Merged
2 changes: 1 addition & 1 deletion .devcontainer/Dockerfile
Expand Up @@ -193,7 +193,7 @@ RUN curl -sSL "https://awscli.amazonaws.com/awscli-exe-linux-$(arch).zip" -o aws
./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update && \
rm -rf awscliv2.zip ./aws

ENV GO_VERSION=1.24.9
ENV GO_VERSION=1.24.13
ENV GOPATH=/root/go-packages
ENV GOROOT=/root/go
ENV PATH=$GOROOT/bin:$GOPATH/bin:$PATH
12 changes: 6 additions & 6 deletions .github/workflows/branch-build.yml
Expand Up @@ -107,7 +107,7 @@ jobs:
cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
runs-on: ubuntu-latest-16-cores
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
Expand Down Expand Up @@ -135,7 +135,7 @@ jobs:
(needs.configuration.outputs.is_scheduled_run != 'true')
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
concurrency:
group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-infrastructure
Expand Down Expand Up @@ -182,7 +182,7 @@ jobs:
ports:
- 6379:6379
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
env:
DB_HOST: "mysql"
Expand Down Expand Up @@ -405,7 +405,7 @@ jobs:
if: needs.configuration.outputs.is_scheduled_run != 'true'
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
concurrency:
group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-install
Expand Down Expand Up @@ -458,7 +458,7 @@ jobs:
environment: branch-build
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
if: needs.configuration.outputs.with_monitoring == 'true' && needs.configuration.outputs.is_scheduled_run != 'true'
concurrency:
Expand Down Expand Up @@ -487,7 +487,7 @@ jobs:
environment: branch-build
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
if: needs.configuration.outputs.with_integration_tests != '' && needs.configuration.outputs.is_scheduled_run != 'true'
concurrency:
12 changes: 6 additions & 6 deletions .github/workflows/build.yml
Expand Up @@ -110,7 +110,7 @@ jobs:
cancel-in-progress: ${{ needs.configuration.outputs.is_main_branch == 'false' }}
runs-on: ubuntu-latest-16-cores
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
Expand Down Expand Up @@ -138,7 +138,7 @@ jobs:
(needs.configuration.outputs.is_scheduled_run != 'true')
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
concurrency:
group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-infrastructure
Expand Down Expand Up @@ -185,7 +185,7 @@ jobs:
ports:
- 6379:6379
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
env:
DB_HOST: "mysql"
Expand Down Expand Up @@ -443,7 +443,7 @@ jobs:
if: needs.configuration.outputs.is_scheduled_run != 'true'
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
concurrency:
group: ${{ github.ref == 'refs/heads/main' && github.run_id || github.sha }}-install
Expand Down Expand Up @@ -496,7 +496,7 @@ jobs:
environment: main-build
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
if: needs.configuration.outputs.with_monitoring == 'true' && needs.configuration.outputs.is_scheduled_run != 'true'
concurrency:
Expand Down Expand Up @@ -525,7 +525,7 @@ jobs:
environment: main-build
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
if: needs.configuration.outputs.with_integration_tests != '' && needs.configuration.outputs.is_scheduled_run != 'true'
concurrency:
2 changes: 1 addition & 1 deletion .github/workflows/code-nightly.yml
Expand Up @@ -11,7 +11,7 @@ jobs:
build:
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
8 changes: 4 additions & 4 deletions .github/workflows/ide-integration-tests.yml
Expand Up @@ -36,7 +36,7 @@ jobs:
name: Configuration
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
outputs:
name: ${{ steps.configuration.outputs.name }}
Expand Down Expand Up @@ -93,7 +93,7 @@ jobs:
needs: [configuration]
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
concurrency:
group: ${{ needs.configuration.outputs.name }}-infrastructure
Expand Down Expand Up @@ -126,7 +126,7 @@ jobs:
needs: [configuration, infrastructure]
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
volumes:
- /var/tmp:/var/tmp
Expand Down Expand Up @@ -216,7 +216,7 @@ jobs:
if: github.event.inputs.skip_delete != 'true' && always()
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
2 changes: 1 addition & 1 deletion .github/workflows/jetbrains-auto-update-template.yml
Expand Up @@ -15,7 +15,7 @@ jobs:
update-jetbrains:
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
steps:
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # pin@v2
2 changes: 1 addition & 1 deletion .github/workflows/jetbrains-integration-test.yml
Expand Up @@ -34,7 +34,7 @@ on:
jobs:
jetbrains-smoke-test-linux:
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
runs-on: ubuntu-latest
steps:
6 changes: 3 additions & 3 deletions .github/workflows/preview-env-check-regressions.yml
Expand Up @@ -60,7 +60,7 @@ jobs:
needs: [configuration]
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
concurrency:
group: ${{ needs.configuration.outputs.name }}-infrastructure
Expand Down Expand Up @@ -93,7 +93,7 @@ jobs:
if: ${{ needs.configuration.outputs.skip == 'false' }}
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
volumes:
- /var/tmp:/var/tmp
Expand Down Expand Up @@ -171,7 +171,7 @@ jobs:
if: always()
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
2 changes: 1 addition & 1 deletion .github/workflows/preview-env-delete.yml
Expand Up @@ -15,7 +15,7 @@ jobs:
if: github.event.ref_type == 'branch' || github.event.inputs.name != ''
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
4 changes: 2 additions & 2 deletions .github/workflows/preview-env-gc.yml
Expand Up @@ -11,7 +11,7 @@ jobs:
name: "Find stale preview environments"
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
outputs:
names: ${{ steps.set-matrix.outputs.names }}
Expand Down Expand Up @@ -43,7 +43,7 @@ jobs:
needs: [stale]
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
if: ${{ needs.stale.outputs.count > 0 }}
strategy:
8 changes: 4 additions & 4 deletions .github/workflows/workspace-integration-tests.yml
Expand Up @@ -52,7 +52,7 @@ jobs:
name: Configuration
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
outputs:
name: ${{ steps.configuration.outputs.name }}
Expand Down Expand Up @@ -126,7 +126,7 @@ jobs:
needs: [configuration]
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
concurrency:
group: ${{ needs.configuration.outputs.name }}-infrastructure
Expand Down Expand Up @@ -159,7 +159,7 @@ jobs:
needs: [configuration, infrastructure]
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
Expand All @@ -183,7 +183,7 @@ jobs:
if: inputs.skip_delete != 'true' && always()
runs-on: ubuntu-latest
container:
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
options: --user root
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
2 changes: 1 addition & 1 deletion .gitpod.yml
@@ -1,4 +1,4 @@
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:gpl-npm-oidc-support-gha.42
image: eu.gcr.io/gitpod-dev-artifact/dev/dev-environment:fix-go-1-24-13-cve-2025-68121-gha.181
workspaceLocation: gitpod/gitpod-ws.code-workspace
checkoutLocation: gitpod
ports:
3 changes: 3 additions & 0 deletions components/ide-proxy/Dockerfile
Expand Up @@ -22,6 +22,9 @@ RUN xcaddy build v2.11.1 --output /caddy

FROM caddy/caddy:2.11-alpine

# Ensure latest packages are present, like security updates.
RUN apk upgrade --no-cache

COPY --from=caddy-builder /caddy /usr/bin/caddy
COPY conf/Caddyfile /etc/caddy/Caddyfile
COPY static /www/
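Review bot: `RUN apk upgrade --no-cache` in the final stage only pulls security updates when this layer is actually re-executed, so a cached build keeps whatever packages were current when the layer was first built and the comment's "latest packages" does not hold for it. The base `caddy/caddy:2.11-alpine` is a floating tag as well, so two builds of the same commit can ship different package sets and the result is not reproducible. Consider pinning the base image by digest and bumping it on a schedule, or building this stage with the cache disabled, and reword the comment to say when the upgrade runs, e.g. `# Pull Alpine security updates at build time; only effective when this layer is rebuilt.` The stage continues past the end of the hunk, so whether a `USER` is set later cannot be seen from here.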
2 changes: 1 addition & 1 deletion components/local-app/go.mod
Expand Up @@ -2,7 +2,7 @@ module github.com/gitpod-io/local-app

go 1.24

toolchain go1.24.3
toolchain go1.24.13

godebug tlsmlkem=0

20 changes: 17 additions & 3 deletions dev/image/Dockerfile
Expand Up @@ -4,10 +4,21 @@

FROM gitpod/workspace-gitpod-dev:latest

ENV TRIGGER_REBUILD 43
ENV TRIGGER_REBUILD 45

USER root

### Go ###
# Pin Go version explicitly to ensure all CI-built binaries use a
# non-vulnerable toolchain (CVE-2025-68121 requires >= 1.24.13).
ENV GO_VERSION=1.24.13
RUN rm -rf /usr/local/go /home/gitpod/go /home/gitpod/.cache/go-build \
&& curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar -C /usr/local -xz \
&& ln -sf /usr/local/go/bin/go /usr/bin/go \
&& ln -sf /usr/local/go/bin/gofmt /usr/bin/gofmt
ENV GOROOT=/usr/local/go
ENV PATH=/usr/local/go/bin:$PATH

### cloud_sql_proxy ###
ARG CLOUD_SQL_PROXY=/usr/local/bin/cloud_sql_proxy
RUN curl -fsSL https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 > $CLOUD_SQL_PROXY \
Expand Down Expand Up @@ -255,7 +266,7 @@ RUN brew install tmux tmuxinator \
&& brew install redis \
# Install zed & spicedb CLI
&& brew install authzed/tap/zed \
&& brew install authzed/tap/spicedb \
&& (brew install authzed/tap/spicedb || brew install authzed/tap/spicedb) \
&& brew cleanup

# Copy our own tools
Expand All @@ -273,7 +284,10 @@ ENV PREVIEW_ENV_DEV_SA_KEY_PATH=/home/gitpod/.config/gcloud/preview-environment-

# So we can parse the report.html output by leeway, and remove the output produced by this image build
# why? it's too verbose, exceeding the Github Actions summary limit
RUN go install github.com/ericchiang/pup@v0.4.0
RUN curl -fsSL https://github.com/ericchiang/pup/releases/download/v0.4.0/pup_v0.4.0_linux_amd64.zip -o /tmp/pup.zip \
&& sudo unzip -o /tmp/pup.zip -d /usr/local/bin \
&& sudo chmod +x /usr/local/bin/pup \
&& rm /tmp/pup.zip

# Install oci-tool
RUN curl -fsSL https://github.com/csweichel/oci-tool/releases/download/v0.2.0/oci-tool_0.2.0_linux_amd64.tar.gz | sudo tar xz -C /usr/local/bin \
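Review bot: The Go toolchain added under `### Go ###` is fetched with `curl … | tar -C /usr/local -xz` and unpacked as root with no integrity check, so the image that builds every CI binary trusts whatever the download returns. Download the tarball to a file, verify it against a pinned SHA-256 taken from the official Go downloads page, and only then extract it; the sketch below uses a labelled placeholder for the digest. The same gap applies to the `pup_v0.4.0_linux_amd64.zip` download in the last hunk, which replaces `go install github.com/ericchiang/pup@v0.4.0` and so gives up the module checksum verification that `go install` performs by default in favour of an unverified release asset. The `(brew install authzed/tap/spicedb || brew install authzed/tap/spicedb)` retry also deserves a one-line comment saying which flake it works around.

```dockerfile
ENV GO_VERSION=1.24.13
# Placeholder: replace with the published SHA-256 of go${GO_VERSION}.linux-amd64.tar.gz
ARG GO_SHA256=REPLACE_WITH_PUBLISHED_SHA256
RUN rm -rf /usr/local/go /home/gitpod/go /home/gitpod/.cache/go-build \
    && curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" -o /tmp/go.tgz \
    && echo "${GO_SHA256}  /tmp/go.tgz" | sha256sum -c - \
    && tar -C /usr/local -xzf /tmp/go.tgz \
    && rm /tmp/go.tgz \
# … unchanged: go and gofmt symlinks, GOROOT and PATH …
```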