fern-api · davidkonigsberg · May 8, 2026 · May 8, 2026 · May 8, 2026 · May 8, 2026
@@ -12,10 +12,10 @@ FROM docker:29.4.1-dind-alpine3.23
 COPY --from=wiremock-pull /wiremock.tar /wiremock.tar
 
 # Apply the latest APK security patches available for the base image
-RUN apk update && apk upgrade --no-cache
+RUN apk update && apk upgrade --no-cache --available
 
 # Install Go (multi-arch: supports both amd64 and arm64)
-ENV GO_VERSION=1.23.8
+ENV GO_VERSION=1.26.3
 RUN set -eux; \
     ARCH="$(uname -m)"; \
     case "${ARCH}" in \
@@ -34,7 +34,7 @@ ENV PATH="/usr/local/go/bin:${PATH}" \
 RUN mkdir -p "${GOPATH}/src" "${GOPATH}/bin"
 
 # Install golangci-lint
-ENV GOLANGCI_LINT_VERSION=v2.10.1
+ENV GOLANGCI_LINT_VERSION=v2.12.2
 RUN wget -O- -nv https://golangci-lint.run/install.sh | sh -s -- -b /usr/local/bin ${GOLANGCI_LINT_VERSION}
 
 # Create entrypoint script to start dockerd and wait until it is ready

@@ -1,5 +1,5 @@
 FROM node:22.22-alpine3.23 AS node
-FROM composer:2.7.9
+FROM composer:2.9.7
 
 ENV YARN_CACHE_FOLDER=/.yarn
 ARG SENTRY_DSN
@@ -9,7 +9,7 @@ ENV SENTRY_DSN=$SENTRY_DSN
 ENV SENTRY_ENVIRONMENT=$SENTRY_ENVIRONMENT
 ENV SENTRY_RELEASE=$SENTRY_RELEASE
 
-RUN apk update && apk upgrade --no-cache
+RUN apk update && apk upgrade --no-cache --available
 RUN apk --no-cache add bash curl git zip
 RUN git config --global user.email "115122769+fern-api[bot]@users.noreply.github.com" && \
     git config --global user.name "fern-api"

@@ -1,5 +1,5 @@
 FROM node:22.22-alpine3.23 AS node
-FROM composer:2.7.9
+FROM composer:2.9.7
 
 ENV YARN_CACHE_FOLDER=/.yarn
 ARG SENTRY_DSN
@@ -9,7 +9,7 @@ ENV SENTRY_DSN=$SENTRY_DSN
 ENV SENTRY_ENVIRONMENT=$SENTRY_ENVIRONMENT
 ENV SENTRY_RELEASE=$SENTRY_RELEASE
 
-RUN apk update && apk upgrade --no-cache
+RUN apk update && apk upgrade --no-cache --available
 RUN apk --no-cache add bash curl git zip
 RUN git config --global user.email "115122769+fern-api[bot]@users.noreply.github.com" && \
     git config --global user.name "fern-api"

@@ -0,0 +1,8 @@
+- summary: |
+    Bump the php-sdk container's `composer` base image from `composer:2.7.9`
+    (Alpine 3.20, PHP 8.3.12) to `composer:2.9.7` (Alpine 3.22, current PHP),
+    addressing the Alpine 3.20 EOL alert and the PHP 8.3.12 CVEs
+    (CVE-2024-8932, CVE-2024-11236, CVE-2025-1861), and force a fresh
+    `apk upgrade` so the rebuilt image picks up the patched openssl 3.5.6-r0
+    from Alpine 3.23.4 (CVE-2026-31789).
+  type: chore
@@ -0,0 +1,7 @@
+- summary: |
+    Bump the php-model container's `composer` base image from `composer:2.7.9`
+    (Alpine 3.20, PHP 8.3.12) to `composer:2.9.7` (Alpine 3.22, current PHP),
+    mirroring the php-sdk bump. Addresses the Alpine 3.20 EOL alert and the
+    PHP 8.3.12 CVEs (CVE-2024-8932, CVE-2024-11236, CVE-2025-1861), and
+    standardizes on `apk upgrade --no-cache --available` for cache invalidation.
+  type: chore
@@ -1,5 +1,5 @@
 # Stage 1: Copy Node.js from official image
-FROM node:20.19.4-slim AS node
+FROM node:22.22-bookworm-slim AS node
 
 # Stage 2: Base Python image with dependencies
 FROM python:3.13.7-slim AS python-base
@@ -10,7 +10,11 @@ COPY --from=node /usr/local/lib/node_modules /usr/local/lib/node_modules
 RUN ln -s /usr/local/lib/node_modules/npm/bin/npm-cli.js /usr/local/bin/npm && \
     ln -s /usr/local/lib/node_modules/npm/bin/npx-cli.js /usr/local/bin/npx
 
-RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl git && rm -rf /var/lib/apt/lists/*
+RUN apt-get update \
+    && apt-get -y --no-install-recommends dist-upgrade \
+    && apt-get install -y --no-install-recommends ca-certificates curl git \
+    && apt-get -y autoremove \
+    && rm -rf /var/lib/apt/lists/*
 RUN node --version
 RUN npm --version
 

@@ -0,0 +1,10 @@
+# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json
+
+- summary: |
+    Bump the python-sdk container's Node.js stage from `node:20.19.4-slim`
+    (Node 20 went EOL March 24, 2026) to `node:22.22-bookworm-slim`, and
+    apply latest Debian trixie security updates at build time so OS-level
+    package CVEs are picked up. Addresses CVE-2025-55130 (Node 20.19.4
+    permission-model symlink bypass) and the OS-level CVE-2026-31789
+    against `openssl 3.5.1-1`.
+  type: chore
@@ -0,0 +1,6 @@
+- summary: |
+    Bump the typescript-sdk-validator container's `node:20-slim` base image
+    to `node:22.22-bookworm-slim`. Node 20 went EOL March 24, 2026, and the
+    container was carrying the Node 20 EOL alert plus CVE-2025-55130
+    (Node 20 permission-model symlink bypass).
+  type: chore
@@ -1,4 +1,4 @@
-FROM node:20-slim
+FROM node:22.22-bookworm-slim
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends ca-certificates git \

@@ -32,7 +32,7 @@ it("breaking", async ({ signal }) => {
         expect(result.stdout).toMatchSnapshot();
         expect(result.exitCode).toBe(1);
     }
-}, 20_000);
+}, 60_000);
 
 it("non-breaking", async ({ signal }) => {
     const nonBreakingChangeDirs = await readdir(NON_BREAKING_FIXTURES_DIR, { withFileTypes: true });
@@ -50,4 +50,4 @@ it("non-breaking", async ({ signal }) => {
         expect(result.stdout).toMatchSnapshot();
         expect(result.exitCode).toBe(0);
     }
-}, 20_000);
+}, 60_000);