Merge branch 'main' into feat/bump-deps-logstash91-20251009

Author: efbar

.github/chainguard/lifecycle-cve-detection-dev.sts.yaml

@@ -0,0 +1,9 @@
+issuer: https://accounts.google.com
+
+# Dev service account for testing
+# - cve-detection-sa@jml-test-chainguard-dev.iam.gserviceaccount.com 117144291088285847777
+subject_pattern: "117144291088285847777"
+
+# Allow CVE detection automation to use Melange package information.
+permissions:
+  contents: read

R-units.yaml

@@ -1,7 +1,7 @@
 package:
   name: R-units
-  version: "0.8.7"
-  epoch: 1
+  version: "1.0.0"
+  epoch: 0
   description: Measurement Units for R Vectors
   copyright:
     - license: GPL-2.0-or-later
@@ -31,7 +31,7 @@ pipeline:
     with:
       repository: https://github.com/cran/units
       tag: ${{vars.mangled-package-version}}
-      expected-commit: c26f6d1f3910716b3fae684c4022ce3f59c945ab
+      expected-commit: ad0d0bd4aa16581840121386bf796f51a140462c
 
   - uses: R/build
     with:

envoy-gateway.yaml

@@ -1,6 +1,6 @@
 package:
   name: envoy-gateway
-  version: "1.5.2"
+  version: "1.5.3"
   epoch: 0 # GHSA-jc7w-c686-c4v9
   description: Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
   copyright:
@@ -14,7 +14,7 @@ environment:
 pipeline:
   - uses: git-checkout
     with:
-      expected-commit: d0a2d3d4dcf41a1b5c1de0e1729b51b8d5cfe180
+      expected-commit: 25d158912b9474b04ab9737be6c67eb5dc9c95e0
       repository: https://github.com/envoyproxy/gateway
       tag: v${{package.version}}
 

flannel.yaml

@@ -1,7 +1,7 @@
 package:
   name: flannel
-  version: "0.27.3"
-  epoch: 0 # CVE-2025-47907
+  version: "0.27.4"
+  epoch: 1 # CVE-2025-47907
   description: flannel is a network fabric for containers, designed for Kubernetes
   copyright:
     - license: Apache-2.0
@@ -29,7 +29,12 @@ pipeline:
     with:
       repository: https://github.com/flannel-io/flannel
       tag: v${{package.version}}
-      expected-commit: b243632fbf70280bc46b949d9ea5ace5d91ef105
+      expected-commit: 20bdda0b238784fbfa623a1cf4c469645f531efa
+
+  - if: ${{build.arch}} == 'aarch64'
+    uses: patch
+    with:
+      patches: disableBrNetfilterCheck.patch
 
   - uses: go/build
     with:
@@ -112,8 +117,13 @@ test:
         sleep 3
 
         # Run flanneld in background
-        flanneld --etcd-endpoints=$ETCD_ENDPOINTS --iface=$IFACE --iptables-forward-rules=false > /tmp/flannel.log 2>&1 &
-        FLANNEL_PID=$!
+        if [ "${{build.arch}}" = "aarch64" ]; then
+          flanneld --etcd-endpoints=$ETCD_ENDPOINTS --iface=$IFACE --iptables-forward-rules=false --disable-br-netfilter-check > /tmp/flannel.log 2>&1 &
+          FLANNEL_PID=$!
+        else
+          flanneld --etcd-endpoints=$ETCD_ENDPOINTS --iface=$IFACE --iptables-forward-rules=false > /tmp/flannel.log 2>&1 &
+          FLANNEL_PID=$!
+        fi
 
         # Save PID to environment file
         echo "export FLANNEL_PID=$FLANNEL_PID" >> /tmp/env.sh

flannel/disableBrNetfilterCheck.patch

@@ -0,0 +1,47 @@
+From b1b4adec167ad515754061b27428449d3c9a39de Mon Sep 17 00:00:00 2001
+From: Debasish Biswas <debasishbsws.dev@gmail.com>
+Date: Thu, 9 Oct 2025 08:41:15 +0000
+Subject: [PATCH] feat: add --disable-br-netfilter-check flag for container
+ environments
+
+This change adds a new command-line flag --disable-br-netfilter-check to address
+compatibility issues in containerized environments, particularly for CI/CD pipelines test
+using Docker runners on aarch64 architecture.
+
+Signed-off-by: Debasish Biswas <debasishbsws.dev@gmail.com>
+---
+ main.go | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/main.go b/main.go
+index 6f40c4d2..d29ac68b 100644
+--- a/main.go
++++ b/main.go
+@@ -98,6 +98,7 @@ type CmdLineOpts struct {
+ 	blackholeRoute            bool
+ 	netConfPath               string
+ 	setNodeNetworkUnavailable bool
++	disableBrNetfilterCheck   bool
+ }
+ 
+ var (
+@@ -136,6 +137,7 @@ func init() {
+ 	flannelFlags.BoolVar(&opts.blackholeRoute, "ip-blackhole-route", false, "add blackroute route ont the node for the local podCIDR")
+ 	flannelFlags.StringVar(&opts.netConfPath, "net-config-path", "/etc/kube-flannel/net-conf.json", "path to the network configuration file")
+ 	flannelFlags.BoolVar(&opts.setNodeNetworkUnavailable, "set-node-network-unavailable", true, "set NodeNetworkUnavailable after ready")
++	flannelFlags.BoolVar(&opts.disableBrNetfilterCheck, "disable-br-netfilter-check", false, "disable br_netfilter module check (useful for Docker environments)")
+ 
+ 	log.InitFlags(nil)
+ 
+@@ -271,7 +273,7 @@ func main() {
+ 		os.Exit(1)
+ 	}
+ 
+-	if runtime.GOOS != "windows" {
++	if runtime.GOOS != "windows" && !opts.disableBrNetfilterCheck {
+ 		// From Kubernetes 1.30 kubeadm doesn't check if the br_netfilter module is loaded and in case it's missing Flannel wrongly starts
+ 		if config.EnableIPv4 {
+ 			if _, err = os.Stat("/proc/sys/net/bridge/bridge-nf-call-iptables"); os.IsNotExist(err) {
+-- 
+2.51.0
+

