Skip to content

chore(deps): update docker.io/cuelang/cue docker tag to v0.16.1#346

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/docker.io-cuelang-cue-0.x
Open

chore(deps): update docker.io/cuelang/cue docker tag to v0.16.1#346
renovate[bot] wants to merge 1 commit intomainfrom
renovate/docker.io-cuelang-cue-0.x

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Dec 1, 2025
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Type Update Change OpenSSF
docker.io/cuelang/cue stage minor 0.13.20.16.1 OpenSSF Scorecard

Release Notes

cue-lang/cue (docker.io/cuelang/cue)

v0.16.1

Compare Source

Language

The fallback keyword in the aliasv2 experiment is replaced by otherwise, which is clearer. cue fmt or cue fix can be used to rewrite existing code.

Evaluator

Fix a regression where the compiler could add comments to the input AST value, which could lead to increased memory usage.

Fix a bug where exporting certain schemas could result in "cannot have both alias and field in same scope" errors.

cmd/cue

Fix a panic which could occur when using non-label expressions in the --path flag.

Teach cue login to give helpful errors when used with OCI registries which don't support the OAuth2 device flow.

Go API

Fix a regression where cue.Context.Encode could panic on custom marshaler types with pointer receivers.

Full list of changes since v0.16.0

v0.16.0

Compare Source

Changes which may break some users are marked below with: ⚠️

Language

As a reminder, we have two ongoing language experiments since v0.15; a replacement for struct embedding and a rework of aliases. Please give these a try and report any issues or feedback!

⚠️ The cmdreferencepkg global experiment is now stable, meaning that CUE_EXPERIMENT=cmdreferencepkg is always enabled.

#"""# is now accepted as a string literal quoting a double quote, ".

Multiline string literals now require a trailing newline, matching the language spec.

The new try experiment

This release introduces the try experiment, which adds a try clause in comprehensions as well as the use of ? in field selectors. This addition to the language is intended to provide a more concise syntax for handling optional fields without the risk of unintentionally swallowing errors.

This experiment also introduces the else clause for if and try comprehensions, and the fallback clause for for comprehensions, which trigger when a comprehension produces zero values.

You can try this experiment by following our how-to guides on the try clause and the else clause. For more information, see the proposal on GitHub and the spec change patch.

Evaluator

Performance

Further improve the use of caching in the typochecker algorithm; this provides speed-ups of up to 80% on some large projects.

Very large structs (tested with 20,000 fields) are up to 80% faster now, as we were repeating some work unnecessarily.

A great deal of effort has gone into reducing the allocations and memory usage across a number of projects. For some of these, memory usage is down by as much as 60%.

These improvements were possible thanks to our Unity service, letting us analyze CUE's performance and test for regressions on third party projects. Contact @​mvdan on Discord, Slack, or via the Unity page to ensure that your project is included or you are running into slowness.

A number of changes were made to improve support for using cue.Values concurrently; see Issue #​2733 for more details and ongoing progress.

Other changes

Fix a regression introduced in v0.13 where the or built-in with literal arguments could stop behaving like a disjunction.

A number of panics and other bugs in the evaluator which were reported since v0.15.0 have been fixed; thank you to all who reported these.

cmd/cue

Add support for $DOCKER_AUTH_CONFIG to directly provide the contents of $DOCKER_CONFIG/config.json to authenticate with module registries, matching Docker's current behavior.

The --outfile flag now works when given non-regular files such as named pipes or sockets.

⚠️ cue mod publish no longer ignores sub-directories containing a go.mod file.

⚠️ Using cue inside the cue.mod directory now fails consistently with a clear error message to not place CUE code there. Previously, some commands worked while others failed with confusing errors.

⚠️ The global --verbose and --trace flags have been moved to the cue get go and cue trim commands respectively, as they were the only ones actually using those flags, and this could be confusing to users.

Fix a bug where loading ./...:pkgname could lead to loading directories without CUE files as instances, which could cause poor performance for CUE packages with multiple parent directories.

cue exp writefs gains an encoding optional field for regular files, to specify an encoding rather than infer it from the filename extension.

LSP server

Initial LSP support for editing embedded JSON and YAML files. This feature provides completions and hover-docs when editing JSON or YAML files which are embedded into CUE via the @embed attribute. A teaser video is available on YouTube.

