chore(deps): bump generator/seed base images to clear repeatable CVEs#15804

Merged
davidkonigsberg merged 10 commits into
mainfrom
devin/1778243415-fix-openssl-cve-base-images
May 8, 2026
Conversation

@davidkonigsberg davidkonigsberg commented May 8, 2026

Description

Linear ticket: Refs

Targets repeatable Critical/High CVEs flagged by Vanta / AWS ECR scans on five generator + seed containers, with a deliberately narrow diff. Each container gets bumped to a base image / toolchain version that ships the patched dependency:

  • php-sdk-generator and php-model — both move off Alpine 3.20 (EOL) + PHP 8.3.12 by bumping the composer base image.
  • go-seed — bumps the Go toolchain and golangci-lint to versions that vendor patched golang.org/x/crypto, google.golang.org/grpc, and stdlib.
  • python-sdk-generator — moves off the EOL Node 20 line, and adds a Debian trixie security dist-upgrade step so OS-level openssl and friends are pulled in at build time.
  • typescript-sdk-validator — moves off the EOL Node 20 line.

The --available flag on the apk upgrade lines is purely a cache-bust — it forces BuildKit to re-run the upgrade against current Alpine indexes on the next build, so the rebuilt images actually pick up any backported security packages that landed since the previous cache hit. No behavioral change otherwise.

Changes Made

docker/seed/Dockerfile.go:

  • GO_VERSION 1.23.8 → 1.26.3 (released 2026-05-07; covers CVE-2026-27143, CVE-2025-68121, and other stdlib fixes).
  • GOLANGCI_LINT_VERSION v2.10.1 → v2.12.2 (built against patched golang.org/x/crypto and google.golang.org/grpc, addressing CVE-2024-45337 and CVE-2026-33186).
  • apk upgrade --no-cache → apk upgrade --no-cache --available (cache-bust on the alpine 3.23 base).

generators/php/sdk/Dockerfile:

  • composer:2.7.9 → composer:2.9.7 — moves base from Alpine 3.20 (EOL) onto Alpine 3.22, and from PHP 8.3.12 onto current PHP. Clears ALPINE_LINUX_3_20, php/php:8.3.12/CVE-2024-8932, CVE-2024-11236, CVE-2025-1861.
  • Same --available cache-bust on the apk upgrade line.
  • New changelog stub.

generators/php/model/Dockerfile:

  • composer:2.7.9 → composer:2.9.7, mirroring the php-sdk bump (this container shows the same Alpine 3.20 EOL alert and PHP 8.3.12 CVEs in Vanta).
  • Same --available cache-bust on the apk upgrade line.
  • New changelog stub.

generators/python/sdk/Dockerfile:

  • Node multistage node:20.19.4-slim → node:22.22-bookworm-slim. Node 20 went EOL on 2026-03-24; this also clears nodejs/node:20.19.4/CVE-2025-55130 (permission-model symlink bypass).
  • Adds apt-get -y --no-install-recommends dist-upgrade && apt-get -y autoremove to the existing apt-get install step. Pulls patched openssl (3.5.1-1 → 3.5.5-1~deb13u2 from trixie-security), clearing the OS-level openssl:3.5.1/CVE-2026-31789 finding.
  • New changelog stub.

generators/typescript/sdk/validator/Dockerfile:

  • node:20-slim → node:22.22-bookworm-slim. Same Node 20 EOL + CVE-2025-55130 rationale as python-sdk-generator. The container only runs corepack + pnpm install --ignore-scripts for cache-warming; both are fine on Node 22.
  • New changelog stub.

Out of scope (will not be fixed by this PR)

  • The 6 openssl/openssl:3.5.5/CVE-2026-31789 (and the rest of the April 2026 OpenSSL advisory CVEs) flagged on every Node-22 image — these are Node's bundled OpenSSL, not the OS-level package. The upstream fix in nodejs/node#62629 merged to main 2026-04-10 with lts-watch-v22.x/lts-watch-v24.x, but no released node:22.x or node:24.x ships OpenSSL 3.5.6 yet (only node:26 does). Will land here as soon as the upstream backport ships in a 22.x patch release. Note: the node:22.22-bookworm-slim introduced for python-sdk-generator and typescript-sdk-validator in this PR will start showing this finding too — it's a strict trade against the Node 20 EOL CVE it removes.
  • google.golang.org/grpc:v1.78.0/CVE-2026-33186 flagged on python-seed — this is vendored inside the dockerd / containerd binaries shipped in docker:29.4.1-dind-alpine3.23. 29.4.1 is the latest published docker tag; will need to wait for upstream Docker to roll a release with patched grpc.
  • gnutls28:3.8.9/CVE-2026-33845 on python-sdk-generator — Debian trixie has no fixed version yet (current candidate 3.8.9-3+deb13u2 is still flagged; only sid has the fix in 3.8.13-1). The dist-upgrade in this PR will pull whatever patched gnutls28 trixie-security ships once it lands.
  • Rust toolchain stage in generators/rust/{sdk,model}/Dockerfile is on rust:1.82-alpine3.20 (Alpine 3.20 EOL). The rust:1.82 line was never published for alpine3.23, so clearing the EOL alert requires a Rust minor-version bump (1.82 → 1.95). Tracked separately to keep blast radius scoped.

Testing

  • CI on this PR
  • Vanta / AWS ECR re-scan against the rebuilt images — expected to clear: php-sdk and php-model ALPINE_LINUX_3_20 + 3 PHP 8.3.12 CVEs each; go-seed Go toolchain + golangci-lint dependency CVEs; python-sdk-generator Node 20.19.4 CVE + OS-level openssl 3.5.1 CVE; typescript-sdk-validator Node 20 EOL alert + CVE-2025-55130.

Reviewer checklist (riskiest items)

  • composer:2.7.9 → 2.9.7 on both php-sdk and php-model — multi-minor jump on the PHP runtime. Worth a smoke test against a generated PHP SDK and a generated PHP model.
  • Go 1.26.3 — released 2026-05-07. Security-driven bump; no language changes vs. 1.25.x for our use, but worth a smoke test on a generated Go SDK.
  • golangci-lint v2.10.1 → v2.12.2: v2.11.0 moved revive's package-naming rule out of var-naming into a separate (off-by-default) package-naming rule. Net effect should be fewer lint failures on generated Go SDKs, not more.
  • python-sdk-generator and typescript-sdk-validator Node bump — node:22.22-bookworm-slim is already used by python-v2/sdk and python-v2/pydantic-model, so the runtime is proven. Bumping does open a new Node-bundled OpenSSL finding on these two containers; called out above.
  • The dist-upgrade ordering in python-sdk-generator — runs before apt-get install ca-certificates curl git, so the install step uses freshly-updated indexes and pulls patched versions of any new transitive deps it brings in.

Link to Devin session: https://app.devin.ai/sessions/9164396908124e5d80e04a0e90f1ceca
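The two upgrade-layer patterns the description relies on, written out as an added example rather than as the repository's own Dockerfiles. The Alpine stage uses the composer:2.9.7 tag named above; the Debian stage uses debian:trixie-slim as a stand-in for the trixie-based stage the description does not name, and the packages after `install` are the three listed in the reviewer checklist. The weak form is kept as a comment beside the corrected form so the difference is visible in one place.

```dockerfile
# Added example, not the project's Dockerfiles. Base tags: composer:2.9.7 is
# from the PR description; debian:trixie-slim is a stand-in for the unnamed
# trixie-based stage. Package list after "install" is from the PR description.

# --- Alpine-based stage (php-sdk-generator / php-model shape) ---------------
FROM composer:2.9.7 AS php-tools

# Weak form: the RUN string below never changes, so BuildKit reuses the cached
# layer on every rebuild and backported Alpine security packages released
# since the first build are never pulled in.
#   RUN apk upgrade --no-cache

# Corrected form: adding --available changes the instruction text (so the
# cached layer is invalidated and the step re-runs against current indexes)
# and asks apk to reset installed packages to the versions the repositories
# currently advertise.
RUN apk upgrade --no-cache --available

# --- Debian-based stage (python-sdk-generator shape) ------------------------
FROM debian:trixie-slim AS py-tools

# Ordering matters: refresh the indexes, dist-upgrade what the base image
# already ships (this is the step that picks up a patched openssl from the
# security suite), drop packages made obsolete by the upgrade, and only then
# install extra tools so their transitive dependencies are resolved against
# the same fresh indexes. Index files are removed in the same layer so they
# do not persist into the final image.
RUN apt-get update \
 && apt-get -y --no-install-recommends dist-upgrade \
 && apt-get -y autoremove \
 && apt-get -y --no-install-recommends install \
        ca-certificates \
        curl \
        git \
 && rm -rf /var/lib/apt/lists/*
```

The reason the flag acts as a cache-bust is that BuildKit keys a RUN layer on the instruction text and its parent layer, not on what the command would fetch; an unchanged `apk upgrade` line is therefore reused verbatim until the string itself changes. Splitting the Debian commands into separate RUN instructions would defeat the same goal, since a cached `apt-get update` layer would feed stale indexes to the later steps.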

devin-ai-integration Bot and others added 4 commits May 8, 2026 12:33
…E fixes

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
…toremove --purge for cache busting

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
…nd ts-sdk-cli

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
github-actions Bot commented May 8, 2026

🌱 Seed Test Selector

Select languages to run seed tests for:

  • Python
  • TypeScript
  • Java
  • Go
  • Ruby
  • C#
  • PHP
  • Swift
  • Rust
  • OpenAPI

How to use: Click the ⋯ menu above → "Edit" → check the boxes you want → click "Update comment". Tests will run automatically and snapshots will be committed to this PR.

…ages for CVE fixes

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
@devin-ai-integration devin-ai-integration Bot changed the title Devin/1778243415 fix openssl CVE base images chore: refresh Dockerfile package-upgrade layers and bump php-sdk/go-seed base images for CVE fixes May 8, 2026
devin-ai-integration Bot and others added 2 commits May 8, 2026 13:18
…OpenSSL CVEs)

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
…ade Debian trixie packages

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
@devin-ai-integration devin-ai-integration Bot changed the title chore: refresh Dockerfile package-upgrade layers and bump php-sdk/go-seed base images for CVE fixes chore: bump php-sdk / go-seed / python-sdk base images for CVE fixes May 8, 2026
@devin-ai-integration devin-ai-integration Bot changed the title chore: bump php-sdk / go-seed / python-sdk base images for CVE fixes chore: bump generator/seed base images to clear repeatable CVEs May 8, 2026
@davidkonigsberg davidkonigsberg changed the title chore: bump generator/seed base images to clear repeatable CVEs chore(deps): bump generator/seed base images to clear repeatable CVEs May 8, 2026
@iamnamananand996

PHP and Python look good

@davidkonigsberg davidkonigsberg marked this pull request as ready for review May 8, 2026 14:09

@claude claude Bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

github-actions Bot commented May 8, 2026

SDK Generation Benchmark Results

Comparing PR branch against median of 5 nightly run(s) on main (latest: 2026-05-08T04:59:46Z).

Full benchmark table

Generator   Spec    main (generator)  main (E2E)  PR (generator)  Delta
go-sdk      square  124s (n=5)        274s (n=5)  123s            -1s (-0.8%)
php-sdk     square  55s (n=5)         77s (n=5)   50s             -5s (-9.1%)
python-sdk  square  127s (n=5)        230s (n=5)  128s            +1s (+0.8%)
ts-sdk      square  80s (n=5)         100s (n=5)  84s             +4s (+5.0%)

main (generator): generator-only time via --skip-scripts (includes Docker image build, container startup, IR parsing, and code generation — this is the same Docker-based flow customers use via fern generate). main (E2E): full customer-observable time including build/test scripts (nightly baseline, informational). Delta is computed against generator-only baseline.
⚠️ = generation exited with a non-zero exit code (timing may not reflect a successful run).
Baseline from nightly runs on main (latest: 2026-05-08T04:59:46Z). Trigger benchmark-baseline to refresh.
Last updated: 2026-05-08 15:22 UTC

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
@davidkonigsberg davidkonigsberg merged commit 04815a1 into main May 8, 2026
119 of 120 checks passed
@davidkonigsberg davidkonigsberg deleted the devin/1778243415-fix-openssl-cve-base-images branch May 8, 2026 15:23