From 9c8a2c0169a6a78cc4b785c5917984b041a90620 Mon Sep 17 00:00:00 2001
From: Joakim Persson
Date: Fri, 10 Apr 2026 22:18:42 +0200
Subject: [PATCH] Fix CVEs: install gosu 1.19 and fzf 0.71.0 from GitHub releases instead of Debian packages

---
 Dockerfile | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3ad9fe6..932e5d0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -26,7 +26,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     jq \
     ripgrep \
     fd-find \
-    fzf \
     tree \
     less \
     vim-tiny \
@@ -37,13 +36,19 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && ln -s /usr/bin/fdfind /usr/local/bin/fd \
     && rm -rf /var/lib/apt/lists/*
 
-# ── gosu (install from GitHub for current Go version, avoids CVEs in Debian package)
-ARG GOSU_VERSION=1.17
+# ── gosu (install from GitHub to avoid CVEs in Debian's old Go-compiled package)
+ARG GOSU_VERSION=1.19
 RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
     curl -fsSL "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${ARCH}" -o /usr/local/bin/gosu && \
     chmod +x /usr/local/bin/gosu && \
     gosu --version
 
+# ── fzf (install from GitHub to avoid CVEs in Debian's old Go-compiled package)
+ARG FZF_VERSION=0.71.0
+RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
+    curl -fsSL "https://github.com/junegunn/fzf/releases/download/v${FZF_VERSION}/fzf-${FZF_VERSION}-linux_${ARCH}.tar.gz" | tar -xz -C /usr/local/bin fzf && \
+    fzf --version
+
 # Set locale
 RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
 ENV LANG=en_US.UTF-8
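Review bot: The new fzf `RUN` pipes the downloaded tarball straight into `tar -xz -C /usr/local/bin` with no integrity check; the trailing `fzf --version` only proves the binary executes, not that it is the release that was pinned by `FZF_VERSION`. For a commit whose purpose is CVE hygiene, the download should be pinned by SHA-256 (fzf publishes per-release checksums) and verified before extraction, which also removes the unguarded `curl | tar` pipe that the default `/bin/sh -c` shell does not protect with pipefail (hadolint DL4006); the pre-existing gosu step has the same gap and could use the same treatment in a follow-up. The `*) echo "amd64"` fallback copied from the gosu step silently installs an amd64 binary on any other `TARGETARCH`, so failing with `*) echo "unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;;` would be safer than a build that succeeds with the wrong binary. Dropping the Debian `fzf` package also drops the shell-integration files it shipped; if anything in the image sourced them that is no longer provided by the GitHub tarball, though that cannot be confirmed from this hunk. The enclosing Dockerfile, including the `ARG TARGETARCH` declaration both steps rely on, lies outside the hunk.
```dockerfile
ARG FZF_VERSION=0.71.0
# SHA-256 of fzf-${FZF_VERSION}-linux_<arch>.tar.gz, copied from the release's checksum file.
ARG FZF_SHA256_AMD64=<FZF_AMD64_SHA256_PLACEHOLDER>
ARG FZF_SHA256_ARM64=<FZF_ARM64_SHA256_PLACEHOLDER>
RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;; esac) && \
    SHA=$(case "${ARCH}" in amd64) echo "${FZF_SHA256_AMD64}" ;; arm64) echo "${FZF_SHA256_ARM64}" ;; esac) && \
    curl -fsSL "https://github.com/junegunn/fzf/releases/download/v${FZF_VERSION}/fzf-${FZF_VERSION}-linux_${ARCH}.tar.gz" -o /tmp/fzf.tar.gz && \
    echo "${SHA}  /tmp/fzf.tar.gz" | sha256sum -c - && \
    tar -xzf /tmp/fzf.tar.gz -C /usr/local/bin fzf && \
    rm -f /tmp/fzf.tar.gz && \
    fzf --version
```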