From 7249070a9690f34ca299e67c49f26352710e9994 Mon Sep 17 00:00:00 2001
From: Lukasz Gasior <lukasz.gasior@rdx.works>
Date: Tue, 4 Nov 2025 12:43:12 +0100
Subject: [PATCH 1/6] Update EntityListingIndicesLastProcessedStateVersion when
 processing transactions

---
 core-rust/state-manager/src/store/rocks_db.rs | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core-rust/state-manager/src/store/rocks_db.rs b/core-rust/state-manager/src/store/rocks_db.rs
index 58c575d186..fa0fdab4ab 100644
--- a/core-rust/state-manager/src/store/rocks_db.rs
+++ b/core-rust/state-manager/src/store/rocks_db.rs
@@ -637,6 +637,10 @@ impl<R: WriteableRocks> StateManagerDatabase<R> {
                     .state_changes
                     .substate_level_changes,
             );
+            db_context.cf(ExtensionsDataCf).put(
+                &ExtensionsDataKey::EntityListingIndicesLastProcessedStateVersion,
+                &transaction_bundle.state_version.to_be_bytes().to_vec(),
+            );
         }
 
         let CommittedTransactionBundle {

From 9f83ad2eaa7071db361a4a85413c6538556c57d1 Mon Sep 17 00:00:00 2001
From: Lukasz Gasior <lukasz.gasior@rdx.works>
Date: Tue, 4 Nov 2025 13:51:04 +0100
Subject: [PATCH 2/6] Update openjdk and curl version in Dockerfile

---
 Dockerfile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index eeadd6f88c..b25a72a7c5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -56,7 +56,7 @@ RUN apt-get update \
     wget=${WGET_VERSION} \
     software-properties-common=0.99.30-4.1~deb12u1 \
   && apt-get install -y --no-install-recommends \
-    openjdk-17-jdk=17.0.13+11-2~deb12u1 \
+    openjdk-17-jdk=17.0.17+10-1~deb12u1 \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
@@ -126,7 +126,7 @@ RUN apt-get update \
     ca-certificates \
     build-essential=12.9 \
     # https://security-tracker.debian.org/tracker/CVE-2023-38545
-    curl=7.88.1-10+deb12u8 \
+    curl=7.88.1-10+deb12u14 \
     g++-aarch64-linux-gnu \
     g++-x86-64-linux-gnu \
     libc6-dev-arm64-cross=2.36-8cross1 \
@@ -259,9 +259,9 @@ LABEL org.opencontainers.image.authors="devops@radixdlt.com"
 # - https://packages.debian.org/bookworm/libc6
 RUN apt-get update -y \
   && apt-get -y --no-install-recommends install \
-    openjdk-17-jre-headless=17.0.13+11-2~deb12u1 \
+    openjdk-17-jre-headless=17.0.17+10-1~deb12u1 \
     # https://security-tracker.debian.org/tracker/CVE-2023-38545
-    curl=7.88.1-10+deb12u8 \
+    curl=7.88.1-10+deb12u14 \
     gettext-base=0.21-12 \
     daemontools=1:0.76-8.1 \
     # https://security-tracker.debian.org/tracker/CVE-2023-4911

From 8d135f0fd6b9851db9ca88f2e0873938716e235b Mon Sep 17 00:00:00 2001
From: Lukasz Gasior <lukasz.gasior@rdx.works>
Date: Tue, 4 Nov 2025 13:56:13 +0100
Subject: [PATCH 3/6] Update remaining packages in Dockerfile

---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index b25a72a7c5..3375b6afce 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,7 +20,7 @@ ENV DEBIAN_FRONTEND noninteractive
 
 CMD ["/bin/bash"]
 
-ARG WGET_VERSION="1.21.3-1+b2"
+ARG WGET_VERSION="1.21.3-1+deb12u1"
 ARG VERSION_BRANCH=""
 ARG VERSION_COMMIT=""
 ARG VERSION_DISPLAY=""
@@ -50,7 +50,7 @@ ENV VERSION_LAST_TAG=$VERSION_LAST_TAG
 RUN apt-get update \
   && apt-get install -y --no-install-recommends \
     docker.io=20.10.24+dfsg1-1+deb12u1 \
-    libssl-dev=3.0.15-1~deb12u1 \
+    libssl-dev=3.0.17-1~deb12u3 \
     pkg-config=1.8.1-1 \
     unzip=6.0-28 \
     wget=${WGET_VERSION} \
@@ -131,7 +131,7 @@ RUN apt-get update \
     g++-x86-64-linux-gnu \
     libc6-dev-arm64-cross=2.36-8cross1 \
     libclang-dev=1:14.0-55.7~deb12u1 \
-    libssl-dev=3.0.15-1~deb12u1 \
+    libssl-dev=3.0.17-1~deb12u3 \
     pkg-config=1.8.1-1 \
   && rm -rf /var/lib/apt/lists/*
 

