From 34175c8ce9475e67e0df5f6c19858741c875e706 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 12:33:12 +0000 Subject: [PATCH 1/9] chore: bump Node base images to 24.15.0 LTS for openssl April 2026 CVE fixes Co-Authored-By: David Konigsberg --- docker/seed/Dockerfile.ts | 2 +- generators/openapi/Dockerfile | 2 +- generators/python-v2/pydantic-model/Dockerfile | 2 +- generators/rust/sdk/Dockerfile | 2 +- .../unreleased/bump-node-base-image-openssl-cves.yml | 7 +++++++ generators/swift/sdk/Dockerfile | 2 +- .../unreleased/bump-node-base-image-openssl-cves.yml | 7 +++++++ .../unreleased/bump-node-base-image-openssl-cves.yml | 7 +++++++ generators/typescript/sdk/cli/Dockerfile | 2 +- 9 files changed, 27 insertions(+), 6 deletions(-) create mode 100644 generators/rust/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml create mode 100644 generators/swift/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml create mode 100644 generators/typescript/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml diff --git a/docker/seed/Dockerfile.ts b/docker/seed/Dockerfile.ts index 3bb6b224980d..550f69d05aaf 100644 --- a/docker/seed/Dockerfile.ts +++ b/docker/seed/Dockerfile.ts @@ -10,7 +10,7 @@ ENV PATH=$PNPM_HOME:$PATH # libsystemd0, libudev1, libcap2, libtasn1-6, login/passwd, etc.) are # resolved on top of the base image. RUN apt-get update \ - && apt-get -y upgrade \ + && apt-get -y --no-install-recommends dist-upgrade \ && apt-get -y autoremove \ && rm -rf /var/lib/apt/lists/* diff --git a/generators/openapi/Dockerfile b/generators/openapi/Dockerfile index 5760dfa9f160..6980b85cdfd4 100644 --- a/generators/openapi/Dockerfile +++ b/generators/openapi/Dockerfile @@ -1,4 +1,4 @@ -FROM node:22.22-alpine3.23 +FROM node:24.15.0-alpine3.23 RUN apk update && apk upgrade --no-cache \ && rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx COPY dist /dist diff --git a/generators/python-v2/pydantic-model/Dockerfile b/generators/python-v2/pydantic-model/Dockerfile index 92b32aacd93a..7fca4a87919e 100644 --- a/generators/python-v2/pydantic-model/Dockerfile +++ b/generators/python-v2/pydantic-model/Dockerfile @@ -7,7 +7,7 @@ # Bundled npm globals are removed below so the npm-bundled JS dependencies (cross-spawn, glob, # minimatch, tar, brace-expansion, ip-address, diff) cannot be flagged or invoked at runtime — this # image only runs the bundled CLI directly via node. -FROM node:22.22-bookworm-slim +FROM node:24.15.0-bookworm-slim RUN apt-get update \ && apt-get -y --no-install-recommends dist-upgrade \ && apt-get install -y --no-install-recommends ca-certificates curl \ diff --git a/generators/rust/sdk/Dockerfile b/generators/rust/sdk/Dockerfile index 560f7ef8bd03..294f82893e2f 100644 --- a/generators/rust/sdk/Dockerfile +++ b/generators/rust/sdk/Dockerfile @@ -5,7 +5,7 @@ FROM rust:1.82-alpine3.20 AS rust RUN rustup component add rustfmt -FROM node:22.22-alpine3.23 +FROM node:24.15.0-alpine3.23 RUN apk update && apk upgrade --no-cache diff --git a/generators/rust/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml b/generators/rust/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml new file mode 100644 index 000000000000..b9686db66597 --- /dev/null +++ b/generators/rust/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml @@ -0,0 +1,7 @@ +- summary: | + Bump Node base image from `node:22.22-alpine3.23` to + `node:24.15.0-alpine3.23` so the rebuilt image picks up the Alpine 3.23.4 + openssl 3.5.6-r0 patch, addressing the OpenSSL April 2026 advisory CVEs + (CVE-2026-31789, CVE-2026-31790, CVE-2026-28387, CVE-2026-28388, + CVE-2026-28389, CVE-2026-28390, CVE-2026-2673). + type: chore diff --git a/generators/swift/sdk/Dockerfile b/generators/swift/sdk/Dockerfile index d1273d5be619..df89379ce151 100644 --- a/generators/swift/sdk/Dockerfile +++ b/generators/swift/sdk/Dockerfile @@ -1,4 +1,4 @@ -FROM node:22.22-alpine3.23 +FROM node:24.15.0-alpine3.23 RUN apk update && apk upgrade --no-cache RUN apk --no-cache add bash curl git zip diff --git a/generators/swift/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml b/generators/swift/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml new file mode 100644 index 000000000000..b9686db66597 --- /dev/null +++ b/generators/swift/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml @@ -0,0 +1,7 @@ +- summary: | + Bump Node base image from `node:22.22-alpine3.23` to + `node:24.15.0-alpine3.23` so the rebuilt image picks up the Alpine 3.23.4 + openssl 3.5.6-r0 patch, addressing the OpenSSL April 2026 advisory CVEs + (CVE-2026-31789, CVE-2026-31790, CVE-2026-28387, CVE-2026-28388, + CVE-2026-28389, CVE-2026-28390, CVE-2026-2673). + type: chore diff --git a/generators/typescript/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml b/generators/typescript/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml new file mode 100644 index 000000000000..2b3d5a83b873 --- /dev/null +++ b/generators/typescript/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml @@ -0,0 +1,7 @@ +- summary: | + Bump Node base image from `node:24.14-slim` to `node:24.15.0-slim` so the + rebuilt image picks up the Debian trixie security update for openssl + (3.5.5-1~deb13u2), addressing the OpenSSL April 2026 advisory CVEs + (CVE-2026-31789, CVE-2026-31790, CVE-2026-28387, CVE-2026-28388, + CVE-2026-28389, CVE-2026-28390, CVE-2026-2673). + type: chore diff --git a/generators/typescript/sdk/cli/Dockerfile b/generators/typescript/sdk/cli/Dockerfile index 909d2787a6de..6d94aa88d930 100644 --- a/generators/typescript/sdk/cli/Dockerfile +++ b/generators/typescript/sdk/cli/Dockerfile @@ -1,4 +1,4 @@ -FROM node:24.14-slim +FROM node:24.15.0-slim RUN apt-get update \ && apt-get -y --no-install-recommends dist-upgrade \ From 3fe0ef5dfefbb4753dddee189431de1407252122 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 12:43:01 +0000 Subject: [PATCH 2/9] chore: revert Node major bumps; keep cache-busting tweak only Co-Authored-By: David Konigsberg --- generators/openapi/Dockerfile | 4 ++-- generators/python-v2/pydantic-model/Dockerfile | 3 ++- generators/rust/sdk/Dockerfile | 4 ++-- .../unreleased/bump-node-base-image-openssl-cves.yml | 10 +++++----- generators/swift/sdk/Dockerfile | 4 ++-- .../unreleased/bump-node-base-image-openssl-cves.yml | 10 +++++----- .../unreleased/bump-node-base-image-openssl-cves.yml | 8 ++++---- generators/typescript/sdk/cli/Dockerfile | 3 ++- 8 files changed, 24 insertions(+), 22 deletions(-) diff --git a/generators/openapi/Dockerfile b/generators/openapi/Dockerfile index 6980b85cdfd4..a88e294ee9a7 100644 --- a/generators/openapi/Dockerfile +++ b/generators/openapi/Dockerfile @@ -1,5 +1,5 @@ -FROM node:24.15.0-alpine3.23 -RUN apk update && apk upgrade --no-cache \ +FROM node:22.22-alpine3.23 +RUN apk update && apk upgrade --no-cache --available \ && rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx COPY dist /dist ENTRYPOINT ["node", "--enable-source-maps", "/dist/cli.cjs", "openapi"] diff --git a/generators/python-v2/pydantic-model/Dockerfile b/generators/python-v2/pydantic-model/Dockerfile index 7fca4a87919e..c6b8561c6421 100644 --- a/generators/python-v2/pydantic-model/Dockerfile +++ b/generators/python-v2/pydantic-model/Dockerfile @@ -7,10 +7,11 @@ # Bundled npm globals are removed below so the npm-bundled JS dependencies (cross-spawn, glob, # minimatch, tar, brace-expansion, ip-address, diff) cannot be flagged or invoked at runtime — this # image only runs the bundled CLI directly via node. -FROM node:24.15.0-bookworm-slim +FROM node:22.22-bookworm-slim RUN apt-get update \ && apt-get -y --no-install-recommends dist-upgrade \ && apt-get install -y --no-install-recommends ca-certificates curl \ + && apt-get -y autoremove \ && rm -rf /var/lib/apt/lists/* RUN rm -rf /usr/local/lib/node_modules /usr/local/bin/npm /usr/local/bin/npx /usr/local/bin/corepack /opt/yarn-* RUN curl -LsSf https://astral.sh/ruff/0.15.7/install.sh | sh diff --git a/generators/rust/sdk/Dockerfile b/generators/rust/sdk/Dockerfile index 294f82893e2f..3093b3c9da48 100644 --- a/generators/rust/sdk/Dockerfile +++ b/generators/rust/sdk/Dockerfile @@ -5,9 +5,9 @@ FROM rust:1.82-alpine3.20 AS rust RUN rustup component add rustfmt -FROM node:24.15.0-alpine3.23 +FROM node:22.22-alpine3.23 -RUN apk update && apk upgrade --no-cache +RUN apk update && apk upgrade --no-cache --available # Update bundled npm to refresh transitive dependencies (picomatch, brace-expansion, # ip-address, etc.) that ship inside /usr/local/lib/node_modules/npm and otherwise diff --git a/generators/rust/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml b/generators/rust/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml index b9686db66597..4b06a1108bd2 100644 --- a/generators/rust/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml +++ b/generators/rust/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml @@ -1,7 +1,7 @@ - summary: | - Bump Node base image from `node:22.22-alpine3.23` to - `node:24.15.0-alpine3.23` so the rebuilt image picks up the Alpine 3.23.4 - openssl 3.5.6-r0 patch, addressing the OpenSSL April 2026 advisory CVEs - (CVE-2026-31789, CVE-2026-31790, CVE-2026-28387, CVE-2026-28388, - CVE-2026-28389, CVE-2026-28390, CVE-2026-2673). + Force a fresh `apk upgrade` in the rust-sdk container so the next image + rebuild pulls the patched openssl 3.5.6-r0 from Alpine 3.23.4, addressing + the OpenSSL April 2026 advisory CVEs (CVE-2026-31789, CVE-2026-31790, + CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, + CVE-2026-2673). type: chore diff --git a/generators/swift/sdk/Dockerfile b/generators/swift/sdk/Dockerfile index df89379ce151..fe6a1d535e9f 100644 --- a/generators/swift/sdk/Dockerfile +++ b/generators/swift/sdk/Dockerfile @@ -1,6 +1,6 @@ -FROM node:24.15.0-alpine3.23 +FROM node:22.22-alpine3.23 -RUN apk update && apk upgrade --no-cache +RUN apk update && apk upgrade --no-cache --available RUN apk --no-cache add bash curl git zip RUN git config --global user.email "115122769+fern-api[bot]@users.noreply.github.com" && \ git config --global user.name "fern-api" diff --git a/generators/swift/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml b/generators/swift/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml index b9686db66597..1e2529715357 100644 --- a/generators/swift/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml +++ b/generators/swift/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml @@ -1,7 +1,7 @@ - summary: | - Bump Node base image from `node:22.22-alpine3.23` to - `node:24.15.0-alpine3.23` so the rebuilt image picks up the Alpine 3.23.4 - openssl 3.5.6-r0 patch, addressing the OpenSSL April 2026 advisory CVEs - (CVE-2026-31789, CVE-2026-31790, CVE-2026-28387, CVE-2026-28388, - CVE-2026-28389, CVE-2026-28390, CVE-2026-2673). + Force a fresh `apk upgrade` in the swift-sdk container so the next image + rebuild pulls the patched openssl 3.5.6-r0 from Alpine 3.23.4, addressing + the OpenSSL April 2026 advisory CVEs (CVE-2026-31789, CVE-2026-31790, + CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, + CVE-2026-2673). type: chore diff --git a/generators/typescript/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml b/generators/typescript/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml index 2b3d5a83b873..cfc755db9a75 100644 --- a/generators/typescript/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml +++ b/generators/typescript/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml @@ -1,7 +1,7 @@ - summary: | - Bump Node base image from `node:24.14-slim` to `node:24.15.0-slim` so the - rebuilt image picks up the Debian trixie security update for openssl - (3.5.5-1~deb13u2), addressing the OpenSSL April 2026 advisory CVEs - (CVE-2026-31789, CVE-2026-31790, CVE-2026-28387, CVE-2026-28388, + Force a fresh `apt-get dist-upgrade` in the typescript-sdk container so the + next image rebuild pulls the patched openssl 3.5.5-1~deb13u2 from the + Debian trixie security suite, addressing the OpenSSL April 2026 advisory + CVEs (CVE-2026-31789, CVE-2026-31790, CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-2673). type: chore diff --git a/generators/typescript/sdk/cli/Dockerfile b/generators/typescript/sdk/cli/Dockerfile index 6d94aa88d930..b779fc7bf6f5 100644 --- a/generators/typescript/sdk/cli/Dockerfile +++ b/generators/typescript/sdk/cli/Dockerfile @@ -1,8 +1,9 @@ -FROM node:24.15.0-slim +FROM node:24.14-slim RUN apt-get update \ && apt-get -y --no-install-recommends dist-upgrade \ && apt-get install -y --no-install-recommends ca-certificates git zip \ + && apt-get -y autoremove \ && rm -rf /var/lib/apt/lists/* RUN git config --global user.email "115122769+fern-api[bot]@users.noreply.github.com" && \ git config --global user.name "fern-api" From 05767270045ef1fb961ac5e8052fc10e4ee35826 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 12:47:38 +0000 Subject: [PATCH 3/9] chore(ts-seed): keep apt-get upgrade (revert dist-upgrade) and use autoremove --purge for cache busting Co-Authored-By: David Konigsberg --- docker/seed/Dockerfile.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/seed/Dockerfile.ts b/docker/seed/Dockerfile.ts index 550f69d05aaf..9605e102fa50 100644 --- a/docker/seed/Dockerfile.ts +++ b/docker/seed/Dockerfile.ts @@ -10,8 +10,8 @@ ENV PATH=$PNPM_HOME:$PATH # libsystemd0, libudev1, libcap2, libtasn1-6, login/passwd, etc.) are # resolved on top of the base image. RUN apt-get update \ - && apt-get -y --no-install-recommends dist-upgrade \ - && apt-get -y autoremove \ + && apt-get -y upgrade \ + && apt-get -y autoremove --purge \ && rm -rf /var/lib/apt/lists/* RUN npm install -g pnpm@10.33.3 --force From 28efd19c69bce58a703033fec891afd6974f5149 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 12:51:48 +0000 Subject: [PATCH 4/9] chore(ts-seed): standardize on dist-upgrade to match pydantic-model and ts-sdk-cli Co-Authored-By: David Konigsberg --- docker/seed/Dockerfile.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/seed/Dockerfile.ts b/docker/seed/Dockerfile.ts index 9605e102fa50..550f69d05aaf 100644 --- a/docker/seed/Dockerfile.ts +++ b/docker/seed/Dockerfile.ts @@ -10,8 +10,8 @@ ENV PATH=$PNPM_HOME:$PATH # libsystemd0, libudev1, libcap2, libtasn1-6, login/passwd, etc.) are # resolved on top of the base image. RUN apt-get update \ - && apt-get -y upgrade \ - && apt-get -y autoremove --purge \ + && apt-get -y --no-install-recommends dist-upgrade \ + && apt-get -y autoremove \ && rm -rf /var/lib/apt/lists/* RUN npm install -g pnpm@10.33.3 --force From ea9b5b9e971c2ea8d68be82a1b4a97a0ea62aa48 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 13:02:04 +0000 Subject: [PATCH 5/9] chore: bump composer (php-sdk) and Go/golangci-lint (go-seed) base images for CVE fixes Co-Authored-By: David Konigsberg --- docker/seed/Dockerfile.go | 6 +++--- generators/php/sdk/Dockerfile | 4 ++-- .../changes/unreleased/bump-composer-base-image-cves.yml | 8 ++++++++ 3 files changed, 13 insertions(+), 5 deletions(-) create mode 100644 generators/php/sdk/changes/unreleased/bump-composer-base-image-cves.yml diff --git a/docker/seed/Dockerfile.go b/docker/seed/Dockerfile.go index ea94a37948a0..cd7185d57abf 100644 --- a/docker/seed/Dockerfile.go +++ b/docker/seed/Dockerfile.go @@ -12,10 +12,10 @@ FROM docker:29.4.1-dind-alpine3.23 COPY --from=wiremock-pull /wiremock.tar /wiremock.tar # Apply the latest APK security patches available for the base image -RUN apk update && apk upgrade --no-cache +RUN apk update && apk upgrade --no-cache --available # Install Go (multi-arch: supports both amd64 and arm64) -ENV GO_VERSION=1.23.8 +ENV GO_VERSION=1.26.3 RUN set -eux; \ ARCH="$(uname -m)"; \ case "${ARCH}" in \ @@ -34,7 +34,7 @@ ENV PATH="/usr/local/go/bin:${PATH}" \ RUN mkdir -p "${GOPATH}/src" "${GOPATH}/bin" # Install golangci-lint -ENV GOLANGCI_LINT_VERSION=v2.10.1 +ENV GOLANGCI_LINT_VERSION=v2.12.2 RUN wget -O- -nv https://golangci-lint.run/install.sh | sh -s -- -b /usr/local/bin ${GOLANGCI_LINT_VERSION} # Create entrypoint script to start dockerd and wait until it is ready diff --git a/generators/php/sdk/Dockerfile b/generators/php/sdk/Dockerfile index 45accd1b219a..d3d04764ebcf 100644 --- a/generators/php/sdk/Dockerfile +++ b/generators/php/sdk/Dockerfile @@ -1,5 +1,5 @@ FROM node:22.22-alpine3.23 AS node -FROM composer:2.7.9 +FROM composer:2.9.7 ENV YARN_CACHE_FOLDER=/.yarn ARG SENTRY_DSN @@ -9,7 +9,7 @@ ENV SENTRY_DSN=$SENTRY_DSN ENV SENTRY_ENVIRONMENT=$SENTRY_ENVIRONMENT ENV SENTRY_RELEASE=$SENTRY_RELEASE -RUN apk update && apk upgrade --no-cache +RUN apk update && apk upgrade --no-cache --available RUN apk --no-cache add bash curl git zip RUN git config --global user.email "115122769+fern-api[bot]@users.noreply.github.com" && \ git config --global user.name "fern-api" diff --git a/generators/php/sdk/changes/unreleased/bump-composer-base-image-cves.yml b/generators/php/sdk/changes/unreleased/bump-composer-base-image-cves.yml new file mode 100644 index 000000000000..c21a552c9d06 --- /dev/null +++ b/generators/php/sdk/changes/unreleased/bump-composer-base-image-cves.yml @@ -0,0 +1,8 @@ +- summary: | + Bump the php-sdk container's `composer` base image from `composer:2.7.9` + (Alpine 3.20, PHP 8.3.12) to `composer:2.9.7` (Alpine 3.22, current PHP), + addressing the Alpine 3.20 EOL alert and the PHP 8.3.12 CVEs + (CVE-2024-8932, CVE-2024-11236, CVE-2025-1861), and force a fresh + `apk upgrade` so the rebuilt image picks up the patched openssl 3.5.6-r0 + from Alpine 3.23.4 (CVE-2026-31789). + type: chore From 10377e69b701b61571b52899907a45ee4e264bde Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 13:18:14 +0000 Subject: [PATCH 6/9] chore: revert Node-image cache-bust changes (do not fix Node-bundled OpenSSL CVEs) Co-Authored-By: David Konigsberg --- docker/seed/Dockerfile.ts | 2 +- generators/openapi/Dockerfile | 2 +- generators/python-v2/pydantic-model/Dockerfile | 1 - generators/rust/sdk/Dockerfile | 2 +- .../unreleased/bump-node-base-image-openssl-cves.yml | 7 ------- generators/swift/sdk/Dockerfile | 2 +- .../unreleased/bump-node-base-image-openssl-cves.yml | 7 ------- .../unreleased/bump-node-base-image-openssl-cves.yml | 7 ------- generators/typescript/sdk/cli/Dockerfile | 1 - 9 files changed, 4 insertions(+), 27 deletions(-) delete mode 100644 generators/rust/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml delete mode 100644 generators/swift/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml delete mode 100644 generators/typescript/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml diff --git a/docker/seed/Dockerfile.ts b/docker/seed/Dockerfile.ts index 550f69d05aaf..3bb6b224980d 100644 --- a/docker/seed/Dockerfile.ts +++ b/docker/seed/Dockerfile.ts @@ -10,7 +10,7 @@ ENV PATH=$PNPM_HOME:$PATH # libsystemd0, libudev1, libcap2, libtasn1-6, login/passwd, etc.) are # resolved on top of the base image. RUN apt-get update \ - && apt-get -y --no-install-recommends dist-upgrade \ + && apt-get -y upgrade \ && apt-get -y autoremove \ && rm -rf /var/lib/apt/lists/* diff --git