fix(security): apt-get upgrade in self-host runtime stages

@zen-agentchecks n/achecks…zen/security-bookworm-apt-upgrade-5zw79n → master1 files · +7 −0review: @acsrujanreview: @abir-taheerreview: @lingalarahul7review: @anshugarg15updated 3w ago

GitHub

▸Description· 1 comment · 4 noise

Description

A customer VA scan against the self-hosted images flagged 3 real CVEs (CRITICAL/HIGH) that all stem from unpatched packages inherited from node:20.20.2-slim:

CVE	Package	Severity	Fix in Bookworm
CVE-2026-42010	libgnutls30	CRITICAL	3.7.9-2+deb12u7 (DSA-6281-1)
CVE-2026-33845	libgnutls30	CRITICAL	3.7.9-2+deb12u7 (DSA-6281-1)
CVE-2026-4878	libcap2	HIGH	1:2.66-4+deb12u3

The existing RUN apt-get update && apt-get install ... invocations in the apollo and init stages of self-host/self-host.Dockerfile only patch the packages we explicitly install (bash, ca-certificates, gzip, openjdk-17-jre-headless, make). Transitive deps inherited from the base image (libgnutls30, libcap2, etc.) stayed pinned to whatever version was baked into the upstream node:20.20.2-slim digest.

Folding apt-get upgrade -y into the same RUN layer (between update and install, before the rm -rf /var/lib/apt/lists/* cleanup) pulls in all available security updates without leaking the apt cache.

What this PR does NOT cover

The same VA report also flagged 5 npm CVEs. I verified each against pnpm-lock.yaml and root pnpm.overrides:

CVE	Package	Reported	Actual	Status
CVE-2026-41242	protobufjs	7.5.4	7.5.5 (override)	False positive
CVE-2026-33937	handlebars	4.7.8	4.7.9 (override)	False positive
CVE-2026-28292	simple-git	3.16.0	3.36.0 (override)	False positive
CVE-2026-6951	simple-git	3.16.0	3.36.0 (override)	False positive
CVE-2026-44902	@opentelemetry/auto-instrumentations-node	0.57.1	0.57.1	Present, not exploitable — CVE is in the Prometheus exporter's HTTP server; Apollo only ever instantiates `OTLPMetricExporter` (see `apps/apollo/src/instrumentation.node.ts:53`). Recommend a follow-up PR to bump to `^0.75.0` to silence scanners.

How did I test this PR

Static review: confirmed the new apt-get upgrade -y is inside the same RUN layer as the existing update + install + rm -rf /var/lib/apt/lists/*, so the cache cleanup still applies and no extra layer is introduced.
Cross-checked the fix versions against the Debian security tracker for all three CVEs — fixes are live in bookworm-updates.
CI note: no pull_request-triggered workflow builds self-host.Dockerfile in this repo (only self_hosted_image.yml on push-to-production and manual dispatch). Before merging, recommend running self_hosted_image.yml via workflow_dispatch to confirm both apollo and init images still build cleanly and the smoke tests pass.

🤖 Generated with Claude Code

@zen-agent3w ago

Post-PR Status Update

Step	Result
`/build-checks` (apollo profile)	✅ PASS — lint, format:check, check-types all green (one pre-existing lint warning, unrelated)
`/codex-review-loop`	✅ LGTM iter 1 — "The change only adds apt package upgrades in the final Docker runtime stages and preserves the existing apt cache cleanup and install flow. I did not find a discrete correctness, security, or maintainability issue introduced by this patch."
CI (`gh-fix-ci-loop`)	✅ All 29 checks green
Testing checklist	Unit tests N/A (Dockerfile-only). E2E/runtime build not exercised — no Docker daemon in this sandbox, and no `pull_request`-triggered workflow builds `self-host.Dockerfile`. Local Apollo + Thermos services are healthy but they run against the host filesystem, not the built image.
PR comments	None requiring action — only informational bot comments (Vercel, suggested-reviewers, test-results, codecov).

Remaining blocker before merge

CI does not build this Dockerfile on PRs. Before merging, please run self_hosted_image.yml via workflow_dispatch to confirm both the apollo and init images still build cleanly with apt-get upgrade -y in the layer and that self-host/test-docker-images.sh smoke tests pass.

▸ 4 bot/status comments hidden

@vercel[bot]3w ago

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
apollo	Ready	Preview, Comment	May 20, 2026 3:42pm

Project	Deployment	Actions	Updated (UTC)
debby	Ignored		May 20, 2026 3:42pm

@github-actions[bot]3w ago

🔍 Suggested Reviewers

Based on git blame analysis of 1 file(s):

Contributor	Contribution	Files
riteshsonawane1372	61%	1
Utkarsh Dixit

loading diff…

@zen-agent3w ago

Post-PR Status Update

Step	Result
`/build-checks` (apollo profile)	✅ PASS — lint, format:check, check-types all green (one pre-existing lint warning, unrelated)
`/codex-review-loop`	✅ LGTM iter 1 — "The change only adds apt package upgrades in the final Docker runtime stages and preserves the existing apt cache cleanup and install flow. I did not find a discrete correctness, security, or maintainability issue introduced by this patch."
CI (`gh-fix-ci-loop`)	✅ All 29 checks green
Testing checklist	Unit tests N/A (Dockerfile-only). E2E/runtime build not exercised — no Docker daemon in this sandbox, and no `pull_request`-triggered workflow builds `self-host.Dockerfile`. Local Apollo + Thermos services are healthy but they run against the host filesystem, not the built image.
PR comments	None requiring action — only informational bot comments (Vercel, suggested-reviewers, test-results, codecov).

Flag	Coverage Δ
e2e-tests	`?`
self-hosted-tests	`5.58% <ø> (ø)`
unit-tests	`?`

fix(security): apt-get upgrade in self-host runtime stages

Description

What this PR does NOT cover

How did I test this PR

Post-PR Status Update

Remaining blocker before merge

🔍 Suggested Reviewers

Description

What this PR does NOT cover

How did I test this PR

Post-PR Status Update

Remaining blocker before merge

🔍 Suggested Reviewers

💡 Recommendation

🧪 Test Results Summary (Self-Hosted Tests)

Codecov Report