gosu doesn't publish proper Go module semver tags, so
`go install github.com/tianon/gosu@v1.19` fails with "no matching
versions". Replace the multi-stage golang builder with
`COPY --from=tianon/gosu /gosu /usr/local/bin/gosu`, which pulls the
pre-built binary from the official tianon/gosu Docker image. This image
is rebuilt with recent Go toolchains, so it still addresses the Go
stdlib CVEs documented in the Dockerfile comments.
Fixes#363
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The gosu 1.19 binary bundled in the postgres base image was compiled
with Go 1.24.6, which contains CVE-2025-68121 (CRITICAL) and 5 HIGH
severity Go stdlib vulnerabilities. Since upstream gosu has not released
a version built with patched Go (1.24.13+ / 1.25.7+), this adds a
multi-stage Docker build that recompiles gosu from source using Go 1.26.
Changes:
- Pin postgres base image to 17.7-alpine3.22 for reproducibility
- Add golang:1.26-alpine3.22 builder stage to compile gosu v1.19
- Replace bundled gosu binary with freshly built version
- Pin all postgres:17-alpine references across compose files and CI
CVEs fixed:
- CVE-2025-68121 (CRITICAL): Go crypto/tls vulnerability
- CVE-2025-58183 (HIGH): Go archive/tar unbounded allocation
- CVE-2025-61726 (HIGH): Go net/url memory exhaustion
- CVE-2025-61728 (HIGH): Go archive/zip CPU exhaustion
- CVE-2025-61729 (HIGH): Go crypto/x509 DoS
- CVE-2025-61730 (HIGH): Go TLS 1.3 handshake vulnerability
Fixes#363
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Added explicit package update/upgrade step to patch CVE-2025-58183, CVE-2025-61726, CVE-2025-61728, and CVE-2025-61729 in Go stdlib components from Alpine Linux packages (likely LLVM or transitive dependencies).
The fix ensures all base image packages are up-to-date before pgvector build, capturing any security patches released for Alpine components.
Fixes#181
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
