Ruigao/security update jan 2026 #151
Merged
Pull request overview
This pull request implements a comprehensive security update across all container images in the repository, including Ubuntu updates, Go version updates, Node.js package updates (lodash, qs, diff), and Python package updates. The changes involve updating base images, upgrading dependencies, and adding proper image pull policies to Kubernetes deployment configurations.
Changes:
- Updated Go versions across multiple Dockerfiles (targeting 1.24.x)
- Updated Node.js dependencies (lodash to 4.17.23, qs to 6.14.1, diff to 8.0.3)
- Replaced custom nginx builds with official nginx:1.29.4 base image
- Added imagePullPolicy: Always to Kubernetes deployments
- Replaced patch files with inline go mod edits for better maintainability
- Updated various tools (nerdctl, docker, frp) to newer versions
- Added proper apt cache cleanup in several Dockerfiles
Reviewed changes
Copilot reviewed 27 out of 31 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| src/webportal-dind/build/webportal-dind.common.dockerfile | Added multi-stage build for runc, updated Docker version, improved cleanup |
| src/webportal-dind/build/install.sh | Updated Docker version to 29.2.0, removed buildx/compose, improved cleanup |
| src/watchdog/build/watchdog.common.dockerfile | Updated Go to 1.24.13-alpine3.22 and Alpine to 3.22 |
| src/rest-server/yarn.lock, package.json | Updated lodash, qs, and diff dependencies |
| src/pylon/build/reverseproxy.common.dockerfile | Replaced binary download with building frp from source |
| src/pylon/build/pylon.common.dockerfile | Replaced custom nginx build with official nginx:1.29.4 image |
| src/postgresql/build/postgresql.k8s.dockerfile | Added multi-stage build for gosu binary |
| src/model-proxy/build/model-proxy.common.dockerfile | Updated Go version to 1.25.7 |
| src/job-exporter/build/job-exporter.common.dockerfile | Updated nerdctl to 2.2.1 |
| src/hivedscheduler/deploy/hivedscheduler.yaml.template | Added imagePullPolicy: Always |
| src/hivedscheduler/build/kube-scheduler.k8s.dockerfile | Updated kube-scheduler to v1.35.0 |
| src/hivedscheduler/build/hivedscheduler.k8s.dockerfile | Updated Go to 1.24.13-alpine3.22 and Alpine to 3.22 |
| src/frameworkcontroller/build/frameworkcontroller.common.dockerfile | Updated Go to 1.24.13-alpine3.22 and Alpine to 3.22 |
| src/frameworkcontroller/build/frameworkbarrier.common.dockerfile | Updated Go to 1.24.11-alpine3.21 (inconsistent with other files) |
| src/device-plugin/deploy/start.sh.template | Added imagePullPolicy modifications |
| src/device-plugin/deploy/device-plugin.yaml.template | Added imagePullPolicy: Always |
| src/device-plugin/build/k8s-rocm-device-plugin.k8s.dockerfile | Updated Go to 1.24.12-alpine, replaced patch with inline mod edits |
| src/device-plugin/build/k8s-rocm-device-plugin-patches/0001-*.patch | Removed patch file (replaced with inline edits) |
| src/device-plugin/build/k8s-rdma-shared-dev-plugin.k8s.dockerfile | Updated Go to 1.24.13-alpine, added inline mod edits |
| src/device-plugin/build/k8s-nvidia-device-plugin.k8s.dockerfile | Replaced base image with multi-stage build using golang:1.25.6 |
| src/device-plugin/build/k8s-host-device-plugin.k8s.dockerfile | Updated Go to 1.24.13, replaced patch with inline mod edits |
| src/device-plugin/build/k8s-host-device-plugin-patches/0001-*.patch | Removed patch file (replaced with inline edits) |
| src/database-controller/src/yarn.lock, package.json | Updated lodash and qs dependencies |
| src/copilot-chat/build/copilot-chat.common.dockerfile | Added pip upgrade command |
| src/alert-manager/src/job-status-change-notification/yarn.lock, package.json | Updated lodash and qs dependencies |
| src/alert-manager/src/alert-handler/yarn.lock, package.json | Updated lodash and qs dependencies |
| src/alert-manager/build/redis-monitoring.common.dockerfile | Added multi-stage build for gosu binary |
Comments suppressed due to low confidence (1)
src/frameworkcontroller/build/frameworkbarrier.common.dockerfile:36
- Inconsistent Alpine base image version. The builder stage uses alpine3.21 but other similar files use alpine3.22. The runtime stage (line 36) also uses alpine:3.21. Both should be updated to alpine:3.22 for consistency with the frameworkcontroller.common.dockerfile and to ensure the latest security updates.
```dockerfile
FROM golang:1.24.11-alpine3.21 as builder
ENV GOPATH=/go
ENV PROJECT_DIR=/src
ENV INSTALL_DIR=/opt/frameworkcontroller/frameworkbarrier
RUN apk update && apk add --no-cache bash && \
    mkdir -p ${PROJECT_DIR} ${INSTALL_DIR}
COPY src ${PROJECT_DIR}
RUN ${PROJECT_DIR}/build/frameworkbarrier/go-build.sh && \
    mv ${PROJECT_DIR}/dist/frameworkbarrier/* ${INSTALL_DIR}
FROM alpine:3.21
```
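A check for the kind of drift flagged in the suppressed comment above, as an added example that is not code from the pull request or the repository: it parses `FROM` lines, extracts the Alpine release from both `alpine:X.Y` tags and the `-alpineX.Y` suffix of golang tags, and reports Dockerfiles that lag behind the newest Alpine release used anywhere in the set. The Dockerfile contents and the `sample-node-service` path are constructed inputs, not the repository's files.

```python
import re
from collections import defaultdict

# Constructed sample Dockerfile contents keyed by path. They mimic the FROM
# lines the review above discusses; they are not the repository's real files.
SAMPLE_DOCKERFILES = {
    "src/frameworkcontroller/build/frameworkcontroller.common.dockerfile":
        "FROM golang:1.24.13-alpine3.22 as builder\nRUN apk add --no-cache bash\nFROM alpine:3.22\n",
    "src/frameworkcontroller/build/frameworkbarrier.common.dockerfile":
        "FROM golang:1.24.11-alpine3.21 as builder\nRUN apk add --no-cache bash\nFROM alpine:3.21\n",
    "src/watchdog/build/watchdog.common.dockerfile":
        "FROM golang:1.24.13-alpine3.22 AS builder\nFROM alpine:3.22\n",
    "src/sample-node-service/build/sample.dockerfile":  # constructed, non-Alpine
        "FROM node:20-slim\n",
}

# FROM [--platform=...] <image>[:tag] [AS name]; the keyword is case-insensitive.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)
# Matches "alpine:3.22" as well as the "-alpine3.22" suffix of golang tags.
ALPINE_RE = re.compile(r"(?:^alpine:|-alpine)(\d+\.\d+)")


def alpine_versions(dockerfile_text):
    """Return every Alpine release referenced by a FROM line, in file order."""
    versions = []
    for line in dockerfile_text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group(1).split("/")[-1]  # drop registry/namespace prefixes
        am = ALPINE_RE.search(ref)
        if am:
            versions.append(am.group(1))
    return versions


def find_inconsistencies(files):
    """Return (newest_alpine, outlier_paths): files whose FROM lines reference
    an Alpine release older than the newest one used anywhere in `files`."""
    by_version = defaultdict(set)
    for path, text in files.items():
        for v in alpine_versions(text):
            by_version[v].add(path)
    if not by_version:
        return None, []
    newest = max(by_version, key=lambda v: tuple(int(x) for x in v.split(".")))
    outliers = sorted({p for v, ps in by_version.items() if v != newest for p in ps})
    return newest, outliers
```

Running it over a checkout means reading each Dockerfile into the dictionary in place of the constructed samples; only the builder and runtime stages with an Alpine tag are counted, so the node slim image is ignored.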
zhogu approved these changes on Mar 30, 2026
added 18 commits (March 31, 2026 02:37)
…ication & also update kube-scheduler and model-proxy
…duler and watchdog
…in in dockerfile for k8s host device plugin
* use node slim to replace the original node image
* remove the dev dependencies for alert-handler
* use node slim for job-status-change-notification
* use node slim for database controller
* use node slim for rest server
* update the dockerfile for webportal to decrease the image size
* remove the apt update part in webportal
* fix the building errors in rest server
* fix the building errors in rest server
* remove the dev dependencies for rest server
* fix build error for job-status-change-notification
* add code to set up env for rest-server
* use node slim docker image for webportal
* remove the node_modules at /usr/local/lib
* update NPM package for rest-server
* update the package axios and minimatch for alert-handler
* update node.js package version for job-status-change-notification
* update node.js package version for rest-server
* update node.js package qs to 6.14.2 for alert-handler, job-status-notification, database-controller and rest-server

---------

Co-authored-by: Rui Gao <ruigao@microsoft.com>
540ab1a to 9a4f0a7
Security update for all the container images, including the Ubuntu update and other package updates for Node.js and Python.