a/generators/openapi/Dockerfile b/generators/openapi/Dockerfile index a88e294ee9a7..5760dfa9f160 100644 --- a/generators/openapi/Dockerfile +++ b/generators/openapi/Dockerfile @@ -1,5 +1,5 @@ FROM node:22.22-alpine3.23 -RUN apk update && apk upgrade --no-cache --available \ +RUN apk update && apk upgrade --no-cache \ && rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx COPY dist /dist ENTRYPOINT ["node", "--enable-source-maps", "/dist/cli.cjs", "openapi"] diff --git a/generators/python-v2/pydantic-model/Dockerfile b/generators/python-v2/pydantic-model/Dockerfile index c6b8561c6421..92b32aacd93a 100644 --- a/generators/python-v2/pydantic-model/Dockerfile +++ b/generators/python-v2/pydantic-model/Dockerfile @@ -11,7 +11,6 @@ FROM node:22.22-bookworm-slim RUN apt-get update \ && apt-get -y --no-install-recommends dist-upgrade \ && apt-get install -y --no-install-recommends ca-certificates curl \ - && apt-get -y autoremove \ && rm -rf /var/lib/apt/lists/* RUN rm -rf /usr/local/lib/node_modules /usr/local/bin/npm /usr/local/bin/npx /usr/local/bin/corepack /opt/yarn-* RUN curl -LsSf https://astral.sh/ruff/0.15.7/install.sh | sh diff --git a/generators/rust/sdk/Dockerfile b/generators/rust/sdk/Dockerfile index 3093b3c9da48..560f7ef8bd03 100644 --- a/generators/rust/sdk/Dockerfile +++ b/generators/rust/sdk/Dockerfile @@ -7,7 +7,7 @@ RUN rustup component add rustfmt FROM node:22.22-alpine3.23 -RUN apk update && apk upgrade --no-cache --available +RUN apk update && apk upgrade --no-cache # Update bundled npm to refresh transitive dependencies (picomatch, brace-expansion, # ip-address, etc.) that ship inside /usr/local/lib/node_modules/npm and otherwise diff --git a/generators/rust/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml b/generators/rust/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml deleted file mode 100644 index 4b06a1108bd2..000000000000 --- a/generators/rust/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml +++ /dev/null @@ -1,7 +0,0 @@ -- summary: | - Force a fresh `apk upgrade` in the rust-sdk container so the next image - rebuild pulls the patched openssl 3.5.6-r0 from Alpine 3.23.4, addressing - the OpenSSL April 2026 advisory CVEs (CVE-2026-31789, CVE-2026-31790, - CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, - CVE-2026-2673). - type: chore diff --git a/generators/swift/sdk/Dockerfile b/generators/swift/sdk/Dockerfile index fe6a1d535e9f..d1273d5be619 100644 --- a/generators/swift/sdk/Dockerfile +++ b/generators/swift/sdk/Dockerfile @@ -1,6 +1,6 @@ FROM node:22.22-alpine3.23 -RUN apk update && apk upgrade --no-cache --available +RUN apk update && apk upgrade --no-cache RUN apk --no-cache add bash curl git zip RUN git config --global user.email "115122769+fern-api[bot]@users.noreply.github.com" && \ git config --global user.name "fern-api" diff --git a/generators/swift/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml b/generators/swift/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml deleted file mode 100644 index 1e2529715357..000000000000 --- a/generators/swift/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml +++ /dev/null @@ -1,7 +0,0 @@ -- summary: | - Force a fresh `apk upgrade` in the swift-sdk container so the next image - rebuild pulls the patched openssl 3.5.6-r0 from Alpine 3.23.4, addressing - the OpenSSL April 2026 advisory CVEs (CVE-2026-31789, CVE-2026-31790, - CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, - CVE-2026-2673). - type: chore diff --git a/generators/typescript/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml b/generators/typescript/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml deleted file mode 100644 index cfc755db9a75..000000000000 --- a/generators/typescript/sdk/changes/unreleased/bump-node-base-image-openssl-cves.yml +++ /dev/null @@ -1,7 +0,0 @@ -- summary: | - Force a fresh `apt-get dist-upgrade` in the typescript-sdk container so the - next image rebuild pulls the patched openssl 3.5.5-1~deb13u2 from the - Debian trixie security suite, addressing the OpenSSL April 2026 advisory - CVEs (CVE-2026-31789, CVE-2026-31790, CVE-2026-28387, CVE-2026-28388, - CVE-2026-28389, CVE-2026-28390, CVE-2026-2673). - type: chore diff --git a/generators/typescript/sdk/cli/Dockerfile b/generators/typescript/sdk/cli/Dockerfile index b779fc7bf6f5..909d2787a6de 100644 --- a/generators/typescript/sdk/cli/Dockerfile +++ b/generators/typescript/sdk/cli/Dockerfile @@ -3,7 +3,6 @@ FROM node:24.14-slim RUN apt-get update \ && apt-get -y --no-install-recommends dist-upgrade \ && apt-get install -y --no-install-recommends ca-certificates git zip \ - && apt-get -y autoremove \ && rm -rf /var/lib/apt/lists/* RUN git config --global user.email "115122769+fern-api[bot]@users.noreply.github.com" && \ git config --global user.name "fern-api" From bd54aea374ccac684cc6634577fa8fcefb1f4443 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 13:26:42 +0000 Subject: [PATCH 7/9] chore(python-sdk-generator): bump Node 20.19.4 -> 22.22 and dist-upgrade Debian trixie packages Co-Authored-By: David Konigsberg --- generators/python/sdk/Dockerfile | 8 ++++++-- .../bump-node-and-debian-security-patches.yml | 10 ++++++++++ 2 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 generators/python/sdk/changes/unreleased/bump-node-and-debian-security-patches.yml diff --git a/generators/python/sdk/Dockerfile b/generators/python/sdk/Dockerfile index a9767ca976d3..1ec4e5ff3880 100644 --- a/generators/python/sdk/Dockerfile +++ b/generators/python/sdk/Dockerfile @@ -1,5 +1,5 @@ # Stage 1: Copy Node.js from official image -FROM node:20.19.4-slim AS node +FROM node:22.22-bookworm-slim AS node # Stage 2: Base Python image with dependencies FROM python:3.13.7-slim AS python-base @@ -10,7 +10,11 @@ COPY --from=node /usr/local/lib/node_modules /usr/local/lib/node_modules RUN ln -s /usr/local/lib/node_modules/npm/bin/npm-cli.js /usr/local/bin/npm && \ ln -s /usr/local/lib/node_modules/npm/bin/npx-cli.js /usr/local/bin/npx -RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl git && rm -rf /var/lib/apt/lists/* +RUN apt-get update \ + && apt-get -y --no-install-recommends dist-upgrade \ + && apt-get install -y --no-install-recommends ca-certificates curl git \ + && apt-get -y autoremove \ + && rm -rf /var/lib/apt/lists/* RUN node --version RUN npm --version diff --git a/generators/python/sdk/changes/unreleased/bump-node-and-debian-security-patches.yml b/generators/python/sdk/changes/unreleased/bump-node-and-debian-security-patches.yml new file mode 100644 index 000000000000..f4ef5d9caa26 --- /dev/null +++ b/generators/python/sdk/changes/unreleased/bump-node-and-debian-security-patches.yml @@ -0,0 +1,10 @@ +# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json + +- summary: | + Bump the python-sdk container's Node.js stage from `node:20.19.4-slim` + (Node 20 went EOL March 24, 2026) to `node:22.22-bookworm-slim`, and + apply latest Debian trixie security updates at build time so OS-level + package CVEs are picked up. Addresses CVE-2025-55130 (Node 20.19.4 + permission-model symlink bypass) and the OS-level CVE-2026-31789 + against `openssl 3.5.1-1`. + type: chore From 08cc11066a630473bc6958827b71061d8fb3a5cd Mon Sep 17 00:00:00 2001 From: davidkonigsberg Date: Fri, 8 May 2026 13:34:33 +0000 Subject: [PATCH 8/9] chore: bump ts-sdk-validator Node 20 -> 22.22, php-model composer 2.7.9 -> 2.9.7 --- generators/php/model/Dockerfile | 4 ++-- .../unreleased/bump-php-model-composer-base-image.yml | 7 +++++++ .../changes/unreleased/bump-validator-node-base-image.yml | 6 ++++++ generators/typescript/sdk/validator/Dockerfile | 2 +- 