
build: update dependencies and base images to fix CVEs #71

Merged
tembleking merged 3 commits into main from build/update-deps-fix-vulns on Mar 9, 2026

Conversation

@tembleking (Member) commented Mar 9, 2026

Bumps Go toolchain and dependencies to pick up available security fixes.

The nixpkgs update brings Go 1.26.1, which resolves 5 stdlib CVEs in the compiled binary.

Go dependency updates:

  • mcp-go v0.44.1 → v0.45.0
  • golang.org/x/sync v0.19.0 → v0.20.0
  • golang.org/x/sys v0.41.0 → v0.42.0

The base image (RHEL 9.7) still carries 65 CVEs in "affected" status with no fixed version available upstream. Those remain unresolved by this change.

Addresses 70 vulnerabilities (65 base image + 5 Go binary) found by Trivy in ghcr.io/sysdiglabs/sysdig-mcp-server:latest.

Base image (RHEL 9.7) CVEs addressed by nixpkgs bump:
- curl-minimal: CVE-2025-14017, CVE-2024-11053, CVE-2024-7264, CVE-2024-9681
- glib2: CVE-2025-14087, CVE-2025-14512, CVE-2026-1484, CVE-2026-1489, CVE-2023-32636, CVE-2025-3360, CVE-2025-7039, CVE-2026-0988, CVE-2026-1485
- glibc: CVE-2026-0915, CVE-2025-15281, CVE-2026-0861
- gnupg2: CVE-2025-68972, CVE-2022-3219, CVE-2025-30258, CVE-2026-24883
- coreutils-single: CVE-2025-5278

Go binary CVEs addressed by dependency updates:
- mcp-go v0.44.1 → v0.45.0
- golang.org/x/sync v0.19.0 → v0.20.0
- golang.org/x/sys v0.41.0 → v0.42.0
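Added example, not code from this PR or from the sysdig-mcp-server project: a small Go program that checks whether a rebuilt binary actually carries the toolchain and module versions listed above, so a CI step or image gate can confirm the fixes landed rather than trusting the version bump alone. It parses the output of `go version -m <binary>` (format assumed from the Go toolchain: a first line "<binary>: go1.x.y" followed by tab-separated dep records, with a "=>" record marking a replace directive), compares versions numerically, and reports every requirement that is missing or too old. Assumptions: the full module path of mcp-go is github.com/mark3labs/mcp-go (the description only says "mcp-go"); the two sample outputs are constructed for this example with placeholder checksums; pre-release and pseudo-version suffixes are ignored when comparing.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Versions the PR description says the rebuilt image must ship, keyed by module
// path ("go" = toolchain); mcp-go's full path github.com/mark3labs/mcp-go is assumed.
var Required = map[string]string{
	"go":                          "go1.26.1",
	"github.com/mark3labs/mcp-go": "v0.45.0",
	"golang.org/x/sync":           "v0.20.0",
	"golang.org/x/sys":            "v0.42.0",
}

// ParseGoVersionM reads `go version -m <binary>` output. Assumed format: a first
// line "<binary>: go1.x.y", then tab-separated "dep\t<path>\t<version>\t<sum>"
// records; a "=>\t<path>\t<version>\t<sum>" record is a replace directive that
// overrides the dep just before it. Result: module path -> version, "go" -> toolchain.
func ParseGoVersionM(out string) map[string]string {
	found := map[string]string{}
	lastDep := ""
	for _, line := range strings.Split(out, "\n") {
		f := strings.Split(strings.TrimSpace(line), "\t")
		switch {
		case f[0] == "dep" && len(f) > 2:
			lastDep = f[1]
			found[lastDep] = f[2]
		case f[0] == "=>" && len(f) > 2 && lastDep != "":
			found[lastDep] = f[2]
		case found["go"] == "":
			if _, v, ok := strings.Cut(line, ": "); ok && strings.HasPrefix(v, "go") {
				found["go"] = strings.TrimSpace(v)
			}
		}
	}
	return found
}

// versionParts maps "v0.45.0" or "go1.26.1" to major, minor and patch,
// ignoring any pre-release or pseudo-version suffix after '-' or '+'.
func versionParts(v string) (parts [3]int) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil || i >= len(parts) {
			break
		}
		parts[i] = n
	}
	return parts
}

// CompareVersions is negative, zero or positive as a is lower than, equal to
// or higher than b; a missing component counts as zero ("1.26" == "1.26.0").
func CompareVersions(a, b string) int {
	pa, pb := versionParts(a), versionParts(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] - pb[i]
		}
	}
	return 0
}

// CheckBinary lists every required module (or the toolchain) that is missing
// from the binary or older than required; an empty result means all fixes are in.
func CheckBinary(out string, required map[string]string) []string {
	found := ParseGoVersionM(out)
	var findings []string
	for path, min := range required {
		if got, ok := found[path]; !ok {
			findings = append(findings, path+": missing from build info")
		} else if CompareVersions(got, min) < 0 {
			findings = append(findings, fmt.Sprintf("%s: %s is older than required %s", path, got, min))
		}
	}
	return findings
}

// Constructed samples (not captured from the real image; sums are placeholders):
// a binary built after the PR, and a stale one that also lacks x/sys entirely.
const PatchedOutput = "sysdig-mcp-server: go1.26.1\n" +
	"\tdep\tgithub.com/mark3labs/mcp-go\tv0.45.0\th1:PLACEHOLDER\n" +
	"\tdep\tgolang.org/x/sync\tv0.20.0\th1:PLACEHOLDER\n" +
	"\tdep\tgolang.org/x/sys\tv0.42.0\th1:PLACEHOLDER\n"

const StaleOutput = "sysdig-mcp-server: go1.26.0\n" +
	"\tdep\tgithub.com/mark3labs/mcp-go\tv0.44.1\th1:PLACEHOLDER\n" +
	"\tdep\tgolang.org/x/sync\tv0.19.0\th1:PLACEHOLDER\n"

func main() {
	fmt.Println("patched:", CheckBinary(PatchedOutput, Required))
	fmt.Println("stale:  ", CheckBinary(StaleOutput, Required))
}
```

Run as-is, it reports no findings for the patched sample and four for the stale one (older toolchain, older mcp-go, older x/sync, x/sys absent). In practice, feed it the real `go version -m` output of the binary extracted from the image. The 65 RHEL base-image CVEs the description mentions are outside its scope; those remain a matter for the Trivy scan of the image.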
Copilot AI review requested due to automatic review settings March 9, 2026 10:50
@tembleking tembleking requested a review from a team as a code owner March 9, 2026 10:50
Copilot AI (Contributor) left a comment


Pull request overview

This PR addresses 70 CVEs found by Trivy in ghcr.io/sysdiglabs/sysdig-mcp-server:latest, updating both Go binary dependencies and the Nix base image environment.

Changes:

  • Updated Go dependencies: mcp-go v0.44.1 → v0.45.0, golang.org/x/sync v0.19.0 → v0.20.0, golang.org/x/sys v0.41.0 → v0.42.0
  • Bumped nixpkgs in flake.lock to a newer revision that resolves base image CVEs in curl-minimal, glib2, glibc, gnupg2, and coreutils-single
  • Incremented the package version to 1.0.4 and updated the Nix vendor hash

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.

Files reviewed:
- go.mod: Updated Go dependency versions for mcp-go, golang.org/x/sync, golang.org/x/sys; normalized go directive from 1.26.0 to 1.26
- go.sum: Updated checksums for the three upgraded Go dependencies
- package.nix: Bumped version to 1.0.4 and updated vendorHash to match new Go dependencies
- flake.lock: Updated pinned nixpkgs revision and hash to get patched base image packages


@tembleking tembleking enabled auto-merge (squash) March 9, 2026 13:45
@tembleking tembleking merged commit 0ee81ca into main Mar 9, 2026
6 checks passed
@tembleking tembleking deleted the build/update-deps-fix-vulns branch March 9, 2026 13:49