tetrate-ci opened a new pull request, #236: URL: https://github.com/apache/skywalking-satellite/pull/236
> **This is a TEST PR. DO NOT REVIEW or MERGE.**
> This PR demonstrates the CVE remediation workflow for the satellite component as used in the Tetrate monorepo `release-1.13.x` branch.

## CVEs Fixed

| CVE | Severity | Affected Component | Fix |
|-----|----------|--------------------|-----|
| CVE-2026-33186 | CRITICAL | google.golang.org/grpc v1.77.0 | Bumped to v1.79.3 |
| CVE-2026-25679 | HIGH | stdlib v1.25.7 (golang:1.25) | Pinned golang builder to 1.25.8 |
| CVE-2026-27142 | MEDIUM | stdlib v1.25.7 (golang:1.25) | Pinned golang builder to 1.25.8 |
| CVE-2026-27171 | MEDIUM | zlib 1.3.1-r0 (alpine:3) | Pinned alpine:3.21, apk upgrade |
| CVE-2025-60876 | MEDIUM | busybox 1.36.1-r21 (alpine:3) | Pinned alpine:3.21, apk upgrade |

## Changes

- `go.mod`: Bump `google.golang.org/grpc` v1.77.0 → v1.79.3, add `toolchain go1.25.8`, bump related x/ deps
- `docker/Dockerfile`: Pin builder to `golang:1.25.8`, runtime to `alpine:3.21`, add explicit `ca-certificates`

## Context

The Tetrate monorepo `release-1.13.x` branch uses satellite at commit `937851e9` which contains vulnerable versions. This PR applies the equivalent fixes already present in the `main` branch commit `b2ceca4a` (merged via #233).

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
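Added example, not part of the PR or the project's code: a CI-style gate that checks a `go.mod` against the two Go-side minimums listed in the table above (`google.golang.org/grpc` v1.79.3 and `toolchain go1.25.8`), so a branch that regresses below them fails the build. The helper names (`CheckGoMod`, `atLeast`, `parse`) and the sample `go.mod` are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimum fixed versions, copied from the PR's "CVEs Fixed" table.
var required = [][2]string{{"google.golang.org/grpc", "v1.79.3"}, {"toolchain", "go1.25.8"}}

// parse reads "v1.79.3" or "go1.25.8"; any suffix (pre-release, pseudo-version) gives n == 4 and is rejected.
func parse(v string) (p [3]int, ok bool) {
	var rest string
	n, _ := fmt.Sscanf(strings.TrimLeft(v, "gov"), "%d.%d.%d%s", &p[0], &p[1], &p[2], &rest)
	return p, n == 3
}

// atLeast compares numerically and fails closed when got does not parse.
func atLeast(got, want string) bool {
	g, ok := parse(got)
	m, _ := parse(want)
	for i := 0; ok && i < 3; i++ {
		if g[i] != m[i] {
			return g[i] > m[i]
		}
	}
	return ok
}

// CheckGoMod (hypothetical helper) returns one finding per required entry that is absent or too old.
func CheckGoMod(gomod string) (findings []string) {
	seen := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 {
			seen[f[0]] = f[1] // directive or module path -> version
		}
	}
	for _, r := range required {
		if !atLeast(seen[r[0]], r[1]) {
			findings = append(findings, fmt.Sprintf("%s: have %q, need >= %s", r[0], seen[r[0]], r[1]))
		}
	}
	return findings
}

func main() {
	sample := "module example.test/m\n\ngo 1.25\n\nrequire google.golang.org/grpc v1.77.0\n" // constructed, not the project's file
	fmt.Println(strings.Join(CheckGoMod(sample), "\n"))
}
```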
