Tags: buildpacks/pack
chore: add .grype.yaml to ignore unreachable docker daemon CVEs (#2582)

Mirror the ignore list used by buildpacks/lifecycle for the same reasons: pack uses docker/docker as a client only, so daemon-side vulnerabilities (plugin install privilege validation, AuthZ plugin bypass) are not reachable from pack's code paths. Grype also flags two long-standing protobuf false positives that are already filtered by lifecycle.

This silences the scheduled check-latest-release.yml grype scan, which currently fails on:
- GHSA-pxq6-2prw-chj9 (Medium)
- GHSA-x744-4wpc-v9h2 (High)

Both are fixed upstream in github.com/moby/moby/v2 but not backported to the github.com/docker/docker module, so grype cannot auto-resolve them.

Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
chore: upgrade Go to 1.25.8 to fix stdlib CVEs (#2548)

Fixes CVE-2026-25679 (High), CVE-2026-27142 (High), and CVE-2026-27139 (Low) in the Go standard library by bumping the minimum Go version to 1.25.8.

Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
chore: fix security vulnerabilities in dependencies (#2539)

- Bump go stdlib 1.25.6 → 1.25.7 (CVE-2025-68121 critical, CVE-2025-61732 high)
- Bump github.com/chainguard-dev/kaniko v1.25.7 → v1.25.10 (GHSA-6rxq-q92g-4rmf high)

Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Execution Environment RFC Implementation (#2324)

* WIP - adding flag to set the CNB_EXEC_ENV

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* adding . and - to the regular expression to validate and cnb exec env

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* WIP - adding exec-env on project.toml schema version 0.3, it is still in progress

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* fixing some lint errors

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* WIP - refactoring test case

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* adding more test cases

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* adding exec-env to builder.toml

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* adding exec-env to builder.toml

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* Adding unit test for exec-env in buildpack.toml

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* Removing for now the platform API version validation

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* Fixing unit tests

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* fixing some unit tests

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* Fixing formatting issue

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* Test Coverage Improvements Summary

  Changes Made:

  1. internal/build/lifecycle_executor.go (2 lines added)
     - Added Platform API versions 0.14 and 0.15 to SupportedPlatformAPIVersions
     - This allows pack to support the new execution environment feature which requires Platform API 0.15

  2. internal/build/phase_config_provider.go (1 line changed)
     - Updated the Platform API version check from 0.13 to 0.15 for the CNB_EXEC_ENV environment variable

  3. internal/build/fakes/fake_builder.go (7 lines added)
     - Added WithExecutionEnvironment() helper function for tests
     - Allows tests to easily set the execution environment in lifecycle options

  4. internal/build/phase_config_provider_test.go (41 lines added)
     - Added comprehensive tests for the execution environment feature:
       - ✅ Test that CNB_EXEC_ENV is set when Platform API >= 0.15
       - ✅ Test that CNB_EXEC_ENV is NOT set when Platform API < 0.15
     - Added import for "github.com/buildpacks/lifecycle/api" package

  Existing Test Coverage (Already in PR):

  1. internal/commands/build_test.go
     - ✅ Tests that default exec-env is 'production'
     - ✅ Tests with valid characters (letters, numbers, dots, hyphens)
     - ✅ Tests with invalid characters (shows proper error)
     - ✅ Comprehensive validation tests for exec-env flag

  2. builder/config_reader_test.go
     - ✅ Tests reading exec-env from builder configuration

  3. pkg/project/project_test.go
     - ✅ Tests reading exec-env from project.toml (schema v0.3)
     - ✅ Tests for buildpack groups, pre-groups, and post-groups

  Test Results:
  - All phase config provider tests: PASSING ✅
  - All build command tests: PASSING ✅
  - Coverage for exec-env flag validation: COMPLETE ✅
  - Coverage for CNB_EXEC_ENV environment variable: COMPLETE ✅
  - Coverage for Platform API version gating: COMPLETE ✅

  The test coverage for your ExecutionEnvironment feature is now comprehensive and covers:
  - Command-line flag validation
  - Environment variable setting based on Platform API version
  - Builder and project configuration reading
  - Edge cases and error conditions

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* Fixing Acceptance Tests API Platform expected versions

  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

* fix: add missing api import in phase_config_provider_test

  Add missing import for github.com/buildpacks/lifecycle/api package required by execution environment tests that use api.MustParse().

  The tests added in this branch for CNB_EXEC_ENV functionality reference api.Version and api.MustParse() but the import was missing, causing compilation errors after merging latest changes from main.

  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
  Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>

---------

Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
fix: upgrade Go to 1.25.5 to address CVE-2025-61729 and CVE-2025-61727 (#2501)

This commit updates the Go version from 1.25.3 to 1.25.5 to fix two security vulnerabilities in the Go standard library.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>