Code Actions: two code actions are now provided, Add surrounding struct braces and Remove surrounding struct braces, which convert between

a: b: c

and

a: {
	b: c
}

with the cursor on b.

A complete overhaul of how the LSP server suggests code completions. This solves the previous naïve implementation which would only make suggestions after a field name or path had been started. Now completions are available from within whitespace.

Embedded paths with mutual dependencies: embedded paths with multiple components (e.g. a.b.c) can in some cases only be fully resolved after the resolution of other embedded paths. The LSP server can now correctly handle these dependencies.

The LSP server now implements LSP Document Symbols functionality. This is often used by editors to provide light-weight breadcrumb navigation within a file.

Some preliminary diagnostics are now sent from the LSP server back to the editor. Initially this mainly indicates syntax errors in CUE files, but this can be extended in the future.

Many bug fixes, including better behaviour for files and directories with spaces; improvements for value aliases (foo: L=x); LSP rename now provides placeholder text; improved jump-to-definition behaviour for package-level fields; fixed issues around imports; path resolution; formatting of standalone CUE files; and others.

See our Getting Started wiki page for instructions on how to set it up with your editor.

Please report any bugs or missing features you encounter via the Issue tracker or via the #lsp channels on Discord or Slack.

Encodings

Add support for encoding YAML tags like key: !Custom value by using CUE attributes like key: "value" @​yaml(,tag="!Custom").

cue get go now detects which Go packages use Kubernetes type semantics via // +k8s:openapi-gen=true and obeys the field annotations // +optional and // +nullable.

cue get go gains a --codec flag to configure the use and priority of Go struct field tags like json or yaml.

Fix a bug where cue get go could skip over fields whose type implements one of the supported marshaling interfaces.

Fix a few bugs where cue get go could result in invalid or failing CUE code.

JSON Schema's Config.OpenOnlyWhenExplicit option is now exposed for the CLI via the filetype tag jsonschema+openOnlyWhenExplicit.

JSON Schema now properly encodes hash references for better compatibility with other tools.

Standard library

The strconv package adds ParseNumber, like ParseInt or ParseFloat but allowing other CUE number strings such as 1Ki.

The net package adds InCIDR to test whether an IP is contained by a CIDR string.

The net package adds ParseCIDR to extract useful information from a CIDR string.

The net package adds CompareIP to compare two IP addresses, which can be useful for computing with IP ranges.

The net/http package adds Serve as an experimental API to listen on a port and serve HTTP requests.

The tool/file package adds Symlink to create symbolic links.

Go API

cue.Value.Decode now supports the new cue.Unmarshaler interface, allowing Go types to implement their own CUE value decoding logic via an UnmarshalCUE(cue.Value) error method.

The new cue.IsIncomplete function reports whether the given value is a CUE incomplete error.

cue/ast gains the NewPredeclared and Ident.IsPredeclared to mark and detect identifiers referencing predeclared names like error or int rather than fields which may shadow those names in the current scope.

⚠️ cue.Value.Decode now uses cue.IsIncomplete to not treat incomplete errors as fatal, allowing the decoding to continue.

Fix a bug where cue.Value.Decode could behave incorrectly when decoding a CUE null or incomplete value.

⚠️ cue/token.Compare now sorts absolute paths before relative ones, to ensure consistent behavior between Unix-like systems and Windows.

⚠️ The long-deprecated cue/ast.Node.Comments and cue/ast.Node.AddComment interface methods are now removed; use cue/ast.Comments and cue/ast.AddComment respectively.

⚠️ The long-deprecated and unused cue/parser.FromVersion and cue/parser.DeprecationError APIs are now removed.

⚠️ The long-deprecated and hidden cue.Instance.Eval method is now removed.

