[pull] main from gitpod-io:main#375
Open
pull[bot] wants to merge 4117 commits into
…t use deepmerge but overwrite if set) (#20646) Tool: gitpod/catfood.gitpod.cloud
Tool: gitpod/catfood.gitpod.cloud
… fetching (#20649) Tool: gitpod/catfood.gitpod.cloud
Tool: gitpod/catfood.gitpod.cloud
…#20652)
* [node-labeler] Refactor node labeling to use taints instead of labels
* [agent-smith] Add toleration to daemonset
* Add workspace component tolerations to various Gitpod components if it is running in Full installation
* Apply suggestions from code review
Co-authored-by: Kyle Brennan <kyle@gitpod.io>
* Update components/node-labeler/cmd/run.go
Co-authored-by: Kyle Brennan <kyle@gitpod.io>
---------
Co-authored-by: Kyle Brennan <kyle@gitpod.io>
…LB pick" (#20637)
* [dev] Bump grpc/grpc-js 1.10.8 -> 1.12.6 and authzed/authzed-node 0.15.0 -> 1.2.2
Tool: gitpod/catfood.gitpod.cloud
* [server] Streamline spicedb gRPC client usage and creation options
- instead of doing retries on two levels, rely on the gRPC-level retries
- to mitigate the loss of insights, introduce createDebugLogInterceptor
- client options: use sane defaults derived from the documentation instead of the excessive ones we had in place before
- use "waitForReady" option: it should a) make our calls more responsive on re-connects, while b) - because we keep re-trying on DEADLINE_EXCEEDED - should be as reliable as before
Tool: gitpod/catfood.gitpod.cloud
* [protocol] Centralize grpc.isConnectionAlive
Tool: gitpod/catfood.gitpod.cloud
* [server] SpiceDB client: retry with new client on "Waiting for LB pick" error
Tool: gitpod/catfood.gitpod.cloud
* [server] Introduce ReadinessController and probe at /ready
Tool: gitpod/catfood.gitpod.cloud
* [server] Move /live and /ready endpoints to a separate express app and port
Tool: gitpod/catfood.gitpod.cloud
* [memory-bank] task-related learnings
Tool: gitpod/catfood.gitpod.cloud
* [server] Introduce `server_readiness_probe` feature flag so we can disable the ReadinessProbe if required
Tool: gitpod/catfood.gitpod.cloud
* docs: formalize Product Requirements Document workflow
- Add PRD workflow to systemPatterns.md as a standardized development process
- Update .clinerules with instructions to follow the PRD workflow
- Update activeContext.md and progress.md to reference the new workflow
This formalizes the process we used for implementing the server readiness probe feature.
Tool: gitpod/catfood.gitpod.cloud
* [server] ReadinessProbe: add redis as dependency
Tool: gitpod/catfood.gitpod.cloud
* review comments
Tool: gitpod/catfood.gitpod.cloud
* [dev] Remove outdated gopls config
Tool: gitpod/catfood.gitpod.cloud
* [server] Fix import
Tool: gitpod/catfood.gitpod.cloud
…tupProbe (#20672) Tool: gitpod/catfood.gitpod.cloud
* [server] Move /ready to /startup, and rename code to StartupController (because it's used by the StartupProbe)
Tool: gitpod/catfood.gitpod.cloud
* [server] Introduce special /ready handler that only returns "false" during the shutdown phase
Tool: gitpod/catfood.gitpod.cloud
Tool: gitpod/catfood.gitpod.cloud
* Update development dependencies
* Do not update libseccomp
* Fix libseccomp
* Update dev image
* Fix build
* Do not update libseccomp
* Bump docker compose
Tool: gitpod/catfood.gitpod.cloud
* Bump docker
Tool: gitpod/catfood.gitpod.cloud
* Oops
Tool: gitpod/catfood.gitpod.cloud
* Fix build
Tool: gitpod/catfood.gitpod.cloud
* Update runc to v1.2.6 and gcloud to v515.0.0
* Use correct package name
---------
Co-authored-by: Christian Weichel <chris@gitpod.io>
Tool: gitpod/catfood.gitpod.cloud
* Bump golang.org/x/crypto
* Don't bump toolchain
* go mod tidy
* go mod tidy
* Fix proxy build
* [image-builder-bob] bump up buildkit
Tool: gitpod/catfood.gitpod.cloud
* add ghcr login
Tool: gitpod/catfood.gitpod.cloud
…VEs (#20692) Tool: gitpod/catfood.gitpod.cloud
* Updating Go dependency: Docker and Git to fix CVE
Tool: gitpod/catfood.gitpod.cloud
* [image-builder-bob] Pin OpenTelemetry dependencies to compatible versions
Tool: gitpod/catfood.gitpod.cloud
Tool: gitpod/catfood.gitpod.cloud
Tool: gitpod/catfood.gitpod.cloud
Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Ona <no-reply@ona.com>
pup v0.4.0 (2017) fails to compile with modern Go versions. Download the pre-built binary from GitHub releases instead, matching the approach already used in dev/image/Dockerfile. Co-authored-by: Ona <no-reply@ona.com>
Update Go dependencies across all components to address critical vulnerabilities detected by the daily scheduled scan (Build #34330).

