Fix CVE-2025-68121: bump Go toolchain to 1.24.13 in local-app

The local-app Go binaries are embedded in the ide-proxy Docker image.
They were compiled with Go 1.24.9 (from the CI environment), which
contains CVE-2025-68121 (critical Go stdlib vulnerability).

Bump the toolchain directive in local-app/go.mod to go1.24.13, which
forces the Go tool to auto-download 1.24.13 regardless of the CI
environment's installed Go version.

Also add apk upgrade to the ide-proxy Dockerfile to pick up Alpine
security patches at build time (matching the proxy Dockerfile pattern).

The .devcontainer/Dockerfile Go version bump is included for dev
environment consistency but does not affect CI builds.

Co-authored-by: Ona <no-reply@ona.com>

Author: geropl

.devcontainer/Dockerfile

@@ -193,7 +193,7 @@ RUN curl -sSL "https://awscli.amazonaws.com/awscli-exe-linux-$(arch).zip" -o aws
     ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update && \
     rm -rf awscliv2.zip ./aws
 
-ENV GO_VERSION=1.24.9
+ENV GO_VERSION=1.24.13
 ENV GOPATH=/root/go-packages
 ENV GOROOT=/root/go
 ENV PATH=$GOROOT/bin:$GOPATH/bin:$PATH

components/ide-proxy/Dockerfile

@@ -22,6 +22,9 @@ RUN xcaddy build v2.11.1 --output /caddy
 
 FROM caddy/caddy:2.11-alpine
 
+# Ensure latest packages are present, like security updates.
+RUN apk upgrade --no-cache
+
 COPY --from=caddy-builder /caddy /usr/bin/caddy
 COPY conf/Caddyfile /etc/caddy/Caddyfile
 COPY static /www/

components/local-app/go.mod

@@ -2,7 +2,7 @@ module github.com/gitpod-io/local-app
 
 go 1.24
 
-toolchain go1.24.3
+toolchain go1.24.13
 
 godebug tlsmlkem=0