fix(security): patch CRITICAL/HIGH CVEs in golang-adk-full and app images#2133
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates build and Python dependency constraints/lockfiles to remediate CRITICAL/HIGH CVEs found by Trivy in the image scanning workflow, targeting both the golang-adk-full image (Node dependency) and the Python “app” image (PyJWT/pyarrow).
Changes:
- Update
go/Dockerfile.fullto install patched Node packages in the pinnedsandbox-runtimebuild (addsshell-quote@1.8.4alongside existinglodash-espinning). - Bump Python workspace/package constraints for
PyJWTto>=2.13.0and add a workspace constraint forpyarrow>=23.0.1. - Regenerate
python/uv.lockto resolvepyjwtto2.13.0andpyarrowto24.0.0(with incidental dependency resolution updates likestarlette).
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| go/Dockerfile.full | Installs patched npm package versions during sandbox-runtime build to address the reported Node CVE. |
| python/packages/agentsts-core/pyproject.toml | Raises PyJWT minimum version to pick up the security fix. |
| python/packages/agentsts-adk/pyproject.toml | Raises PyJWT minimum version to pick up the security fix. |
| python/pyproject.toml | Adds workspace constraints for pyjwt and pyarrow to force patched versions in the environment. |
| python/uv.lock | Updates resolved versions (notably pyjwt and pyarrow) consistent with the new constraints. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
01cce93 to
2f28943
Compare
- shell-quote (CVE-2026-9277, CRITICAL): use npm overrides in golang-adk-full Dockerfile to guarantee the patched 1.8.4 is used throughout the resolved tree, including transitive copies - PyJWT (CVE-2026-48526, HIGH): bump constraint from >=2.12.0 to >=2.13.0 in agentsts-core, agentsts-adk, and the workspace constraint-dependencies - pyarrow (CVE-2026-25087, HIGH): add workspace constraint >=23.0.1; lock resolves to 24.0.0 - starlette (CVE-2026-48818, CVE-2026-54283, HIGH): fix requires starlette 1.x which is blocked by google-adk<2 requiring starlette<1.0.0; a separate PR to upgrade google-adk to v2 is needed to fully resolve these Signed-off-by: Jaison Paul <paul.jaison@gmail.com>
2f28943 to
0a83765
Compare
|
Thanks for the detailed review — both points are valid. Opened #2138 as the follow-up:
|
Summary
Fixes CRITICAL and HIGH severity vulnerabilities detected by Trivy in the
Scan imagesCI workflow.golang-adk-full image:
shell-quoteCVE-2026-9277 (CRITICAL) — Arbitrary code execution; pin to1.8.4alongside the existinglodash-esoverride ingo/Dockerfile.fullapp image:
PyJWTCVE-2026-48526 (HIGH) — Authentication bypass via forged tokens; bump constraint from>=2.12.0→>=2.13.0inagentsts-core,agentsts-adk, and workspaceconstraint-dependencies; lock resolves to2.13.0pyarrowCVE-2026-25087 (HIGH) — Denial of Service via Use-After-Free; add workspace constraint>=23.0.1; lock resolves to24.0.0Remaining / blocked:
starletteCVE-2026-48818 + CVE-2026-54283 (HIGH) — Fix requires starlette>=1.3.1(1.x), butgoogle-adk>=1.28.1,<2pinsstarlette<1.0.0. A follow-up PR upgradingagentsts-adktogoogle-adk>=2is needed to fully close these.Changes
go/Dockerfile.fullshell-quote@1.8.4to sandbox-runtime npm overridespython/packages/agentsts-core/pyproject.tomlPyJWT>=2.12.0→>=2.13.0python/packages/agentsts-adk/pyproject.tomlPyJWT>=2.12.0→>=2.13.0python/pyproject.tomlpyjwt>=2.13.0andpyarrow>=23.0.1toconstraint-dependenciespython/uv.lock2.12.1→2.13.0, pyarrow21.0.0→24.0.0, starlette0.50.0→0.52.1Test plan
Scan imagesCI passes forgolang-adk-full(shell-quote CVE cleared)Scan imagesCI passes forapp(PyJWT + pyarrow CVEs cleared)