Full list of changes since v0.15.0

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from Djaytan as a code owner December 1, 2025 01:16
@github-actions
Copy link
Copy Markdown

github-actions bot commented Dec 1, 2025
edited
Loading

Overview

Image reference djaytan/papermc-server:1.21.11 djaytan/papermc-server:test
- digest f460d28482da 35fdfde61953
- tag 1.21.11 test
- stream latest
- vulnerabilities critical: 2 high: 13 medium: 18 low: 3 unspecified: 12 critical: 1 high: 6 medium: 5 low: 2 unspecified: 6
- platform linux/amd64 linux/amd64
- size 137 MB 148 MB (+11 MB)
- packages 169 177 (+8)
Base Image alpine:3
also known as:
3.23
3.23.3
latest		 alpine:3
also known as:
3.23
3.23.3
latest
- vulnerabilities critical: 0 high: 0 medium: 2 low: 1 critical: 0 high: 0 medium: 2 low: 1
Policies (1 improved, 1 worsened, 3 missing data)
Policy Name djaytan/papermc-server:1.21.11 djaytan/papermc-server:test Change Standing
No unapproved base images ❓ No data
Default non-root user No Change
No AGPL v3 licenses No Change
No fixable critical or high vulnerabilities ⚠️ 19 ⚠️ 7 -12 Improved
No high-profile vulnerabilities No Change
No outdated base images ❓ No data
SonarQube quality gates passed ❓ No data ❓ No data
Supply chain attestations ⚠️ 2 +2 Worsened
Packages and Vulnerabilities (43 package changes and 19 vulnerability changes)
  • ➕ 18 packages added
  • ➖ 13 packages removed
  • ♾️ 12 packages changed
  • 141 packages unchanged
  • ✔️ 19 vulnerabilities removed
Changes for packages of type apk (7 changes)
Package Version
djaytan/papermc-server:1.21.11		 Version
djaytan/papermc-server:test
alpine-base 3.23.3-r0
ca-certificates 20251003-r0
gcc 15.2.0-r2
ncurses 6.5_p20251123-r0
openssl 3.5.5-r0
pax-utils 1.3.8-r2
xz 5.8.2-r0
Changes for packages of type generic (2 changes)
Package Version
djaytan/papermc-server:1.21.11		 Version
djaytan/papermc-server:test
openjdk 21.0.10
openjdk 21.0.10
Changes for packages of type golang (34 changes)
Package Version
djaytan/papermc-server:1.21.11		 Version
djaytan/papermc-server:test
cuelabs.dev/go/oci/ociregistry 0.0.0-20250304105642-27e071d2c9b1
cuelabs.dev/go/oci/ociregistry 0.0.0-20251212221603-3adeb8663819
♾️ cuelang.org/go 0.13.2 0.16.1
github.com/cenkalti/backoff/v5 5.0.3
github.com/cenkalti/backoff/v5 5.0.3
github.com/cespare/xxhash/v2 2.3.0
github.com/cespare/xxhash/v2 2.3.0
github.com/cockroachdb/apd/v3 3.2.1
github.com/cockroachdb/apd/v3 3.2.1
♾️ github.com/emicklei/proto 1.14.0 1.14.3
github.com/grpc-ecosystem/grpc-gateway/v2 2.27.7
github.com/grpc-ecosystem/grpc-gateway/v2 2.27.7
github.com/pelletier/go-toml/v2 2.2.4
github.com/pelletier/go-toml/v2 2.2.4
♾️ github.com/protocolbuffers/txtpbfmt 0.0.0-20250129171521-feedd8250727 0.0.0-20260217160748-a481f6a22f94
♾️ github.com/spf13/cobra 1.9.1 1.10.2
♾️ github.com/spf13/pflag 1.0.6 1.0.10
go.opentelemetry.io/contrib/instrumentation/runtime 0.65.0
go.opentelemetry.io/contrib/instrumentation/runtime 0.65.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc 1.40.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc 1.40.0
go.opentelemetry.io/otel/sdk/metric 1.40.0
go.yaml.in/yaml/v3 3.0.4
♾️ golang.org/x/mod 0.24.0 0.34.0
♾️ golang.org/x/net 0.49.0 0.52.0
♾️ golang.org/x/oauth2 0.29.0 0.36.0
♾️ golang.org/x/sync 0.13.0 0.20.0
♾️ golang.org/x/text 0.33.0 0.35.0
♾️ golang.org/x/tools 0.32.0 0.43.0
google.golang.org/genproto/googleapis/api 0.0.0-20260203192932-546029d2fa20
google.golang.org/genproto/googleapis/rpc 0.0.0-20260203192932-546029d2fa20
google.golang.org/genproto/googleapis/rpc 0.0.0-20260203192932-546029d2fa20
gopkg.in/yaml.v3 3.0.1
♾️ stdlib 1.25.7 1.26.2
critical: 0 high: 1 medium: 1 low: 1 unspecified: 6
Removed vulnerabilities (9):
  • high : CVE--2026--25679
  • medium : CVE--2026--27142
  • low : CVE--2026--27139
  • unspecified : CVE--2026--32289
  • unspecified : CVE--2026--32288
  • unspecified : CVE--2026--32283
  • unspecified : CVE--2026--32282
  • unspecified : CVE--2026--32281
  • unspecified : CVE--2026--32280

