
Fix critical vulnerabilities in Node.js and Caddy base images#21326

Merged
geropl merged 2 commits into main from gero/clc-2225-main-build-reports-critical-vulnerabilities
Mar 4, 2026

Conversation

@geropl
Member

@geropl geropl commented Mar 4, 2026

Fixes the critical vulnerabilities reported by the main build.

Changes

Node.js 22.15.1 → 22.22.0 (server, gitpod-db, ws-manager-bridge, gitpod-web-extension)

Caddy v2.11.0-beta.2 → v2.11.1 stable (proxy, ide-proxy, all proxy plugins)

Buildkit v0.20.1-gitpod.4 → v0.20.1-gitpod.5 (image-builder-bob)

Resolves: CLC-2225

- Update Node.js from 22.15.1 to 22.22.0 in server, gitpod-db,
  ws-manager-bridge, and gitpod-web-extension Dockerfiles.
  Fixes CVE-2025-15467 (OpenSSL) and CVE-2025-55130 (Node.js).

- Update Caddy from v2.11.0-beta.2 to v2.11.1 (stable) in proxy
  and ide-proxy Dockerfiles and all proxy plugin Go modules.
  Includes 6 security patches (CVE-2026-27585 through CVE-2026-27590).

The image-builder-bob buildkit base image (ghcr.io/gitpod-io/buildkit:v0.20.1-gitpod.4)
also has critical vulns (CVE-2025-15467, CVE-2025-22871, CVE-2025-68121) but requires
a separate rebuild of that external image.

Co-authored-by: Ona <no-reply@ona.com>
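A check a reviewer can run over the touched Dockerfiles to confirm every FROM line is at or above the fixed Node.js and Caddy versions named above; this is an added example, not code from this PR or the Gitpod repository. The minimum versions are the PR's own numbers; the sample Dockerfile lines are constructed, and pre-release tags such as -beta.2 are treated as older than the stable release they precede.

```python
import re
from typing import NamedTuple
# Minimum fixed versions taken from the PR description above.
MIN_FIXED = {"node": (22, 22, 0), "caddy": (2, 11, 1)}
# "x.y.z" plus an optional semver pre-release such as "-beta.2"; other
# suffixes ("-alpine", "-builder") are image variants, not pre-releases.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-((?:alpha|beta|rc)[\w.]*))?")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)
class Finding(NamedTuple):
    line_no: int
    image: str
    reason: str

def parse_image_ref(ref: str):
    """Split 'registry/path/name:tag[@digest]' into (short name, tag or None)."""
    ref = ref.split("@", 1)[0]            # strip a digest, if any
    path, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:             # untagged, or ':' was a registry port
        path, tag = ref, None
    return path.rsplit("/", 1)[-1], tag

def check_dockerfile(text: str) -> list:
    """Flag FROM lines whose Node.js or Caddy tag is below the fixed version."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        name, tag = parse_image_ref(m.group(1))
        if name not in MIN_FIXED:
            continue
        v = VERSION_RE.match(tag or "")
        if not v:
            findings.append(Finding(n, m.group(1), "tag not pinned to x.y.z"))
            continue
        core = tuple(int(x) for x in v.group(1, 2, 3))
        # A pre-release of the fixed version (e.g. 2.11.1-rc.1) still sorts below it.
        if core < MIN_FIXED[name] or (core == MIN_FIXED[name] and v.group(4)):
            wanted = ".".join(map(str, MIN_FIXED[name]))
            findings.append(Finding(n, m.group(1), f"below {wanted}"))
    return findings

# Constructed sample Dockerfile, not taken from the repository.
SAMPLE = """\
FROM node:22.15.1-alpine AS builder
FROM docker.io/library/node:22.22.0
FROM caddy:2.11.0-beta.2-builder AS caddy-build
FROM node:22
"""
```

Running check_dockerfile(SAMPLE) reports lines 1, 3 and 4; line 2 is already at the fixed version.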
@socket-security

socket-security bot commented Mar 4, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | golang/github.com/caddyserver/caddy/v2 @ v2.11.0-beta.2 ⏵ v2.11.1 | 74 (+1) | 100 (+40) | 100 | 100 | 100


Fixes CVE-2025-15467 (OpenSSL), CVE-2025-22871 and CVE-2025-68121 (Go stdlib)
in the image-builder-bob Docker image.

Co-authored-by: Ona <no-reply@ona.com>
@geropl geropl enabled auto-merge (squash) March 4, 2026 09:56
@geropl geropl merged commit 2afdacf into main Mar 4, 2026
24 of 25 checks passed
@geropl geropl deleted the gero/clc-2225-main-build-reports-critical-vulnerabilities branch March 4, 2026 09:57