From 760e5282e34c220c36df943a388b1ae80cffccc7 Mon Sep 17 00:00:00 2001
From: Lukasz Gasior <lukasz.gasior@rdx.works>
Date: Thu, 13 Nov 2025 17:38:25 +0100
Subject: [PATCH 4/6] Update docker.io in Dockerfile

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 3375b6afce..4d776f628e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -49,7 +49,7 @@ ENV VERSION_LAST_TAG=$VERSION_LAST_TAG
 # - https://packages.debian.org/bookworm/openjdk-17-jdk
 RUN apt-get update \
   && apt-get install -y --no-install-recommends \
-    docker.io=20.10.24+dfsg1-1+deb12u1 \
+    docker.io=20.10.24+dfsg1-1+deb12u1+b2 \
     libssl-dev=3.0.17-1~deb12u3 \
     pkg-config=1.8.1-1 \
     unzip=6.0-28 \

From f09bac493940a3419f5f6eb51b2bac5301eafcf8 Mon Sep 17 00:00:00 2001
From: Lukasz Gasior <lukasz.gasior@rdx.works>
Date: Thu, 13 Nov 2025 18:12:49 +0100
Subject: [PATCH 5/6] Update rust version in dockerfile

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 4d776f628e..f87e423822 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -138,7 +138,7 @@ RUN apt-get update \
 # We fix the version of Rust here to ensure that we can update it without having
 # issues with the caching layers containing outdated versions which aren't compatible.
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs -o rustup.sh \
-  && sh rustup.sh -y --target 1.81.0-aarch64-unknown-linux-gnu 1.81.0-x86_64-unknown-linux-gnu --default-toolchain 1.81.0
+  && sh rustup.sh -y --target 1.88.0-aarch64-unknown-linux-gnu,1.88.0-x86_64-unknown-linux-gnu --default-toolchain 1.88.0
 
 RUN "$HOME/.cargo/bin/cargo" install sccache --version 0.7.4
 

From 7721da0a37d8824af99efb601bc1ba2842a3fc3c Mon Sep 17 00:00:00 2001
From: Lukasz Gasior <lukasz.gasior@rdx.works>
Date: Thu, 13 Nov 2025 19:56:26 +0100
Subject: [PATCH 6/6] Remove snyk-sbom ci job

---
 .../workflows/add-artifacts-to-release.yml    | 26 -------------------
 .github/workflows/ci.yml                      | 23 ----------------
 2 files changed, 49 deletions(-)

diff --git a/.github/workflows/add-artifacts-to-release.yml b/.github/workflows/add-artifacts-to-release.yml
index c59e77d832..b33142a137 100644
--- a/.github/workflows/add-artifacts-to-release.yml
+++ b/.github/workflows/add-artifacts-to-release.yml
@@ -201,29 +201,3 @@ jobs:
         with:
           files: |
             babylon-node-${{ needs.setup_version_properties.outputs.VERSION_TAG }}.zip
-
-  snyk-sbom:
-    if: github.event_name == 'release'
-    name: SBOM
-    runs-on: ubuntu-22.04 # Fix GLIBC
-    permissions: write-all
-    steps:
-      - uses: RDXWorks-actions/checkout@main
-      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
-        with:
-          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
-          app_name: 'babylon-node'
-          step_name: 'snyk-sbom'
-          secret_prefix: 'SNYK'
-          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
-          parse_json: true
-      - name: Generate SBOM
-        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
-        with:
-          args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
-          command: sbom
-      - name: Upload SBOM
-        uses: RDXWorks-actions/action-gh-release@master
-        with:
-          files: |
-            sbom.json
\ No newline at end of file
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c410af801c..17ed3d7b6a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -76,29 +76,6 @@ jobs:
         with:
           args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high
           command: code test
-  snyk-sbom:
-    name: Snyk SBOM
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-      pull-requests: read
-      contents: read
-      deployments: write
-    steps:
-      - uses: RDXWorks-actions/checkout@main
-      - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main
-        with:
-          role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }}
-          app_name: 'babylon-node'
-          step_name: 'snyk-sbom'
-          secret_prefix: 'SNYK'
-          secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }}
-          parse_json: true
-      - name: Generate SBOM # check SBOM can be generated but nothing is done with it
-        uses: RDXWorks-actions/snyk-actions/gradle-jdk17@master
-        with:
-          args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --format=cyclonedx1.4+json > sbom.json
-          command: sbom
   build:
     name: Unit tests and sonarqube
     runs-on: selfhosted-ubuntu-22.04-16-cores