@github-actions
Copy link
Copy Markdown

github-actions bot commented Dec 1, 2025
edited
Loading

🔍 Vulnerabilities of djaytan/papermc-server:test

📦 Image Reference djaytan/papermc-server:test
digestsha256:35fdfde619537f4af61e339f5427a36821752c1e694912fad392565bae95f1ff
vulnerabilitiescritical: 1 high: 6 medium: 5 low: 2 unspecified: 6
platformlinux/amd64
size148 MB
packages177
📦 Base Image alpine:3
also known as
  • 3.23
  • 3.23.3
  • latest
digestsha256:59855d3dceb3ae53991193bd03301e082b2a7faa56a514b03527ae0ec2ce3a95
vulnerabilitiescritical: 0 high: 0 medium: 2 low: 1
critical: 1 high: 0 medium: 0 low: 0 google.golang.org/grpc 1.78.0 (golang)

pkg:golang/google.golang.org/grpc@1.78.0

critical 9.1: CVE--2026--33186 Improper Authorization

Affected range<1.79.3
Fixed version1.79.3
CVSS Score9.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score0.014%
EPSS Percentile3rd percentile
Description

Impact

What kind of vulnerability is it? Who is impacted?

It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header.

The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash (e.g., Service/Method instead of /Service/Method). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official grpc/authz package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with /) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

Who is impacted?
This affects gRPC-Go servers that meet both of the following criteria:

  1. They use path-based authorization interceptors, such as the official RBAC implementation in google.golang.org/grpc/authz or custom interceptors relying on info.FullMethod or grpc.Method(ctx).
  2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed :path headers directly to the gRPC server.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the issue has been patched. The fix ensures that any request with a :path that does not start with a leading slash is immediately rejected with a codes.Unimplemented error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.

Users should upgrade to the following versions (or newer):

  • v1.79.3
  • The latest master branch.

It is recommended that all users employing path-based authorization (especially grpc/authz) upgrade as soon as the patch is available in a tagged release.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:

1. Use a Validating Interceptor (Recommended Mitigation)

Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:

func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
    if info.FullMethod == "" || info.FullMethod[0] != '/' {
        return nil, status.Errorf(codes.Unimplemented, "malformed method name")
    }   
    return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain
s := grpc.NewServer(
    grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)

2. Infrastructure-Level Normalization

If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the :path header does not start with a leading slash.

3. Policy Hardening

Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.

critical: 0 high: 4 medium: 1 low: 0 org.apache.commons/commons-compress 1.5 (maven)

pkg:maven/org.apache.commons/commons-compress@1.5

high 7.5: CVE--2021--36090 Improper Handling of Length Parameter Inconsistency

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score0.592%
EPSS Percentile69th percentile
Description

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

high 7.5: CVE--2021--35517 Improper Handling of Length Parameter Inconsistency

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score1.062%
EPSS Percentile78th percentile
Description

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

high 7.5: CVE--2021--35516 Improper Handling of Length Parameter Inconsistency

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score1.402%
EPSS Percentile80th percentile
Description

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

high 7.5: CVE--2021--35515 Excessive Iteration

Affected range<1.21
Fixed version1.21
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score0.598%
EPSS Percentile69th percentile
Description

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

medium 5.9: CVE--2024--25710 Loop with Unreachable Exit Condition ('Infinite Loop')

Affected range>=1.3
<1.26.0
Fixed version1.26.0
CVSS Score5.9
CVSS VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS Score0.018%
EPSS Percentile5th percentile
Description

