stack

mosaic/stack

Fork 0

Commit Graph

Author	SHA1	Message	Date
Jason Woltje	429cf85f87	fix(#363 ): rebuild gosu from source with Go 1.26 to fix CRITICAL CVEs The gosu 1.19 binary bundled in the postgres base image was compiled with Go 1.24.6, which contains CVE-2025-68121 (CRITICAL) and 5 HIGH severity Go stdlib vulnerabilities. Since upstream gosu has not released a version built with patched Go (1.24.13+ / 1.25.7+), this adds a multi-stage Docker build that recompiles gosu from source using Go 1.26. Changes: - Pin postgres base image to 17.7-alpine3.22 for reproducibility - Add golang:1.26-alpine3.22 builder stage to compile gosu v1.19 - Replace bundled gosu binary with freshly built version - Pin all postgres:17-alpine references across compose files and CI CVEs fixed: - CVE-2025-68121 (CRITICAL): Go crypto/tls vulnerability - CVE-2025-58183 (HIGH): Go archive/tar unbounded allocation - CVE-2025-61726 (HIGH): Go net/url memory exhaustion - CVE-2025-61728 (HIGH): Go archive/zip CPU exhaustion - CVE-2025-61729 (HIGH): Go crypto/x509 DoS - CVE-2025-61730 (HIGH): Go TLS 1.3 handshake vulnerability Fixes #363 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-12 12:38:33 -06:00
Jason Woltje	7c2df59499	fix(#181 ): Update Alpine packages to patch Go stdlib vulnerabilities in postgres image Added explicit package update/upgrade step to patch CVE-2025-58183, CVE-2025-61726, CVE-2025-61728, and CVE-2025-61729 in Go stdlib components from Alpine Linux packages (likely LLVM or transitive dependencies). The fix ensures all base image packages are up-to-date before pgvector build, capturing any security patches released for Alpine components. Fixes #181 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-01 20:54:57 -06:00
Jason Woltje	99afde4f99	feat(#2 ): Implement PostgreSQL 17 + pgvector database schema Establishes multi-tenant database layer with vector similarity search for AI-powered memory features. Includes Docker infrastructure, Prisma ORM integration, NestJS services, and shared types across the monorepo. Key changes: - Docker: PostgreSQL 17 + pgvector v0.7.4, Valkey cache - Schema: 8 models (User, Workspace, Task, Event, Project, ActivityLog, MemoryEmbedding) with RLS preparation - NestJS: PrismaModule, DatabaseModule, EmbeddingsService - Shared: Type-safe enums, constants, and database types Fixes #2 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-01-28 16:06:34 -06:00

Author

SHA1

Message

Date

Jason Woltje

429cf85f87

fix(#363 ): rebuild gosu from source with Go 1.26 to fix CRITICAL CVEs

The gosu 1.19 binary bundled in the postgres base image was compiled
with Go 1.24.6, which contains CVE-2025-68121 (CRITICAL) and 5 HIGH
severity Go stdlib vulnerabilities. Since upstream gosu has not released
a version built with patched Go (1.24.13+ / 1.25.7+), this adds a
multi-stage Docker build that recompiles gosu from source using Go 1.26.

Changes:
- Pin postgres base image to 17.7-alpine3.22 for reproducibility
- Add golang:1.26-alpine3.22 builder stage to compile gosu v1.19
- Replace bundled gosu binary with freshly built version
- Pin all postgres:17-alpine references across compose files and CI

CVEs fixed:
- CVE-2025-68121 (CRITICAL): Go crypto/tls vulnerability
- CVE-2025-58183 (HIGH): Go archive/tar unbounded allocation
- CVE-2025-61726 (HIGH): Go net/url memory exhaustion
- CVE-2025-61728 (HIGH): Go archive/zip CPU exhaustion
- CVE-2025-61729 (HIGH): Go crypto/x509 DoS
- CVE-2025-61730 (HIGH): Go TLS 1.3 handshake vulnerability

Fixes #363

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-12 12:38:33 -06:00

Jason Woltje

7c2df59499

fix(#181 ): Update Alpine packages to patch Go stdlib vulnerabilities in postgres image

Added explicit package update/upgrade step to patch CVE-2025-58183, CVE-2025-61726, CVE-2025-61728, and CVE-2025-61729 in Go stdlib components from Alpine Linux packages (likely LLVM or transitive dependencies).

The fix ensures all base image packages are up-to-date before pgvector build, capturing any security patches released for Alpine components.

Fixes #181
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-02-01 20:54:57 -06:00

Jason Woltje

99afde4f99

feat(#2 ): Implement PostgreSQL 17 + pgvector database schema

Establishes multi-tenant database layer with vector similarity search for AI-powered memory features. Includes Docker infrastructure, Prisma ORM integration, NestJS services, and shared types across the monorepo.

Key changes:
- Docker: PostgreSQL 17 + pgvector v0.7.4, Valkey cache
- Schema: 8 models (User, Workspace, Task, Event, Project, ActivityLog, MemoryEmbedding) with RLS preparation
- NestJS: PrismaModule, DatabaseModule, EmbeddingsService
- Shared: Type-safe enums, constants, and database types

Fixes #2

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-01-28 16:06:34 -06:00

3 Commits