fix: address additional CVEs and CI failures

CVE-2026-4800 (lodash, HIGH)
CVE-2026-26996 (minimatch, HIGH)
CVE-2026-27903 (minimatch, HIGH)
CVE-2026-27904 (minimatch, HIGH)
CVE-2026-34785 (rack, HIGH)
CVE-2026-34829 (rack, HIGH)
CVE-2025-15467 (alpine, CRITICAL)
OS-EOL-001 (alpine 3.20.3 end of life)

Author: loadez

bootstrapper/Dockerfile

@@ -1,6 +1,6 @@
 ARG GO_VERSION=1.24
 ARG UBUNTU_VERSION=3.17.7
-ARG ALPINE_VERSION=3.20.3
+ARG ALPINE_VERSION=3.22
 ARG BUILDER_IMAGE="golang:${GO_VERSION}"
 ARG RUNNER_IMAGE="alpine:${ALPINE_VERSION}"
 

docs/package-lock.json

@@ -55,6 +55,9 @@
     "node-forge": "1.4.0",
     "path-to-regexp": "0.1.13",
     "picomatch": "2.3.2",
+    "minimatch": "3.1.4",
+    "lodash": "4.18.1",
+    "lodash-es": "4.18.1",
     "serve-handler": {
       "minimatch": "3.1.4"
     },
@@ -72,6 +75,9 @@
     "node-forge": "1.4.0",
     "path-to-regexp": "0.1.13",
     "picomatch": "2.3.2",
+    "minimatch": "3.1.4",
+    "lodash": "4.18.1",
+    "lodash-es": "4.18.1",
     "@redocly/openapi-core/minimatch": "5.1.8",
     "sucrase/glob/minimatch": "9.0.7",
     "serve-handler/minimatch": "3.1.4",

docs/package.json

@@ -3802,13 +3802,6 @@ brace-expansion@^2.0.1:
   dependencies:
     balanced-match "^1.0.0"
 
-brace-expansion@^2.0.2:
-  version "2.0.3"
-  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-2.0.3.tgz#0493338bdd58e319b1039c67cf7ee439892c01d9"
-  integrity sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==
-  dependencies:
-    balanced-match "^1.0.0"
-
 brace-expansion@^5.0.2:
   version "5.0.4"
   resolved "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz"
@@ -7065,10 +7058,10 @@ locate-path@^7.1.0:
   dependencies:
     p-locate "^6.0.0"
 
-lodash-es@4.17.21, lodash-es@^4.17.21:
-  version "4.17.21"
-  resolved "https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.21.tgz"
-  integrity sha512-mKnC+QJ9pWVzv+C4/U3rRsHapFfHvQFoFB92e52xeyGMcX6/OlIl78je1u8vePzYZSkkogMPJ2yjxxsb89cxyw==
+lodash-es@4.17.21, lodash-es@4.18.1, lodash-es@^4.17.21:
+  version "4.18.1"
+  resolved "https://registry.npmjs.org/lodash-es/-/lodash-es-4.18.1.tgz"
+  integrity sha512-J8xewKD/Gk22OZbhpOVSwcs60zhd95ESDwezOFuA3/099925PdHJ7OFHNTGtajL3AlZkykD32HykiMo+BIBI8A==
 
 lodash.debounce@^4.0.8:
   version "4.0.8"
@@ -7090,10 +7083,10 @@ lodash.uniq@^4.5.0:
   resolved "https://registry.npmjs.org/lodash.uniq/-/lodash.uniq-4.5.0.tgz"
   integrity sha512-xfBaXQd9ryd9dlSDvnvI0lvxfLJlYAZzXomUYzLKtUeOQvOP5piqAWuGtrhWeqaXK9hhoM/iyJc5AV+XfsX3HQ==
 
-lodash@4.17.21, lodash@^4.17.15, lodash@^4.17.20, lodash@^4.17.21, lodash@^4.17.4:
-  version "4.17.21"
-  resolved "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
-  integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
+lodash@4.17.21, lodash@4.18.1, lodash@^4.17.15, lodash@^4.17.20, lodash@^4.17.21, lodash@^4.17.4:
+  version "4.18.1"
+  resolved "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz"
+  integrity sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==
 
 longest-streak@^3.0.0:
   version "3.1.0"
@@ -8393,14 +8386,7 @@ minimalistic-assert@^1.0.0:
   resolved "https://registry.npmjs.org/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz"
   integrity sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==
 
-minimatch@3.1.2:
-  version "3.1.2"
-  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
-  integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
-  dependencies:
-    brace-expansion "^1.1.7"
-
-minimatch@3.1.4:
+minimatch@3.1.2, minimatch@3.1.4, minimatch@^3.1.1, minimatch@^5.0.1, minimatch@^9.0.4:
   version "3.1.4"
   resolved "https://registry.npmjs.org/minimatch/-/minimatch-3.1.4.tgz"
   integrity sha512-twmL+S8+7yIsE9wsqgzU3E8/LumN3M3QELrBZ20OdmQ9jB2JvW5oZtBEmft84k/Gs5CG9mqtWc6Y9vW+JEzGxw==
@@ -8421,27 +8407,6 @@ minimatch@9.0.7:
   dependencies:
     brace-expansion "^5.0.2"
 
-minimatch@^3.1.1:
-  version "3.1.5"
-  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.5.tgz#580c88f8d5445f2bd6aa8f3cadefa0de79fbd69e"
-  integrity sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==
-  dependencies:
-    brace-expansion "^1.1.7"
-
-minimatch@^5.0.1:
-  version "5.1.9"
-  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-5.1.9.tgz#1293ef15db0098b394540e8f9f744f9fda8dee4b"
-  integrity sha512-7o1wEA2RyMP7Iu7GNba9vc0RWWGACJOCZBJX2GJWip0ikV+wcOsgVuY9uE8CPiyQhkGFSlhuSkZPavN7u1c2Fw==
-  dependencies:
-    brace-expansion "^2.0.1"
-
-minimatch@^9.0.4:
-  version "9.0.9"
-  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-9.0.9.tgz#9b0cb9fcb78087f6fd7eababe2511c4d3d60574e"
-  integrity sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==
-  dependencies:
-    brace-expansion "^2.0.2"
-
 minimist@^1.2.0, minimist@^1.2.3:
   version "1.2.8"
   resolved "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz"

docs/yarn.lock

@@ -5,7 +5,7 @@ gem "bundler", ">= 1.8.4"
 
 gem "pg", "~> 1.1"
 gem "rails", ">= 8.0.4.1", "< 8.1"
-gem "rack", "~> 2.2.20"
+gem "rack", "~> 2.2.23"
 gem "sprockets-rails"
 
 gem "excon", "~> 0.81.0"

github_hooks/Gemfile

@@ -283,7 +283,7 @@ GEM
       nio4r (~> 2.0)
     raabro (1.4.0)
     racc (1.8.1)
-    rack (2.2.22)
+    rack (2.2.23)
     rack-session (1.0.2)
       rack (< 3)
     rack-test (2.2.0)

github_hooks/Gemfile.lock

@@ -1,5 +1,5 @@
 ARG GO_VERSION=1.24
-ARG ALPINE_VERSION=3.20.3
+ARG ALPINE_VERSION=3.22
 ARG BUILDER_IMAGE="golang:${GO_VERSION}"
 ARG RUNNER_IMAGE="alpine:${ALPINE_VERSION}"