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

critical: 0 high: 1 medium: 1 low: 1 unspecified: 6stdlib 1.25.7 (golang)

pkg:golang/stdlib@1.25.7

high : CVE--2026--25679

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.033%
EPSS Percentile10th percentile
Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

medium : CVE--2026--27142

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.012%
EPSS Percentile2nd percentile
Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

low : CVE--2026--27139

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.005%
EPSS Percentile0th percentile
Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

unspecified : CVE--2026--32289

Affected range<1.25.9
Fixed version1.25.9
Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

unspecified : CVE--2026--32288

Affected range<1.25.9
Fixed version1.25.9
Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

unspecified : CVE--2026--32283

Affected range<1.25.9
Fixed version1.25.9
Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

unspecified : CVE--2026--32282

Affected range<1.25.9
Fixed version1.25.9
Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

unspecified : CVE--2026--32281

Affected range<1.25.9
Fixed version1.25.9
Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

unspecified : CVE--2026--32280

Affected range<1.25.9
Fixed version1.25.9
Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

critical: 0 high: 1 medium: 0 low: 0 org.codehaus.plexus/plexus-utils 3.5.1 (maven)

pkg:maven/org.codehaus.plexus/plexus-utils@3.5.1

high : CVE--2025--67030 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected range<=4.0.2
Fixed version4.0.3
EPSS Score0.247%
EPSS Percentile48th percentile
Description

Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code

critical: 0 high: 0 medium: 1 low: 1 zlib 1.3.1-r2 (apk)

pkg:apk/alpine/zlib@1.3.1-r2?os_name=alpine&os_version=3.23

medium : CVE--2026--22184

Affected range<1.3.2-r0
Fixed version1.3.2-r0
EPSS Score0.017%
EPSS Percentile4th percentile
Description

low : CVE--2026--27171

Affected range<1.3.2-r0
Fixed version1.3.2-r0
EPSS Score0.007%
EPSS Percentile1st percentile
Description
critical: 0 high: 0 medium: 1 low: 0 busybox 1.37.0-r30 (apk)

pkg:apk/alpine/busybox@1.37.0-r30?os_name=alpine&os_version=3.23

medium : CVE--2025--60876

Affected range<=1.37.0-r30
Fixed versionNot Fixed
EPSS Score0.064%
EPSS Percentile20th percentile
Description
critical: 0 high: 0 medium: 1 low: 0 commons-lang/commons-lang 2.6 (maven)

pkg:maven/commons-lang/commons-lang@2.6

medium 6.5: CVE--2025--48924 Uncontrolled Recursion

Affected range>=2.0
<=2.6
Fixed versionNot Fixed
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score0.033%
EPSS Percentile9th percentile
Description

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

@renovate renovate bot force-pushed the renovate/docker.io-cuelang-cue-0.x branch from d261a73 to 1e3bed5 Compare December 30, 2025 14:01
@renovate renovate bot changed the title chore(deps): update docker.io/cuelang/cue docker tag to v0.15.1 chore(deps): update docker.io/cuelang/cue docker tag to v0.15.3 Dec 30, 2025
@renovate renovate bot force-pushed the renovate/docker.io-cuelang-cue-0.x branch from 1e3bed5 to 1ea5d94 Compare January 27, 2026 17:36
@renovate renovate bot changed the title chore(deps): update docker.io/cuelang/cue docker tag to v0.15.3 chore(deps): update docker.io/cuelang/cue docker tag to v0.15.4 Jan 27, 2026
@renovate renovate bot force-pushed the renovate/docker.io-cuelang-cue-0.x branch from 1ea5d94 to 22972e7 Compare February 15, 2026 17:06
@renovate renovate bot force-pushed the renovate/docker.io-cuelang-cue-0.x branch from 22972e7 to f9bac18 Compare March 3, 2026 18:42
@renovate renovate bot changed the title chore(deps): update docker.io/cuelang/cue docker tag to v0.15.4 chore(deps): update docker.io/cuelang/cue docker tag to v0.16.0 Mar 3, 2026
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Mar 3, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate renovate bot force-pushed the renovate/docker.io-cuelang-cue-0.x branch from f9bac18 to 4d575dd Compare April 8, 2026 18:10
@renovate renovate bot changed the title chore(deps): update docker.io/cuelang/cue docker tag to v0.16.0 chore(deps): update docker.io/cuelang/cue docker tag to v0.16.1 Apr 8, 2026
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Apr 8, 2026

Quality Gate Failed Quality Gate failed

Failed conditions
E Maintainability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Djaytan Djaytan Awaiting requested review from Djaytan Djaytan is a code owner

At least 0 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

t:dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants