chore(deps): bump generator/seed base images to clear repeatable CVEs (#15804)

* chore: bump Node base images to 24.15.0 LTS for openssl April 2026 CVE fixes

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

* chore: revert Node major bumps; keep cache-busting tweak only

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

* chore(ts-seed): keep apt-get upgrade (revert dist-upgrade) and use autoremove --purge for cache busting

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

* chore(ts-seed): standardize on dist-upgrade to match pydantic-model and ts-sdk-cli

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

* chore: bump composer (php-sdk) and Go/golangci-lint (go-seed) base images for CVE fixes

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

* chore: revert Node-image cache-bust changes (do not fix Node-bundled OpenSSL CVEs)

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

* chore(python-sdk-generator): bump Node 20.19.4 -> 22.22 and dist-upgrade Debian trixie packages

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

* chore: bump ts-sdk-validator Node 20 -> 22.22, php-model composer 2.7.9 -> 2.9.7

* test(ete): bump diff.test.ts timeout 20s -> 60s to absorb CI runner load

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: davidkonigsberg <konigsberg@buildwithfern.com>

Author: 3 people

docker/seed/Dockerfile.go

@@ -12,10 +12,10 @@ FROM docker:29.4.1-dind-alpine3.23
 COPY --from=wiremock-pull /wiremock.tar /wiremock.tar
 
 # Apply the latest APK security patches available for the base image
-RUN apk update && apk upgrade --no-cache
+RUN apk update && apk upgrade --no-cache --available
 
 # Install Go (multi-arch: supports both amd64 and arm64)
-ENV GO_VERSION=1.23.8
+ENV GO_VERSION=1.26.3
 RUN set -eux; \
     ARCH="$(uname -m)"; \
     case "${ARCH}" in \
@@ -34,7 +34,7 @@ ENV PATH="/usr/local/go/bin:${PATH}" \
 RUN mkdir -p "${GOPATH}/src" "${GOPATH}/bin"
 
 # Install golangci-lint
-ENV GOLANGCI_LINT_VERSION=v2.10.1
+ENV GOLANGCI_LINT_VERSION=v2.12.2
 RUN wget -O- -nv https://golangci-lint.run/install.sh | sh -s -- -b /usr/local/bin ${GOLANGCI_LINT_VERSION}
 
 # Create entrypoint script to start dockerd and wait until it is ready

generators/php/model/Dockerfile

@@ -1,5 +1,5 @@
 FROM node:22.22-alpine3.23 AS node
-FROM composer:2.7.9
+FROM composer:2.9.7
 
 ENV YARN_CACHE_FOLDER=/.yarn
 ARG SENTRY_DSN
@@ -9,7 +9,7 @@ ENV SENTRY_DSN=$SENTRY_DSN
 ENV SENTRY_ENVIRONMENT=$SENTRY_ENVIRONMENT
 ENV SENTRY_RELEASE=$SENTRY_RELEASE
 
-RUN apk update && apk upgrade --no-cache
+RUN apk update && apk upgrade --no-cache --available
 RUN apk --no-cache add bash curl git zip
 RUN git config --global user.email "115122769+fern-api[bot]@users.noreply.github.com" && \
     git config --global user.name "fern-api"

generators/php/sdk/Dockerfile

@@ -1,5 +1,5 @@
 FROM node:22.22-alpine3.23 AS node
-FROM composer:2.7.9
+FROM composer:2.9.7
 
 ENV YARN_CACHE_FOLDER=/.yarn
 ARG SENTRY_DSN
@@ -9,7 +9,7 @@ ENV SENTRY_DSN=$SENTRY_DSN
 ENV SENTRY_ENVIRONMENT=$SENTRY_ENVIRONMENT
 ENV SENTRY_RELEASE=$SENTRY_RELEASE
 
-RUN apk update && apk upgrade --no-cache
+RUN apk update && apk upgrade --no-cache --available
 RUN apk --no-cache add bash curl git zip
 RUN git config --global user.email "115122769+fern-api[bot]@users.noreply.github.com" && \
     git config --global user.name "fern-api"

generators/php/sdk/changes/unreleased/bump-composer-base-image-cves.yml

@@ -0,0 +1,8 @@
+- summary: |
+    Bump the php-sdk container's `composer` base image from `composer:2.7.9`
+    (Alpine 3.20, PHP 8.3.12) to `composer:2.9.7` (Alpine 3.22, current PHP),
+    addressing the Alpine 3.20 EOL alert and the PHP 8.3.12 CVEs
+    (CVE-2024-8932, CVE-2024-11236, CVE-2025-1861), and force a fresh
+    `apk upgrade` so the rebuilt image picks up the patched openssl 3.5.6-r0
+    from Alpine 3.23.4 (CVE-2026-31789).
+  type: chore

generators/php/sdk/changes/unreleased/bump-php-model-composer-base-image.yml

@@ -0,0 +1,7 @@
+- summary: |
+    Bump the php-model container's `composer` base image from `composer:2.7.9`
+    (Alpine 3.20, PHP 8.3.12) to `composer:2.9.7` (Alpine 3.22, current PHP),
+    mirroring the php-sdk bump. Addresses the Alpine 3.20 EOL alert and the
+    PHP 8.3.12 CVEs (CVE-2024-8932, CVE-2024-11236, CVE-2025-1861), and
+    standardizes on `apk upgrade --no-cache --available` for cache invalidation.
+  type: chore

generators/python/sdk/Dockerfile

@@ -1,5 +1,5 @@
 # Stage 1: Copy Node.js from official image
-FROM node:20.19.4-slim AS node
+FROM node:22.22-bookworm-slim AS node
 
 # Stage 2: Base Python image with dependencies
 FROM python:3.13.7-slim AS python-base
@@ -10,7 +10,11 @@ COPY --from=node /usr/local/lib/node_modules /usr/local/lib/node_modules
 RUN ln -s /usr/local/lib/node_modules/npm/bin/npm-cli.js /usr/local/bin/npm && \
     ln -s /usr/local/lib/node_modules/npm/bin/npx-cli.js /usr/local/bin/npx
 
-RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl git && rm -rf /var/lib/apt/lists/*
+RUN apt-get update \
+    && apt-get -y --no-install-recommends dist-upgrade \
+    && apt-get install -y --no-install-recommends ca-certificates curl git \
+    && apt-get -y autoremove \
+    && rm -rf /var/lib/apt/lists/*
 RUN node --version
 RUN npm --version
 

generators/python/sdk/changes/unreleased/bump-node-and-debian-security-patches.yml

@@ -0,0 +1,10 @@
+# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json
+
+- summary: |
+    Bump the python-sdk container's Node.js stage from `node:20.19.4-slim`
+    (Node 20 went EOL March 24, 2026) to `node:22.22-bookworm-slim`, and
+    apply latest Debian trixie security updates at build time so OS-level
+    package CVEs are picked up. Addresses CVE-2025-55130 (Node 20.19.4
+    permission-model symlink bypass) and the OS-level CVE-2026-31789
+    against `openssl 3.5.1-1`.
+  type: chore

generators/typescript/sdk/changes/unreleased/bump-validator-node-base-image.yml

@@ -0,0 +1,6 @@
+- summary: |
+    Bump the typescript-sdk-validator container's `node:20-slim` base image
+    to `node:22.22-bookworm-slim`. Node 20 went EOL March 24, 2026, and the
+    container was carrying the Node 20 EOL alert plus CVE-2025-55130
+    (Node 20 permission-model symlink bypass).
+  type: chore

generators/typescript/sdk/validator/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:20-slim
+FROM node:22.22-bookworm-slim
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends ca-certificates git \

packages/cli/ete-tests/src/tests/diff/diff.test.ts

@@ -32,7 +32,7 @@ it("breaking", async ({ signal }) => {
         expect(result.stdout).toMatchSnapshot();
         expect(result.exitCode).toBe(1);
     }
-}, 20_000);
+}, 60_000);
 
 it("non-breaking", async ({ signal }) => {
     const nonBreakingChangeDirs = await readdir(NON_BREAKING_FIXTURES_DIR, { withFileTypes: true });
@@ -50,4 +50,4 @@ it("non-breaking", async ({ signal }) => {
         expect(result.stdout).toMatchSnapshot();
         expect(result.exitCode).toBe(0);
     }
-}, 20_000);
+}, 60_000);