4 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 generators/php/sdk/changes/unreleased/bump-php-model-composer-base-image.yml create mode 100644 generators/typescript/sdk/changes/unreleased/bump-validator-node-base-image.yml diff --git a/generators/php/model/Dockerfile b/generators/php/model/Dockerfile index 86d7ba17153f..9c4be0355bea 100644 --- a/generators/php/model/Dockerfile +++ b/generators/php/model/Dockerfile @@ -1,5 +1,5 @@ FROM node:22.22-alpine3.23 AS node -FROM composer:2.7.9 +FROM composer:2.9.7 ENV YARN_CACHE_FOLDER=/.yarn ARG SENTRY_DSN @@ -9,7 +9,7 @@ ENV SENTRY_DSN=$SENTRY_DSN ENV SENTRY_ENVIRONMENT=$SENTRY_ENVIRONMENT ENV SENTRY_RELEASE=$SENTRY_RELEASE -RUN apk update && apk upgrade --no-cache +RUN apk update && apk upgrade --no-cache --available RUN apk --no-cache add bash curl git zip RUN git config --global user.email "115122769+fern-api[bot]@users.noreply.github.com" && \ git config --global user.name "fern-api" diff --git a/generators/php/sdk/changes/unreleased/bump-php-model-composer-base-image.yml b/generators/php/sdk/changes/unreleased/bump-php-model-composer-base-image.yml new file mode 100644 index 000000000000..397c85f8611c --- /dev/null +++ b/generators/php/sdk/changes/unreleased/bump-php-model-composer-base-image.yml @@ -0,0 +1,7 @@ +- summary: | + Bump the php-model container's `composer` base image from `composer:2.7.9` + (Alpine 3.20, PHP 8.3.12) to `composer:2.9.7` (Alpine 3.22, current PHP), + mirroring the php-sdk bump. Addresses the Alpine 3.20 EOL alert and the + PHP 8.3.12 CVEs (CVE-2024-8932, CVE-2024-11236, CVE-2025-1861), and + standardizes on `apk upgrade --no-cache --available` for cache invalidation. + type: chore diff --git a/generators/typescript/sdk/changes/unreleased/bump-validator-node-base-image.yml b/generators/typescript/sdk/changes/unreleased/bump-validator-node-base-image.yml new file mode 100644 index 000000000000..a09a3d813118 --- /dev/null +++ b/generators/typescript/sdk/changes/unreleased/bump-validator-node-base-image.yml @@ -0,0 +1,6 @@ +- summary: | + Bump the typescript-sdk-validator container's `node:20-slim` base image + to `node:22.22-bookworm-slim`. Node 20 went EOL March 24, 2026, and the + container was carrying the Node 20 EOL alert plus CVE-2025-55130 + (Node 20 permission-model symlink bypass). + type: chore diff --git a/generators/typescript/sdk/validator/Dockerfile b/generators/typescript/sdk/validator/Dockerfile index 32637ccbfaf8..c30b6559b03d 100644 --- a/generators/typescript/sdk/validator/Dockerfile +++ b/generators/typescript/sdk/validator/Dockerfile @@ -1,4 +1,4 @@ -FROM node:20-slim +FROM node:22.22-bookworm-slim RUN apt-get update \ && apt-get install -y --no-install-recommends ca-certificates git \ From 95fac122ff6b2a1ca6301f7c070062311eb54133 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Fri, 8 May 2026 15:12:23 +0000 Subject: [PATCH 9/9] test(ete): bump diff.test.ts timeout 20s -> 60s to absorb CI runner load Co-Authored-By: David Konigsberg --- packages/cli/ete-tests/src/tests/diff/diff.test.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/cli/ete-tests/src/tests/diff/diff.test.ts b/packages/cli/ete-tests/src/tests/diff/diff.test.ts index be50fee137bd..2dfe8e5271af 100644 --- a/packages/cli/ete-tests/src/tests/diff/diff.test.ts +++ b/packages/cli/ete-tests/src/tests/diff/diff.test.ts @@ -32,7 +32,7 @@ it("breaking", async ({ signal }) => { expect(result.stdout).toMatchSnapshot(); expect(result.exitCode).toBe(1); } -}, 20_000); +}, 60_000); it("non-breaking", async ({ signal }) => { const nonBreakingChangeDirs = await readdir(NON_BREAKING_FIXTURES_DIR, { withFileTypes: true }); @@ -50,4 +50,4 @@ it("non-breaking", async ({ signal }) => { expect(result.stdout).toMatchSnapshot(); expect(result.exitCode).toBe(0); } -}, 20_000); +}, 60_000);