Key dependency updates:
- google.golang.org/grpc v1.65.0 → v1.79.3
  Fixes CVE-2026-33186 (CVSS 9.1): authorization bypass via malformed :path headers missing leading slash could bypass path-based deny rules in interceptors like grpc/authz.
- google.golang.org/protobuf v1.34.2 → v1.36.10
  Required by grpc v1.79.3.
- golang.org/x/net v0.26.0/v0.35.0 → v0.48.0
  Fixes multiple HTML parsing DoS vulnerabilities (CVE-2024-45338, CVE-2025-58190, CVE-2025-47911).
- github.com/containerd/containerd v1.6.36 → v1.6.39, v1.7.2 → v1.7.30
  Fixes CVE-2024-40635 (integer overflow in User ID handling) and CVE-2024-25621 (local privilege escalation via CRI directory perms).
- github.com/golang-jwt/jwt/v5 v5.0.0/v5.2.1 → v5.2.2
  Fixes CVE-2025-30204 (CVSS 8.7): DoS via excessive memory allocation during JWT header parsing.
- github.com/go-jose/go-jose/v3 v3.0.0 → v3.0.4
  Fixes CVE-2025-27144: DoS via crafted JOSE parsing input.
- github.com/hashicorp/go-retryablehttp v0.7.0-v0.7.5 → v0.7.7
  Fixes CVE-2024-41110: basic auth credentials leaked to log files.

Also updates transitive dependencies pulled in by the above:
- golang.org/x/sys, golang.org/x/text, golang.org/x/sync
- google.golang.org/genproto/googleapis/rpc
- go.opentelemetry.io/otel (pinned v1.39.0 in image-builder-bob)

Not addressed in this PR (requires code changes):
- github.com/opencontainers/runc v1.1.14 → v1.2.x: API breaking change in libcontainer/cgroups/ebpf (functions made unexported). Needs code migration in ws-daemon/pkg/cgroup/plugin_fuse_v2.go.
- github.com/dgrijalva/jwt-go: deprecated library, needs migration to github.com/golang-jwt/jwt/v5.

Fixes: CLC-2235
Co-authored-by: Ona <no-reply@ona.com>
- local-app: Replace deprecated github.com/dgrijalva/jwt-go with github.com/golang-jwt/jwt/v5. The API is compatible — only the import path changes.
- spicedb/codegen: Upgrade authzed/spicedb v1.24.0 → v1.44.0 and google.golang.org/grpc v1.56.2 → v1.79.3 to fix CVE-2026-33186.
Co-authored-by: Ona <no-reply@ona.com>
The CI build failed because dev/gp-gcloud and dev/gpctl were still on grpc v1.65.0 while their lib dependencies were updated. Update all remaining Go modules in dev/ and test/ to grpc v1.79.3. Co-authored-by: Ona <no-reply@ona.com>
Captures the scanning, triage, remediation, and validation workflow for CVEs in this monorepo. Covers both the fast local path (grype) and the CI path (leeway sbom), multi-module Go dependency updates, suppression mechanisms, and PR conventions. Co-authored-by: Ona <no-reply@ona.com>
The installer uses replace directives pointing to local component directories. When those components' dependencies were updated (grpc, protobuf, x/net, etc.), the installer's go.sum became stale, causing the linter's type checker to fail to resolve packages — which surfaced as cascading 'undefined' errors in CI. Co-authored-by: Ona <no-reply@ona.com>
The jwt import was placed before gitpod-io imports, violating gofmt's lexicographic ordering requirement. Co-authored-by: Ona <no-reply@ona.com>
Caddy (GHSA-p77j-4mvh-x3m3, GHSA-q4r8-xm5f-56gw):
- dashboard: upgrade xcaddy build from v2.11.0-beta.2 to v2.11.2, pin smallstep/certificates to v0.30.1 via --replace
- ide-proxy: upgrade xcaddy build from v2.11.1 to v2.11.2, pin smallstep/certificates to v0.30.1, align base image to 2.11.2-alpine
- proxy: pin smallstep/certificates to v0.30.1 via --replace

