chore: upgrade libxml2 to 2.13.9-r1 to address CVE-2026-6732

[brendan-kellam]

Fixes SOU-1259

Upgrades libxml2 to 2.13.9-r1 in the final runtime (runner) stage of the Docker image, addressing CVE-2026-6732 (HIGH-severity DoS via crafted XSD-validated documents). Trivy flagged the installed libxml2 2.13.9-r0 on ghcr.io/sourcebot-dev/sourcebot:main (Alpine), fixed in 2.13.9-r1.

The fix adds an explicit apk add --no-cache --upgrade "libxml2>=2.13.9-r1" alongside the existing apk commands in the runner stage.

⚠️ Not verifiable in CI without building the image — please rebuild the container and re-run Trivy to confirm libxml2 >= 2.13.9-r1.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation

  • Updated changelog with dependency upgrade information.

• Chores

  • Upgraded libxml2 to a newer version in the container image.

[coderabbitai]

Walkthrough

The PR upgrades the container image to include libxml2 version 2.13.9-r1 in the Dockerfile runner stage and documents this dependency upgrade in the unreleased changelog section.

Changes

Dependency Upgrade

Layer / File(s)	Summary
libxml2 upgrade in runner stage Dockerfile, CHANGELOG.md	Runner-stage apk add command upgraded to explicitly require libxml2 >=2.13.9-r1, with a corresponding changelog entry documenting the fix.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• sourcebot-dev/sourcebot#1114: Both PRs modify the Dockerfile runner-stage apk install/upgrade steps to pull patched Alpine package versions.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: upgrading libxml2 to a specific version to address a CVE, which directly aligns with the changeset modifications to both CHANGELOG.md and Dockerfile.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cursor/cve/libxml2

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Line 12: The CHANGELOG entry for the CVE needs to follow the repository's CVE
template: replace the current line "- Upgraded `libxml2` to `2.13.9-r1`.
[`#1284`](...)" with the exact template format "Upgraded `libxml2` to
`^2.13.9-r1`. [`#1284`]" (use the caret before the version and plain PR reference
in square brackets, no URL) and move this formatted line into the [Unreleased]
section; update the entry text that references libxml2 and PR `#1284` (the unique
symbols to locate are `libxml2`, the version `2.13.9-r1`, and PR `#1284`).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8f5187c8-cfa7-4ef9-ba8e-da60e2cf0978

📥 Commits

Reviewing files that changed from the base of the PR and between 4c9dfe0 and bab5208.

📒 Files selected for processing (2)

• CHANGELOG.md
• Dockerfile

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align the CVE changelog line to the required template.

Please format this entry exactly as the CVE convention so release notes stay consistent with repository rules.

Proposed change

-- Upgraded `libxml2` to `2.13.9-r1` in the container image. [`#1284`](https://github.com/sourcebot-dev/sourcebot/pull/1284)
+- Upgraded `libxml2` to `^2.13.9-r1`. [`#1284`](https://github.com/sourcebot-dev/sourcebot/pull/1284)

As per coding guidelines: CHANGELOG entry for CVE fixes should be formatted as Upgraded \` to `^x.y.z`. [#]and placed under[Unreleased]`.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- Upgraded `libxml2` to `2.13.9-r1` in the container image. [#1284](https://github.com/sourcebot-dev/sourcebot/pull/1284)
	- Upgraded `libxml2` to `^2.13.9-r1`. [`#1284`](https://github.com/sourcebot-dev/sourcebot/pull/1284)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CHANGELOG.md` at line 12, The CHANGELOG entry for the CVE needs to follow the
repository's CVE template: replace the current line "- Upgraded `libxml2` to
`2.13.9-r1`. [`#1284`](...)" with the exact template format "Upgraded `libxml2` to
`^2.13.9-r1`. [`#1284`]" (use the caret before the version and plain PR reference
in square brackets, no URL) and move this formatted line into the [Unreleased]
section; update the entry text that references libxml2 and PR `#1284` (the unique
symbols to locate are `libxml2`, the version `2.13.9-r1`, and PR `#1284`).