Update Go to 1.24.13 and harden ide-proxy Dockerfile

geropl · ona-agent · geropl · commit a785ad141b3d · 2026-03-04T10:03:17.000Z
- Bump Go from 1.24.9 to 1.24.13 to fix CVE-2025-68121 (critical Go stdlib vulnerability) in all Go binaries built in CI. This was the remaining critical finding in ide-proxy:docker via the embedded local-app binaries. - Add apk upgrade to ide-proxy Dockerfile to match the proxy Dockerfile pattern and pick up Alpine security patches at build time. Co-authored-by: Ona <no-reply@ona.com>
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -193,7 +193,7 @@ RUN curl -sSL "https://awscli.amazonaws.com/awscli-exe-linux-$(arch).zip" -o aws
     ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update && \
     rm -rf awscliv2.zip ./aws
 
-ENV GO_VERSION=1.24.9
+ENV GO_VERSION=1.24.13
 ENV GOPATH=/root/go-packages
 ENV GOROOT=/root/go
 ENV PATH=$GOROOT/bin:$GOPATH/bin:$PATH
diff --git a/components/ide-proxy/Dockerfile b/components/ide-proxy/Dockerfile
@@ -22,6 +22,9 @@ RUN xcaddy build v2.11.1 --output /caddy
 
 FROM caddy/caddy:2.11-alpine
 
+# Ensure latest packages are present, like security updates.
+RUN apk upgrade --no-cache
+
 COPY --from=caddy-builder /caddy /usr/bin/caddy
 COPY conf/Caddyfile /etc/caddy/Caddyfile
 COPY static /www/