flyway.yaml

@@ -1,6 +1,6 @@
 package:
   name: flyway
-  version: "11.13.3"
+  version: "11.14.0"
   epoch: 0
   description: "Flyway is a database migration tool to evolve your database schema easily and reliably across all your instances."
   copyright:
@@ -37,7 +37,7 @@ pipeline:
     with:
       repository: https://github.com/flyway/flyway
       tag: flyway-${{package.version}}
-      expected-commit: c3e305df5c3473c77a78ea1bb21d97fe5080cfa0
+      expected-commit: 796bc3217a99012e51f5c666a3cbdd6c6ccc6dcb
 
   - uses: maven/pombump
     with:

grafana-alloy.yaml

@@ -1,6 +1,6 @@
 package:
   name: grafana-alloy
-  version: "1.11.0"
+  version: "1.11.1"
   epoch: 0 # CVE-2025-47910
   description: OpenTelemetry Collector distribution with programmable pipelines
   copyright:
@@ -31,7 +31,7 @@ pipeline:
     with:
       repository: https://github.com/grafana/alloy
       tag: v${{package.version}}
-      expected-commit: 7bd7f7f9a3e8262ae54c2bb4ccc491ae1d7f480e
+      expected-commit: eebd2307a1fa819556f0591f71b39ec1decdd7b3
 
   - name: Generate UI
     runs: make generate-ui

grafana-image-renderer.yaml

@@ -1,6 +1,6 @@
 package:
   name: grafana-image-renderer
-  version: "4.0.16"
+  version: "4.0.17"
   epoch: 0 # GHSA-vj76-c3g6-qr5v
   description: A Grafana backend plugin that handles rendering of panels & dashboards to PNGs using headless browser (Chromium/Chrome)
   copyright:
@@ -32,7 +32,7 @@ pipeline:
     with:
       repository: https://github.com/grafana/grafana-image-renderer
       tag: v${{package.version}}
-      expected-commit: 3998b13834d08065b507e48ae3af9aadfa85dee9
+      expected-commit: 1858c2c51347b23f43b1d288bc9222f16030e3f9
 
   - uses: patch
     with:

jitsucom-jitsu.yaml

@@ -1,7 +1,7 @@
 package:
   name: jitsucom-jitsu
   version: "2.11.0"
-  epoch: 3 # GHSA-33vc-wfww-vjfv
+  epoch: 4 # GHSA-mm7p-fcc7-pg87
   description: Jitsu is an open-source Segment alternative. Fully-scriptable data ingestion engine for modern data teams. Set-up a real-time data pipeline in minutes, not days
   copyright:
     - license: MIT

jitsucom-jitsu/consolidated-cve-remedation.patch

@@ -1,20 +1,8 @@
-From 34a809ac6aca7f8c190c36de1a05a230101a2509 Mon Sep 17 00:00:00 2001
-From: Kyle Steere <kyle.steere@chainguard.dev>
-Date: Thu, 5 Jun 2025 20:29:20 -0500
-Subject: [PATCH] consolidated cve remedation patches: CVE-2025-48387
- CVE-2025-22150 CVE-2025-27152 CVE-2025-27789 CVE-2024-53382 GHSA-fjxv-7rqg-78g4
- GHSA-xv57-4mr9-wg8v GHSA-g5qg-72qw-gw5v GHSA-4342-x723-ch2f
-
-Signed-off-by: Kyle Steere <kyle.steere@chainguard.dev>
----
- package.json | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
 diff --git a/package.json b/package.json
-index a63735238..f631cd555 100644
+index 061b7fefd..c9cbffdc7 100644
 --- a/package.json
 +++ b/package.json
-@@ -66,5 +66,14 @@
+@@ -86,5 +86,15 @@
      "services/*",
      "cli/*",
      "libs/*"
@@ -27,8 +15,7 @@ index a63735238..f631cd555 100644
 +    "tar-fs": "^2.1.3",
 +    "prismjs": "^1.30.0",
 +    "form-data": "^4.0.4",
++    "nodemailer": "^7.0.7",
 +    "next": "^15.4.7"
 +  }
  }
---
-2.43.0