
Conversation


@hippogr hippogr commented Jan 20, 2026

This PR is the security update for Jan. 2026, in which most of the work is to use homebrew versions instead of official versions for Golang-based applications used by different kinds of device plugins, along with Golang toolchain version and Node.js package updates.


Copilot AI left a comment


Pull request overview

This PR performs the January 2026 security and dependency refresh, primarily by upgrading Golang toolchain bases, Kubernetes-related images, device plugins, and the qs Node.js library, while moving some components to “homebrew” builds from upstream source.

Changes:

  • Bump Go base images, Kubernetes scheduler, FRP, nerdctl, and related tooling to newer, presumably patched versions across multiple Dockerfiles.
  • Replace third-party prebuilt images (notably gosu and NVIDIA/other device plugins) with in-repo build stages that clone upstream source and compile with the updated Go toolchain.
  • Update Node.js qs dependency to 6.14.1 and enforce it via resolutions across REST server, database controller, and alert-manager services.

Reviewed changes

Copilot reviewed 20 out of 24 changed files in this pull request and generated 2 comments.

Summary per file (file: description):

  • src/watchdog/build/watchdog.common.dockerfile: Updates watchdog builder base image to golang:1.24.11-alpine3.21 for security/bugfixes.
  • src/rest-server/yarn.lock: Locks qs to 6.14.1 in the REST server dependency graph.
  • src/rest-server/package.json: Adds a Yarn resolutions.qs constraint to force qs@^6.14.1 in the REST server.
  • src/pylon/build/reverseproxy.common.dockerfile: Bumps FRP reverse-proxy binary from 0.65.0 to 0.66.0 for the pylon reverse proxy.
  • src/postgresql/build/postgresql.k8s.dockerfile: Replaces external tianon/gosu with a Go-based build stage compiling gosu from source and injects it into the Postgres image.
  • src/model-proxy/build/model-proxy.common.dockerfile: Updates model-proxy builder to golang:1.25.5 to pick up latest Go 1.25 patch fixes.
  • src/job-exporter/build/job-exporter.common.dockerfile: Increases nerdctl CLI version from 2.1.3 to 2.2.1 for the job exporter image.
  • src/hivedscheduler/build/kube-scheduler.k8s.dockerfile: Upgrades the kube-scheduler base image from v1.33.1 to v1.33.7.
  • src/hivedscheduler/build/hivedscheduler.k8s.dockerfile: Bumps hivedscheduler builder base to golang:1.24.11-alpine3.21.
  • src/frameworkcontroller/build/frameworkcontroller.common.dockerfile: Updates frameworkcontroller builder base to golang:1.24.11-alpine3.21.
  • src/frameworkcontroller/build/frameworkbarrier.common.dockerfile: Updates frameworkbarrier builder base to golang:1.24.11-alpine3.21.
  • src/device-plugin/build/k8s-rocm-device-plugin.k8s.dockerfile: Switches ROCm device plugin build to Go 1.24.11, replaces local patching with go mod edit/tidy-based dependency pinning.
  • src/device-plugin/build/k8s-rocm-device-plugin-patches/0001-update-toolchain-to-1.24-with-package-updates.patch: Removes an in-repo patch file now superseded by Dockerfile-based go mod editing.
  • src/device-plugin/build/k8s-rdma-shared-dev-plugin.k8s.dockerfile: Moves RDMA shared device plugin to Go 1.24.11-alpine, installs build tooling, and pins key runtime-related dependencies via go mod edit.
  • src/device-plugin/build/k8s-nvidia-device-plugin.k8s.dockerfile: Replaces the prebuilt NVIDIA device-plugin image with a multi-stage build that clones NVIDIA/k8s-device-plugin@v0.18.0, runs make PREFIX=/artifacts cmds, and packages the binaries into a distroless-based runtime image.
  • src/device-plugin/build/k8s-host-device-plugin.k8s.dockerfile: Updates host-device plugin to Go 1.24.11 and uses go mod edit/tidy to bump and pin its key dependencies instead of applying a stored patch.
  • src/device-plugin/build/k8s-host-device-plugin-patches/0001-update-Golang-toolchain-to-1.24.patch: Deletes the host-device plugin Go toolchain update patch, now handled inline in the Dockerfile.
  • src/database-controller/src/yarn.lock: Updates qs lock entry to 6.14.1 (covering ^6.14.0 and ^6.14.1) for the database-controller service.
  • src/database-controller/src/package.json: Adds a resolutions.qs entry to force qs@^6.14.1 in the database-controller's dependency tree.
  • src/alert-manager/src/job-status-change-notification/yarn.lock: Updates qs lock entry to 6.14.1 for the job-status-change-notification sub-service.
  • src/alert-manager/src/job-status-change-notification/package.json: Adds resolutions.qs for ^6.14.1 in the job-status-change-notification package.
  • src/alert-manager/src/alert-handler/yarn.lock: Updates qs lock entry to 6.14.1 for the alert-handler sub-service.
  • src/alert-manager/src/alert-handler/package.json: Adds resolutions.qs for ^6.14.1 in the alert-handler package.
  • src/alert-manager/build/redis-monitoring.common.dockerfile: Replaces the tianon/gosu:latest base with a Go 1.24-based build stage that clones and compiles gosu from source for redis-monitoring, then copies the binary into the Redis runtime image.
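A Yarn "resolutions" entry only helps if the regenerated yarn.lock actually collapsed every qs range onto the forced release, which is the thing a reviewer wants to confirm across the three services touched here. The script below is an added example, not code from this PR or the project: it parses the Yarn v1 lockfile format and fails when any entry of the named package resolved to a version other than the expected one. The two lockfile snippets are constructed for the demo and only mimic the "qs@^6.14.0, qs@^6.14.1:" entry shape this PR produces; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of this PR: check that a Yarn v1 lockfile really
# resolved every entry of a package to the version forced by "resolutions".

# Constructed: two qs entries, one still on an older release (no resolution yet).
LOCK_BEFORE='qs@^6.11.0:
  version "6.11.0"
  resolved "https://registry.yarnpkg.com/qs/-/qs-6.11.0.tgz"

qs@^6.14.0:
  version "6.14.0"
  resolved "https://registry.yarnpkg.com/qs/-/qs-6.14.0.tgz"
'

# Constructed: after adding "resolutions": {"qs": "^6.14.1"} and re-running
# yarn, every qs range collapses onto one entry resolved to 6.14.1.
LOCK_AFTER='qs@^6.11.0, qs@^6.14.0, qs@^6.14.1:
  version "6.14.1"
  resolved "https://registry.yarnpkg.com/qs/-/qs-6.14.1.tgz"
'

# lockfile_versions PKG: read a yarn.lock on stdin and print the resolved
# version of every entry whose selector starts with PKG@, one per line.
lockfile_versions() {
  awk -v pkg="$1" '
    # An unindented line starts a new entry; remember whether it is for PKG.
    /^[^ ]/ { inblock = ($0 ~ "^\"?" pkg "@") }
    # Inside a matching entry, the indented "version" line carries the answer.
    inblock && /^  version / { gsub(/"/, "", $2); print $2 }
  '
}

# check_pinned PKG VERSION: exit 0 only if PKG appears in the lockfile on stdin
# and every one of its entries resolved to VERSION; report strays on stderr.
check_pinned() {
  pkg="$1"; want="$2"; found=0; bad=0
  for v in $(lockfile_versions "$pkg"); do
    found=1
    if [ "$v" != "$want" ]; then
      bad=1
      echo "$pkg resolved to $v, expected $want" >&2
    fi
  done
  [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Demo run: the pre-resolution lockfile fails the gate, the post-resolution
# one passes.
if printf '%s' "$LOCK_BEFORE" | check_pinned qs 6.14.1; then
  echo "before: pinned"; else echo "before: NOT pinned"; fi
if printf '%s' "$LOCK_AFTER" | check_pinned qs 6.14.1; then
  echo "after: pinned"; else echo "after: NOT pinned"; fi
```

In CI this would be run as `check_pinned qs 6.14.1 < src/rest-server/yarn.lock` (and the same for the other two services' lockfiles); it also fails when the package is absent from the lockfile, so a typo in the package name cannot pass silently.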


Comment on lines +13 to +14
RUN go get -u ./... && go mod tidy -compat=1.24


Copilot AI Jan 20, 2026


Using go get -u ./... in the build stage makes gosu's dependency tree unpinned and non-reproducible over time: future upstream releases could change or break builds in this image without any change in this repo. For a hardened, repeatable security build, consider explicitly pinning required module versions in go.mod (similar to how other modules are constrained elsewhere in the repo) instead of doing a blanket upgrade at build time.

Suggested change
RUN go get -u ./... && go mod tidy -compat=1.24

&& go mod edit -toolchain=go1.24.0 \
&& go mod tidy -compat=1.24

RUN go get -u ./... && go mod tidy -compat=1.24

Copilot AI Jan 20, 2026


Here as well, go get -u ./... upgrades all gosu dependencies on every build, which can silently change the resulting binary over time and potentially break the image or reintroduce vulnerabilities outside of your control. To keep the PostgreSQL gosu wrapper reproducible and auditable, it would be better to pin the desired dependency versions in go.mod and rely on go mod tidy rather than doing an unbounded go get -u during the Docker build.

Suggested change
RUN go get -u ./... && go mod tidy -compat=1.24
RUN go mod tidy -compat=1.24

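Both review threads make the same point: a `go get -u ./...` inside a Dockerfile means the gosu binary shipped in the Postgres and redis-monitoring images depends on whatever the module proxy serves on build day, so the same commit can yield different binaries and a later upstream release can reintroduce a vulnerability with no change in this repo. The script below is an added example, not code from this PR or the project: a small CI gate that scans Dockerfile text for unpinned Go module upgrades (`go get -u` and any `@latest` selector) and fails the build when one is present. The two Dockerfile snippets are constructed; the "after" variant uses the `go mod edit -toolchain` / `go mod tidy -compat` commands already in this PR plus `go mod verify`, and `example.com/dep@v1.2.3` is a placeholder for whichever module actually needs pinning. Function names are mine.

```shell
#!/bin/sh
# Added example, not part of this PR: a CI gate that reads Dockerfile text on
# stdin and flags build steps that upgrade Go modules without a pin, so the
# produced binary cannot silently change between builds of the same commit.

# Constructed "before": the blanket upgrade the review comments object to.
DOCKERFILE_BEFORE='FROM golang:1.24.11-alpine3.21 AS build
WORKDIR /src/gosu
RUN go get -u ./... && go mod tidy -compat=1.24
RUN CGO_ENABLED=0 go build -o /artifacts/gosu .'

# Constructed "after": toolchain and the required module version are stated
# explicitly, tidy reconciles go.mod/go.sum, and "go mod verify" checks the
# downloaded modules against go.sum. example.com/dep@v1.2.3 is a placeholder.
DOCKERFILE_AFTER='FROM golang:1.24.11-alpine3.21 AS build
WORKDIR /src/gosu
RUN go mod edit -toolchain=go1.24.0 \
 && go mod edit -require=example.com/dep@v1.2.3 \
 && go mod tidy -compat=1.24 \
 && go mod verify
RUN CGO_ENABLED=0 go build -o /artifacts/gosu .'

# unpinned_upgrade_lines: print "N:line" for every offending line on stdin.
# Matches "go get" followed by -u (blanket upgrade) and any "@latest" selector.
unpinned_upgrade_lines() {
  grep -n -E -e 'go get[^&|;]* -u( |=|$)' -e '@latest' || true
}

# count_unpinned: number of offending lines on stdin (0 when clean).
count_unpinned() {
  unpinned_upgrade_lines | grep -c . || true
}

# lint_go_pins NAME: exit 0 if the Dockerfile on stdin is clean, 1 otherwise,
# listing each offending line on stderr so the CI log shows what to fix.
# NAME is only used in the message; keep it free of "/" because of the sed below.
lint_go_pins() {
  hits=$(unpinned_upgrade_lines)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" | sed "s/^/$1: unpinned Go upgrade at line /" >&2
    return 1
  fi
  return 0
}

# Demo run over both constructed Dockerfiles: "before" is rejected, "after" passes.
printf '%s\n' "$DOCKERFILE_BEFORE" | lint_go_pins before && echo "before: clean"
printf '%s\n' "$DOCKERFILE_AFTER" | lint_go_pins after && echo "after: clean"
```

Wired into CI as `for f in src/*/build/*.dockerfile; do lint_go_pins "$f" < "$f" || fail=1; done`, this catches the two occurrences flagged in this review and any future one; pairing it with a committed go.sum and `go mod verify` in the build stage is what makes the gosu binary reproducible from the repo contents alone.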