — the new algorithm hasn't been widely tested against v1 compatibility mode workloads.

Everything else in the release (provider plugin rawsetenv, compose watch depends_on fix, publish fixes) doesn't apply to how this image is used.

Security Report — codefresh/compose

Note

Compared security scans:

Current image:
quay.io/codefresh/dev/compose:cr-40558-security@sha256:655ec785f3692b28e2c93580ff3abcc59053bdef3ebc0eb605b3d083c5d09fc1

Baseline:
quay.io/codefresh/compose:main@sha256:0a22f22964de1dbaddba8ce928c952d3312d8a1b85fedb49f9ef5f2fbd3130cf

Fixed CVEs: 13

🟣 Critical: 1

• CVE-2026-39834 in golang.org/x/crypto/ssh@v0.48.0 at /usr/local/bin/docker-compose

🔴 High: 5

• CVE-2026-46597 in golang.org/x/crypto/ssh@v0.48.0 at /usr/local/bin/docker-compose
• CVE-2026-53492 in github.com/containerd/containerd/v2@v2.2.3 at /usr/local/bin/docker-compose
• CVE-2026-53489 in github.com/containerd/containerd/v2@v2.2.3 at /usr/local/bin/docker-compose
• CVE-2026-53488 in github.com/containerd/containerd/v2@v2.2.3 at /usr/local/bin/docker-compose
• CVE-2026-46680 in github.com/containerd/containerd/v2@v2.2.3 at /usr/local/bin/docker-compose

🟠 Medium: 5

• CVE-2026-39882 in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v1.42.0 at /usr/local/bin/docker-compose
• CVE-2026-39882 in go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v1.42.0 at /usr/local/bin/docker-compose
• GO-2026-5547 in github.com/in-toto/in-toto-golang@v0.10.0 at /usr/local/bin/docker-compose
• CVE-2026-50195 in github.com/containerd/containerd/v2@v2.2.3 at /usr/local/bin/docker-compose
• CVE-2026-47262 in github.com/containerd/containerd/v2@v2.2.3 at /usr/local/bin/docker-compose

⚫ Unassigned: 2

• CVE-2026-27145 in crypto/x509@1.26.3 at /usr/local/bin/docker-compose
• CVE-2026-42507 in net/textproto@1.26.3 at /usr/local/bin/docker-compose

Fixed issues: 5

• Fixes CFS-13351
• Fixes CFS-13337
• Fixes CFS-13325
• Fixes CFS-13308
• Fixes CFS-13307