From 973e727acbc5edac0825079998ec5a75efe35977 Mon Sep 17 00:00:00 2001
From: Joakim Persson
Date: Fri, 10 Apr 2026 23:30:14 +0200
Subject: [PATCH] Fix CVEs: install git-lfs from GitHub (Go 1.25), document Go versions for gosu/fzf
---
 Dockerfile | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 932e5d0..b381073 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,7 +20,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 curl \
 wget \
 git \
- git-lfs \
 openssh-client \
 gnupg \
 jq \
@@ -36,19 +35,30 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 && ln -s /usr/bin/fdfind /usr/local/bin/fd \
 && rm -rf /var/lib/apt/lists/*
-# ── gosu (install from GitHub to avoid CVEs in Debian's old Go-compiled package)
+# ── Go-compiled tools (install from GitHub to avoid CVEs in Debian's old Go builds)
+
+# gosu — privilege de-escalation (built with Go 1.24.6)
 ARG GOSU_VERSION=1.19
 RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
 curl -fsSL "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${ARCH}" -o /usr/local/bin/gosu && \
 chmod +x /usr/local/bin/gosu && \
 gosu --version
-# ── fzf (install from GitHub to avoid CVEs in Debian's old Go-compiled package)
+# fzf — fuzzy finder (built with Go 1.23.12)
 ARG FZF_VERSION=0.71.0
 RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
 curl -fsSL "https://github.com/junegunn/fzf/releases/download/v${FZF_VERSION}/fzf-${FZF_VERSION}-linux_${ARCH}.tar.gz" | tar -xz -C /usr/local/bin fzf && \
 fzf --version
+# git-lfs — Git Large File Storage (built with Go 1.25)
+ARG GIT_LFS_VERSION=3.7.1
+RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
+ curl -fsSL "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${ARCH}-v${GIT_LFS_VERSION}.tar.gz" | tar -xz -C /tmp && \
+ install /tmp/git-lfs-${GIT_LFS_VERSION}/git-lfs /usr/local/bin/git-lfs && \
+ rm -rf /tmp/git-lfs-${GIT_LFS_VERSION} && \
+ git lfs install --system && \
+ git-lfs --version
+
 # Set locale
 RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
 ENV LANG=en_US.UTF-8
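Review bot: The new git-lfs step pipes the release tarball from `curl` straight into `tar` and installs the binary without comparing it to a known digest, so the image trusts whatever the download URL returns at build time; the apt package it replaces was covered by apt's repository signature checks. Download to a file, check it against a SHA-256 pinned next to `GIT_LFS_VERSION` (one per architecture, taken from the checksums published with the release), and extract only after the check passes, as sketched below with placeholder digests. The gosu and fzf steps in the same hunk fetch their binaries the same way and would benefit from the same pinning. Separately, the `*) echo "amd64"` fallback installs an amd64 binary for any unrecognised or unset `TARGETARCH`; if that is intended for non-BuildKit builds, a short comment saying so would help.

```dockerfile
ARG GIT_LFS_VERSION=3.7.1
# Placeholders: replace with the digests published for the pinned release.
ARG GIT_LFS_SHA256_AMD64=REPLACE_WITH_PUBLISHED_SHA256_AMD64
ARG GIT_LFS_SHA256_ARM64=REPLACE_WITH_PUBLISHED_SHA256_ARM64
RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
    SUM=$(case "${ARCH}" in arm64) echo "${GIT_LFS_SHA256_ARM64}" ;; *) echo "${GIT_LFS_SHA256_AMD64}" ;; esac) && \
    curl -fsSL "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${ARCH}-v${GIT_LFS_VERSION}.tar.gz" -o /tmp/git-lfs.tar.gz && \
    echo "${SUM}  /tmp/git-lfs.tar.gz" | sha256sum -c - && \
    tar -xzf /tmp/git-lfs.tar.gz -C /tmp && \
    rm -f /tmp/git-lfs.tar.gz && \
    # … unchanged: install into /usr/local/bin, removal of the extracted directory, git lfs install --system, git-lfs --version …
```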