cloud_sql_proxy (GHSA-p77j-4mvh-x3m3):
- gitpod-db: upgrade from v1.37.6 (grpc v1.71.0) to v1.37.14 (grpc v1.79.2)

Not addressed (requires rebuilding external forks):
- docker-compose: gitpod-io/compose v2.34.0-gitpod.1 (grpc v1.71.0)
- buildkit: ghcr.io/gitpod-io/buildkit:v0.20.1-gitpod.5 (grpc v1.69.4)

Co-authored-by: Ona <no-reply@ona.com>
The gitpod-io/compose fork's only change — reading MTU from ceth0 to set it on compose-created networks — has been broken since Feb 2023 when the workspace interface was renamed from ceth0 to eth0 (40830a8). The MTU override has been silently skipped for 3+ years.

Instead of maintaining the fork, propagate MTU to compose-created networks via dockerd's --default-network-opt flag (supported since Docker 27.0; we ship 27.5.1). docker-up already reads the correct MTU from eth0 for --mtu and --network-control-plane-mtu.

Changes:
- docker-up: add --default-network-opt=bridge=com.docker.network.driver.mtu
- WORKSPACE.yaml: update dockerComposeVersion to upstream 2.40.3
- dependencies.sh: download from docker/compose instead of gitpod-io/compose

This eliminates the critical grpc CVE (GHSA-p77j-4mvh-x3m3) in the forked docker-compose binary and restores the MTU behavior that was silently broken.

