docker: bump golang from 1.25.10-alpine to 1.25.11-alpine #585

Merged
bgentry merged 1 commit into master from dependabot/docker/golang-1.25.11-alpine on Jun 23, 2026
@dependabot dependabot Bot commented on behalf of github Jun 3, 2026

Contributor

Bumps golang from 1.25.10-alpine to 1.25.11-alpine.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps golang from 1.25.10-alpine to 1.25.11-alpine.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.25.11-alpine
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and docker labels Jun 3, 2026

@bgentry bgentry left a comment

Contributor

🤖 Codex review: Security review looks good to me.

I reviewed this as a dependency-upgrade supply-chain/security pass for the Docker builder image bump from golang:1.25.10-alpine to golang:1.25.11-alpine at PR head 4147410c8034c52554db4352a234d1d7674f6584.

Scope reviewed:

  • Confirmed the PR changes only the build-go stage in Dockerfile and Dockerfile.pro; runtime alpine:3.23.4 remains unchanged.
  • Checked the pinned old/new Go image digests and upstream generated docker-library/golang source context for the 1.25.10-alpine3.23 to 1.25.11-alpine3.23 patch update.
  • Confirmed the update is an official Go patch release that includes security fixes in crypto/x509, mime, and net/textproto, plus compiler/runtime fixes.
  • Looked for trust-surface expansion in the PR diff: no new build commands, package-manager flows, secret handling, runtime commands, generated artifacts, or copied files were introduced.
  • Confirmed the existing Dockerfile.pro BuildKit secret flow is unchanged.

Local validation completed:

  • npm run lint
  • npm run test:once
  • npm run build
  • make test
  • make lint
  • docker buildx build --pull --platform linux/amd64 -f Dockerfile -t riverui-dep-review:585 .

No blocking findings. Residual risk is limited to the pro image path: I did not run Dockerfile.pro locally because it requires the private River Pro module credential, but the changed line is the same pinned Go builder image and the private-module secret flow itself did not change.

@bgentry bgentry merged commit 79f39a9 into master Jun 23, 2026
16 of 18 checks passed
@bgentry bgentry deleted the dependabot/docker/golang-1.25.11-alpine branch June 23, 2026 12:33
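
The diff-scope checks named in the review above (only the build-go `FROM` line changes, the image stays pinned by digest, no new build commands) can be run as an automated gate on image-bump PRs. The following Python check is an added example, not code from this PR or from the project; the `FROM` line shape, the sample diffs with their context lines, and the digests are constructed assumptions.

```python
import re
# Assumed FROM shape: FROM <repo>:<tag>[@sha256:<64 hex>] AS <stage>
FROM_RE = re.compile(r"^FROM\s+(?P<repo>[\w./-]+):(?P<tag>[\w.-]+)"
                     r"(?:@sha256:(?P<digest>[0-9a-f]{64}))?\s+AS\s+(?P<stage>[\w-]+)$", re.I)
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def review_image_bump(diff_text, stage="build-go", repo="golang"):
    """Return findings for a unified diff expected to bump only one builder image."""
    findings, path, old_left, new_left = [], None, 0, 0
    for line in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:  # between hunks: only headers are valid here
            if line.startswith("+++ "):
                path = line[6:] if line.startswith("+++ b/") else line[4:]
            hunk = HUNK_RE.match(line)
            if hunk:  # line counts stop a "+++ ..." content line posing as a header
                old_left, new_left = int(hunk[1] or 1), int(hunk[2] or 1)
            continue
        sign, body = line[:1], line[1:].strip()
        if sign == "\\":  # "\ No newline at end of file" marker
            continue
        if sign != "+": old_left -= 1
        if sign != "-": new_left -= 1
        if sign not in ("+", "-"):  # context line, unchanged
            continue
        m = FROM_RE.match(body)
        if not m or m["stage"] != stage or m["repo"] != repo:
            findings.append(f"{path}: unexpected {sign} line: {body!r}")
        elif sign == "+" and not m["digest"]:
            findings.append(f"{path}: {repo}:{m['tag']} is not pinned by digest")
    return findings

OLD, NEW = "a" * 64, "b" * 64  # constructed placeholder digests, not real image digests
HEADER = "diff --git a/Dockerfile b/Dockerfile\n--- a/Dockerfile\n+++ b/Dockerfile\n"
CLEAN_DIFF = HEADER + f"""@@ -8,3 +8,3 @@
 # builder stage
-FROM golang:1.25.10-alpine@sha256:{OLD} AS build-go
+FROM golang:1.25.11-alpine@sha256:{NEW} AS build-go
 WORKDIR /src
"""
WIDENED_DIFF = HEADER + f"""@@ -8,3 +8,4 @@
 # builder stage
-FROM golang:1.25.10-alpine@sha256:{OLD} AS build-go
+FROM golang:1.25.11-alpine AS build-go
+RUN apk add --no-cache curl
 WORKDIR /src
"""

if __name__ == "__main__":
    print(review_image_bump(CLEAN_DIFF), review_image_bump(WIDENED_DIFF), sep="\n")
```

A check like this only confirms the shape of the diff; comparing the new digest against the upstream image, as the review describes, remains a separate step.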