chore: upgrade libxml2 to 2.13.9-r1 to address CVE-2026-6732

brendan-kellam · claude · brendan-kellam · commit bab5208e583f · 2026-06-04T17:54:30.000-07:00
Ensures the final runtime image ships a patched libxml2 (&gt;= 2.13.9-r1)
to address a HIGH-severity DoS via crafted XSD-validated documents.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 - Upgraded `protobufjs` to `^7.6.2`. [#1281](https://github.com/sourcebot-dev/sourcebot/pull/1281)
+- Upgraded `libxml2` to `2.13.9-r1` in the container image. [#1284](https://github.com/sourcebot-dev/sourcebot/pull/1284)
 
 ## [5.0.1] - 2026-06-04
 
diff --git a/Dockerfile b/Dockerfile
@@ -179,6 +179,7 @@ ENV SOURCEBOT_LOG_LEVEL=info
 
 # Configure dependencies
 RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq openssl util-linux unzip && \
+    apk add --no-cache --upgrade "libxml2>=2.13.9-r1" && \
     apk upgrade --no-cache
 
 # Remove npm (unused — we use Yarn). The Node.js base image bundles npm