Co-authored-by: Ona <no-reply@ona.com>
The gitpod-db component is no longer deployed in any environment. The cloud_sql_proxy binary (v1.37.14) ships grpc v1.79.2; no v1.x release includes the fix (v1.79.3). Co-authored-by: Ona <no-reply@ona.com>
The upstream docker/compose checksums.txt includes entries for all platforms. Filter to linux-x86_64 only since that's all we download. The fork's checksums.txt only had the files it published, so this wasn't an issue before. Also bump buildkit from v0.20.1-gitpod.5 to v0.20.1-gitpod.6 to pick up grpc fix for GHSA-p77j-4mvh-x3m3. Co-authored-by: Ona <no-reply@ona.com>
The REH server COPY overlays /vscode-reh-linux-x64/ onto /vscode-web/ in /ide/, overwriting the web client's NLS files with the REH server's version. Normal workspaces are unaffected because blobserve reads only the first Docker layer. Debug workspaces serve from the merged filesystem, causing workbench.js to reference NLS indices that don't exist in the REH's nls.messages.js. Restore the web client NLS files after the REH overlay. Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Ona <no-reply@ona.com>
…omposite action (#21394)
* Replace removed transferwise/sanitize-branch-name with local action
The transferwise/sanitize-branch-name GitHub Action repo is no longer publicly accessible, breaking CI. Replace with an equivalent local composite action.
Co-authored-by: Ona <no-reply@ona.com>
* Add checkout step before local sanitize-branch-name action
Local composite actions require the repo to be checked out first. Uses sparse-checkout to only fetch .github/actions for speed.
Co-authored-by: Ona <no-reply@ona.com>
---------
Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Ona <no-reply@ona.com>
* Fix CVE-2026-33937: resolve handlebars to 4.7.9
grpc_tools_node_protoc_ts pins handlebars 4.7.7 and has no fixed release. Use yarn resolutions to force 4.7.9 which patches the JavaScript injection via AST type confusion vulnerability.
Co-authored-by: Ona <no-reply@ona.com>
* Fix protobufjs arbitrary code execution: bump to 7.5.5
Lockfile-only change. Both @grpc/proto-loader (^7.2.5) and ts-proto (^7.2.4) already accept 7.5.5 via semver, so no package.json or resolution changes needed.
Co-authored-by: Ona <no-reply@ona.com>
---------
Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Ona <no-reply@ona.com>
* Fix CVE-2026-27143: bump Go toolchain to 1.25.9
Daily vulnerability scan (CLC-2243) flagged 13 Classic component images with a critical Go stdlib vulnerability:
- CVE-2026-27143 (GO-2026-4868): compiler did not correctly check underflow/overflow on arithmetic over induction variables in loops, allowing invalid indexing at runtime that could lead to memory corruption.
The vulnerability is fixed in Go 1.25.9 (and 1.26.2). Bump the toolchain across the workspace:
- Set toolchain to go1.25.9 in all 71 go.mod files
- Update GO_VERSION in dev/image/Dockerfile and bump TRIGGER_REBUILD so the CI dev-environment image installs the patched compiler
- Update GO_VERSION in .devcontainer/Dockerfile for dev consistency
Verified locally by rebuilding all 13 affected components with GOTOOLCHAIN=go1.25.9 and confirming grype reports zero critical findings.
Co-authored-by: Ona <no-reply@ona.com>
* Pin golangci-lint --go=1.24 to match CI image toolchain
The CI dev-environment image bundles golangci-lint v1.64.8 built with Go 1.24, which refuses to lint code declaring "toolchain go1.25.9". Pin the lint target to 1.24 so the existing image keeps working without a rebuild. We don't use any 1.25 language features; the toolchain bump only addresses CVE-2026-27143 in the Go stdlib.
Co-authored-by: Ona <no-reply@ona.com>
* Revert toolchain bumps; rely on CI image's system Go for fix
The previous commit bumped 'toolchain go1.25.9' across all 71 go.mod files. That worked locally but broke the existing CI dev-environment image, which:
1. ships golangci-lint v1.64.8 built with Go 1.24 (rejects modules declaring toolchain >= 1.25)
2. has system Go 1.24.13, so GOTOOLCHAIN=auto downloads the 1.25.9 toolchain module — but that module's prebuilt tools dir lacks 'covdata', breaking 'go test -coverprofile' for any Go library package.
Instead, leave the 'toolchain' directive at go1.24.13 and rely on the new dev-environment image (which has system Go 1.25.9 from dev/image/Dockerfile) to compile binaries with the patched stdlib. Once branch CI publishes the new image, a follow-up commit will update the image tag references in .gitpod.yml and the workflow files (same two-step pattern as #21327).
Co-authored-by: Ona <no-reply@ona.com>
* Update dev-environment image to ona-clc-2243-fix-cve-2026-27143-bump-go-gha.275
This image was published by the previous run of this PR and contains Go 1.25.9, which is needed to compile binaries free of CVE-2026-27143. Switching the workflow and devcontainer references over so subsequent CI runs use the patched toolchain.
Co-authored-by: Ona <no-reply@ona.com>
---------
Co-authored-by: Ona <no-reply@ona.com>
…-gitpod.7 (#21414)
Upgrades the pinned buildkit base image to pull in:
- CVE-2026-31789 (Critical) — OpenSSL libssl3/libcrypto3 in Alpine
- CVE-2025-68121 (Critical) — Go crypto/tls session resumption
Both criticals were tripping the daily scheduled vulnerability gate in `Build / Build Gitpod / Check for Critical Vulnerabilities` against `components/image-builder-bob:docker`. The new tag rebases on Alpine 3.23 and Go 1.26.2 in upstream BuildKit.
Refs CLC-2245.
Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Ona <ona@gitpod.io> Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Ona <no-reply@ona.com>
Co-authored-by: Ona <no-reply@ona.com>
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.3)
Can you help keep this open source service alive? 💖 Please sponsor : )