Fix CVEs: install git-lfs from GitHub (Go 1.25), document Go versions for gosu/fzf

Fix CVEs: install gosu 1.19 and fzf 0.71.0 from GitHub releases instead of Debian packages
2026-04-10 23:30:14 +02:00 · 2026-04-10 22:18:42 +02:00
1 changed files with 19 additions and 4 deletions
@@ -20,13 +20,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    curl \
    wget \
    git \
    git-lfs \
    openssh-client \
    gnupg \
    jq \
    ripgrep \
    fd-find \
    fzf \
    tree \
    less \
    vim-tiny \
@@ -37,13 +35,30 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    && ln -s /usr/bin/fdfind /usr/local/bin/fd \
    && rm -rf /var/lib/apt/lists/*
-# ── gosu (install from GitHub for current Go version, avoids CVEs in Debian package)
+# ── Go-compiled tools (install from GitHub to avoid CVEs in Debian's old Go builds)
-ARG GOSU_VERSION=1.17
+
 # gosu — privilege de-escalation (built with Go 1.24.6)
 ARG GOSU_VERSION=1.19
 RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
    curl -fsSL "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${ARCH}" -o /usr/local/bin/gosu && \
    chmod +x /usr/local/bin/gosu && \
    gosu --version
 # fzf — fuzzy finder (built with Go 1.23.12)
 ARG FZF_VERSION=0.71.0
 RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
    curl -fsSL "https://github.com/junegunn/fzf/releases/download/v${FZF_VERSION}/fzf-${FZF_VERSION}-linux_${ARCH}.tar.gz" | tar -xz -C /usr/local/bin fzf && \
    fzf --version
 # git-lfs — Git Large File Storage (built with Go 1.25)
 ARG GIT_LFS_VERSION=3.7.1
 RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
    curl -fsSL "https://github.com/git-lfs/git-lfs/releases/download/v${GIT_LFS_VERSION}/git-lfs-linux-${ARCH}-v${GIT_LFS_VERSION}.tar.gz" | tar -xz -C /tmp && \
    install /tmp/git-lfs-${GIT_LFS_VERSION}/git-lfs /usr/local/bin/git-lfs && \
    rm -rf /tmp/git-lfs-${GIT_LFS_VERSION} && \
    git lfs install --system && \
    git-lfs --version
 # Set locale
 RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
 ENV LANG=en_US.UTF-8
Author	SHA1	Message	Date
joakimp	973e727acb	Fix CVEs: install git-lfs from GitHub (Go 1.25), document Go versions for gosu/fzf Publish Docker Image / build-and-push (push) Successful in 28m34s Details	2026-04-10 23:30:14 +02:00
joakimp	9c8a2c0169	Fix CVEs: install gosu 1.19 and fzf 0.71.0 from GitHub releases instead of Debian packages Publish Docker Image / build-and-push (push) Successful in 28m17s Details	2026-04-10 22:18:42 +02:00