fix(security): Update plural-cli to v0.12.49 for CVE-2026-41506 remediation#3520
fix(security): Update plural-cli to v0.12.49 for CVE-2026-41506 remediation#3520plural-copilot[bot] wants to merge 1 commit into
Conversation
…iation Updates the pinned CLI version in the console image from v0.12.48 to v0.12.49 to consume the security fix from plural-cli PR #738. This change is required because: - The console image bakes in the plural CLI at build time via Dockerfile - The CLI is downloaded from plural-cli GitHub releases during image build - PR #738 updates go-git to v5.19.0 to fix CVE-2026-41506 - This console repo change ensures the image uses the patched CLI release Depends on: pluralsh/plural-cli#738
There was a problem hiding this comment.
This PR was generated by the claude Plural Agent Runtime. Here's some useful information you might want to know to evaluate the ai's perfomance:
| Name | Details |
|---|---|
| 💬 Prompt | Create a focused security remediation PR in pluralsh/console to consume the patched plural CLI release in the console image.... |
| 🔗 Run history | View run history |
Greptile SummaryThis PR bumps
Confidence Score: 4/5Safe to merge once v0.12.49 is confirmed available on GitHub Releases; merging before the upstream tag is published will break Docker image builds. The change itself is minimal and correct in intent, but the Docker build stage fetches the CLI binary live from GitHub Releases using the pinned version tag. A web search at review time shows v0.12.48 as the latest published release; if v0.12.49 is not yet available when the build runs, the curl will 404 and every image build will fail. Dockerfile line 93 — the curl download will break if v0.12.49 is not yet published to GitHub Releases.
|
| Filename | Overview |
|---|---|
| Dockerfile | Single-line bump of CLI_VERSION from v0.12.48 to v0.12.49 for CVE-2026-41506; the new version should be confirmed published on GitHub Releases before merging to avoid a broken build. |
Reviews (1): Last reviewed commit: "fix(security): Update plural-cli to v0.1..." | Re-trigger Greptile
|
|
||
| ARG TARGETARCH=amd64 | ||
| ENV CLI_VERSION=v0.12.48 | ||
| ENV CLI_VERSION=v0.12.49 |
There was a problem hiding this comment.
Target release may not yet be published
A web search against the plural-cli GitHub releases page returns v0.12.48 as the latest available tag. If v0.12.49 has not been pushed to GitHub Releases at merge time, the curl on line 93 will receive a 404 and the Docker build will fail hard (the tarball URL is derived directly from CLI_VERSION). Merging before the upstream release is published would break all image builds that depend on this stage.
Summary
This PR updates the pinned plural-cli version in the console Docker image from
v0.12.48tov0.12.49to consume the security fix from plural-cli PR #738.Context
This console repository change is required in addition to the plural-cli fix because:
Dockerfile(line 88)Security Fix
plural-cli PR #738 remediates CVE-2026-41506 by updating the
go-gitdependency from v5.18.0 to v5.19.0. This is a minimal security patch with no behavioral changes.Changes
Dockerfile: UpdatedENV CLI_VERSIONfromv0.12.48tov0.12.49Dependencies
This PR depends on:
Note: The version v0.12.49 follows the existing versioning pattern and represents the next patch release after v0.12.48 (the current latest release as of 2026-04-30).
Verification
🤖 Generated with Claude Code