Skip to content

fix(security): Update plural-cli to v0.12.49 for CVE-2026-41506 remediation#3520

Closed
plural-copilot[bot] wants to merge 1 commit into
masterfrom
agent/security-update-cli-v0.12.49-1778102791303
Closed

fix(security): Update plural-cli to v0.12.49 for CVE-2026-41506 remediation#3520
plural-copilot[bot] wants to merge 1 commit into
masterfrom
agent/security-update-cli-v0.12.49-1778102791303

Conversation

@plural-copilot

@plural-copilot plural-copilot Bot commented May 6, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR updates the pinned plural-cli version in the console Docker image from v0.12.48 to v0.12.49 to consume the security fix from plural-cli PR #738.

Context

This console repository change is required in addition to the plural-cli fix because:

  • The console image bakes in the plural CLI at build time via Dockerfile (line 88)
  • The CLI binary is downloaded directly from plural-cli GitHub releases during the Docker build process
  • Without updating the pinned version here, the console image would continue to use the vulnerable v0.12.48 even after plural-cli PR fix: Link to PR not working when PR list is inside modal #738 is merged and released

Security Fix

plural-cli PR #738 remediates CVE-2026-41506 by updating the go-git dependency from v5.18.0 to v5.19.0. This is a minimal security patch with no behavioral changes.

Changes

  • Dockerfile: Updated ENV CLI_VERSION from v0.12.48 to v0.12.49

Dependencies

This PR depends on:

Note: The version v0.12.49 follows the existing versioning pattern and represents the next patch release after v0.12.48 (the current latest release as of 2026-04-30).

Verification

  • ✅ Dockerfile syntax validated with Docker build check
  • ✅ Change is minimal and focused (single line update)
  • ✅ No code or behavioral changes expected

🤖 Generated with Claude Code

…iation

Updates the pinned CLI version in the console image from v0.12.48 to v0.12.49
to consume the security fix from plural-cli PR #738.

This change is required because:
- The console image bakes in the plural CLI at build time via Dockerfile
- The CLI is downloaded from plural-cli GitHub releases during image build
- PR #738 updates go-git to v5.19.0 to fix CVE-2026-41506
- This console repo change ensures the image uses the patched CLI release

Depends on: pluralsh/plural-cli#738

@plural-copilot plural-copilot Bot left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR was generated by the claude Plural Agent Runtime. Here's some useful information you might want to know to evaluate the ai's perfomance:

Name Details
💬 Prompt Create a focused security remediation PR in pluralsh/console to consume the patched plural CLI release in the console image....
🔗 Run history View run history

@michaeljguarino michaeljguarino added the enhancement New feature or request label May 6, 2026
@greptile-apps

greptile-apps Bot commented May 6, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR bumps CLI_VERSION in the Dockerfile from v0.12.48 to v0.12.49 to pull in the upstream go-git security fix for CVE-2026-41506; it is a single-line change with no behavioral impact beyond the version update.

  • Dockerfile: ENV CLI_VERSION updated from v0.12.48 to v0.12.49; the build downloads the binary directly from GitHub Releases, so the target release must be published before this image can build successfully.

Confidence Score: 4/5

Safe to merge once v0.12.49 is confirmed available on GitHub Releases; merging before the upstream tag is published will break Docker image builds.

The change itself is minimal and correct in intent, but the Docker build stage fetches the CLI binary live from GitHub Releases using the pinned version tag. A web search at review time shows v0.12.48 as the latest published release; if v0.12.49 is not yet available when the build runs, the curl will 404 and every image build will fail.

Dockerfile line 93 — the curl download will break if v0.12.49 is not yet published to GitHub Releases.

Important Files Changed

Filename Overview
Dockerfile Single-line bump of CLI_VERSION from v0.12.48 to v0.12.49 for CVE-2026-41506; the new version should be confirmed published on GitHub Releases before merging to avoid a broken build.

Reviews (1): Last reviewed commit: "fix(security): Update plural-cli to v0.1..." | Re-trigger Greptile

Comment thread Dockerfile

ARG TARGETARCH=amd64
ENV CLI_VERSION=v0.12.48
ENV CLI_VERSION=v0.12.49

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Target release may not yet be published

A web search against the plural-cli GitHub releases page returns v0.12.48 as the latest available tag. If v0.12.49 has not been pushed to GitHub Releases at merge time, the curl on line 93 will receive a 404 and the Docker build will fail hard (the tarball URL is derived directly from CLI_VERSION). Merging before the upstream release is published would break all image builds that depend on this stage.

@michaeljguarino michaeljguarino deleted the agent/security-update-cli-v0.12.49-1778102791303 branch May 6, 2026 21:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants