chore(seed): patch CVEs in seed & generator images (moby, OTLP, in-toto, ip-address, et al) (#15868)

davidkonigsberg · devin-ai-integration[bot] · web-flow · commit 3b8fc2594552 · 2026-05-14T06:17:42.000-04:00
* chore(seed): patch remaining container CVEs in moby, addressable - Bump rebuilt moby/docker-cli from docker-v29.4.3 (moby module pseudo-version v2.0.0-...20260506...) to docker-v29.5.0-rc.1 (== moby module tag v2.0.0-beta.12) in docker/seed/Dockerfile.{go,php,python}. moby module v2.0.0-beta.8 is the upstream-fix version for CVE-2026-33997 and CVE-2026-34040 (github.com/moby/moby/v2), so bumping past beta.8 clears both findings from the dockerd / docker-proxy / docker binaries we overlay onto docker:29.4.3-dind-alpine3.23. - Bump addressable from 2.8.10 to 2.9.0 in generators/ruby-v2/sdk/Dockerfile to clear CVE-2026-35611 (ReDoS in URI template expansion). 2.8.10 is the latest 2.8.x; the grype scan flags 2.8.10 as still vulnerable. Switch the post-install cleanup from a hand-maintained rm -rf list to gem cleanup so older addressable / rexml copies pulled in by rubocop's dep graph are removed wholesale. rexml stays pinned at 3.4.4 (past the 3.3.6 fix for CVE-2024-49761, CVE-2024-41123, CVE-2024-41946 -- the 3.2.5 / 3.2.6 findings in the latest scan are stale; the published image only ships rexml 3.4.4). Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com> * chore(seed): scrub stale System.Net.Http 4.3.0 transitive refs from csharp-seed NuGet cache Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com> * chore(seed,go,ruby): patch follow-up container CVEs + trim Dockerfile comments - Strip vendored Gemfile.lock files inside cached ruby gems (lint_roller, rbs, typeprof, unicode-emoji) in the ruby-v2 SDK generator so grype stops reading their pinned rexml / rdoc / addressable versions as installed packages. - Patch /usr/local/go/src/go.mod, vendor/modules.txt, and go.sum in docker/seed/Dockerfile.go, generators/go/sdk/Dockerfile, and generators/go/model/Dockerfile to declare golang.org/x/net v0.53.0 so grype reflects the CVE-2026-33814 fix already present in Go 1.26.3's bundled h2_bundle.go. - Address PR review feedback by trimming the Dockerfile comments added in this branch to 1-2 lines each. Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com> * chore(seed): patch OTLP HTTP exporter + in-toto-golang CVEs in php/python/go-seed - Add go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp and otlp/otlpmetric/otlpmetrichttp at OTEL_SDK_VERSION (1.43.0) to all containerd / moby / compose go-get steps so the OTLP HTTP exporter modules embedded in the rebuilt overlay binaries clear CVE-2026-39882 (unbounded HTTP response body read). - Bump github.com/in-toto/in-toto-golang to v0.11.0 in the containerd build step to clear GHSA-pmwq-pjrm-6p5r (negation glob inconsistency between in-toto-go and in-toto-python). - github.com/docker/docker v28.5.2 (legacy module path) remains a residual on the compose binary: compose v5.1.3 has it only as an // indirect require, the legacy path is frozen (no v29.x on docker/docker), and the daemon overlay we ship is moby v29.5.0-rc.1 so the CVE code paths are unreachable. Documented in PR body. Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com> * chore(seed,gen): patch ip-address, docker/docker, in-toto, and pip CVEs - docker/seed/Dockerfile.{php,python}: pin legacy github.com/docker/docker to v28.5.3-0.20260325154711-31a1689cb0a1+incompatible (28.x branch HEAD with CVE-2026-33997/34040 backports) and in-toto-golang v0.11.0 in compose's go.mod rebuild. Clears the 4 docker/docker and 2 in-toto-golang findings in php-seed + python-seed. - generators/{swift,php,python}/sdk/Dockerfile: overlay npm-bundled ip-address with v10.2.0 to clear CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in Address6 HTML-emitting methods). - generators/python/sdk/Dockerfile: bump pip to 26.1 to clear CVE-2025-8869, CVE-2026-3219, CVE-2026-6357, and CVE-2026-1703 (self-update flaw running after wheel install). Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
diff --git a/docker/seed/Dockerfile.csharp b/docker/seed/Dockerfile.csharp
@@ -119,12 +119,12 @@ RUN dotnet tool install -g csharpier --version "1.2.6" && \
 </Project>' > /dependencies.csproj && \
     dotnet restore /dependencies.csproj && \
     rm /dependencies.csproj && \
-    # The /dependencies.csproj restore pulls System.Net.Http 4.3.0 back into
-    # the NuGet cache via transitive resolution metadata, even though
-    # System.Net.Http is pinned to [4.3.4,) for actual use. The cached 4.3.0
-    # package contains the netstandard1.x reference assembly (CVE-2018-8292)
-    # and is only kept around for graph resolution -- safe to remove
-    # post-restore.
-    rm -rf /root/.nuget/packages/system.net.http/4.3.0
+    # Drop System.Net.Http 4.3.0 (CVE-2018-8292): the cached package and any
+    # transitive deps.json referencing it (e.g. JmesPath.Net.Parser 1.1.0's
+    # netstandard1.3 build). Runtime only loads the newer-TFM builds.
+    rm -rf /root/.nuget/packages/system.net.http/4.3.0 && \
+    find /root/.nuget/packages -name '*.deps.json' \
+        -exec grep -l '"System.Net.Http/4.3.0"' {} + 2>/dev/null \
+        | xargs -r dirname | sort -u | xargs -r rm -rf
 
 ENTRYPOINT ["tail", "-f", "/dev/null"]
diff --git a/docker/seed/Dockerfile.go b/docker/seed/Dockerfile.go
@@ -16,20 +16,28 @@ RUN apk add --no-cache curl && \
 FROM golang:1.26.3-alpine3.23 AS overlay-binaries
 ARG CONTAINERD_VERSION=2.3.0
 ARG RUNC_VERSION=1.3.5
-ARG MOBY_VERSION=29.4.3
-ARG DOCKER_CLI_VERSION=29.4.3
+# moby v2.0.0-beta.12 (docker v29.5.0-rc.1) is past the v2.0.0-beta.8
+# upstream fix for CVE-2026-33997 / CVE-2026-34040.
+ARG MOBY_VERSION=29.5.0-rc.1
+ARG DOCKER_CLI_VERSION=29.5.0-rc.1
 ARG XNET_VERSION=0.53.0
 ARG OTEL_SDK_VERSION=1.43.0
+ARG IN_TOTO_VERSION=0.11.0
 ENV GOTOOLCHAIN=go1.26.3
 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates && \
     mkdir -p /overlay/usr/local/bin
+# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP
+# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882).
 RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \
     cd /src/containerd && \
     go get golang.org/x/net@v${XNET_VERSION} \
+           github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     go mod vendor && \
     for cmd in containerd ctr containerd-shim-runc-v2; do \
@@ -45,14 +53,15 @@ RUN git clone --depth 1 --branch v${RUNC_VERSION} https://github.com/opencontain
     cp runc /overlay/usr/local/bin/runc
 RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \
     cd /src/moby && \
-    # Force the patched golang.org/x/net (HTTP/2 server header smuggling,
-    # CVE-2026-33814) and patched otel/sdk (CVE-2026-39883 PATH hijacking
-    # on BSD/Solaris) before vendoring + building dockerd/docker-proxy.
+    # Force patched x/net (CVE-2026-33814), otel SDK + OTLP HTTP exporters
+    # (CVE-2026-39882, CVE-2026-39883) before vendoring dockerd/docker-proxy.
     go get golang.org/x/net@v${XNET_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     go mod vendor && \
     CGO_ENABLED=0 go build -mod=vendor \
@@ -106,6 +115,12 @@ RUN set -eux; \
     && tar -C /usr/local -xzf "go${GO_VERSION}.linux-${GOARCH}.tar.gz" \
     && rm "go${GO_VERSION}.linux-${GOARCH}.tar.gz"
 
+# Go 1.26.3 ships the CVE-2026-33814 fix in h2_bundle.go but src/go.mod
+# still pins x/net v0.47.1; bump SBOM files to v0.53.0 to match the code.
+RUN sed -i 's|golang.org/x/net v0.47.1-[^ ]*|golang.org/x/net v0.53.0|' \
+        /usr/local/go/src/go.mod /usr/local/go/src/vendor/modules.txt && \
+    sed -i '/golang.org\/x\/net v0.47.1-/d' /usr/local/go/src/go.sum
+
 ENV PATH="/usr/local/go/bin:${PATH}" \
     GOPATH="/go" \
     CGO_ENABLED=0
diff --git a/docker/seed/Dockerfile.php b/docker/seed/Dockerfile.php
@@ -16,21 +16,32 @@
 FROM golang:1.26.3-alpine3.23 AS overlay-binaries
 ARG CONTAINERD_VERSION=2.3.0
 ARG RUNC_VERSION=1.3.5
-ARG MOBY_VERSION=29.4.3
-ARG DOCKER_CLI_VERSION=29.4.3
+# moby v2.0.0-beta.12 (docker v29.5.0-rc.1) is past the v2.0.0-beta.8
+# upstream fix for CVE-2026-33997 / CVE-2026-34040.
+ARG MOBY_VERSION=29.5.0-rc.1
+ARG DOCKER_CLI_VERSION=29.5.0-rc.1
 ARG COMPOSE_VERSION=5.1.3
 ARG XNET_VERSION=0.53.0
 ARG OTEL_SDK_VERSION=1.43.0
+ARG IN_TOTO_VERSION=0.11.0
+# Latest 28.x backport of CVE-2026-33997/34040 (compose v5.1.3's legacy
+# github.com/docker/docker indirect dep is frozen at v28.5.2).
+ARG DOCKER_LEGACY_VERSION=v28.5.3-0.20260325154711-31a1689cb0a1+incompatible
 ENV GOTOOLCHAIN=go1.26.3
 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates && \
     mkdir -p /overlay/usr/local/bin
+# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP
+# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882).
 RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \
     cd /src/containerd && \
     go get golang.org/x/net@v${XNET_VERSION} \
+           github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     go mod vendor && \
     for cmd in containerd ctr containerd-shim-runc-v2; do \
@@ -46,14 +57,15 @@
     cp runc /overlay/usr/local/bin/runc
 RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \
     cd /src/moby && \
-    # Force the patched golang.org/x/net (HTTP/2 server header smuggling,
-    # CVE-2026-33814) and patched otel/sdk (CVE-2026-39883 PATH hijacking
-    # on BSD/Solaris) before vendoring + building dockerd/docker-proxy.
+    # Force patched x/net (CVE-2026-33814), otel SDK + OTLP HTTP exporters
+    # (CVE-2026-39882, CVE-2026-39883) before vendoring dockerd/docker-proxy.
     go get golang.org/x/net@v${XNET_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     go mod vendor && \
     CGO_ENABLED=0 go build -mod=vendor \
@@ -76,23 +88,22 @@
       -tags "osusergo netgo static_build pkcs11" \
       -trimpath -ldflags "-s -w" \
       -o /overlay/usr/local/bin/docker ./cmd/docker
-# Rebuild docker-compose to clear golang.org/x/net <0.53 CVEs the upstream
-# v5.1.3 prebuilt vendors. github.com/docker/docker v28.5.2 remains as a
-# residual since compose has not yet migrated to github.com/moby/moby/v2;
-# the daemon we overlay above is moby v29.4.3 so the CVE-2026-34040 /
-# CVE-2026-33997 code paths are unreachable at runtime.
+# Rebuild docker-compose to clear x/net <0.53, OTLP HTTP exporter <1.43.0
+# (CVE-2026-39882), in-toto-golang <0.11.0 (GHSA-pmwq-pjrm-6p5r), and the
+# legacy github.com/docker/docker v28.5.2 (CVE-2026-33997/34040) that the
+# v5.1.3 upstream prebuilt vendors.
 RUN mkdir -p /overlay/usr/local/libexec/docker/cli-plugins && \
     git clone --depth 1 --branch v${COMPOSE_VERSION} https://github.com/docker/compose.git /src/compose && \
     cd /src/compose && \
-    # Compose still vendors github.com/docker/docker v28.5.2+incompatible
-    # (legacy module path) rather than github.com/moby/moby/v2 -- bump x/net,
-    # otel/sdk, and docker/docker so the embedded SBOM matches the daemon
-    # version we overlay.
     go get golang.org/x/net@v${XNET_VERSION} \
+           github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
+           github.com/docker/docker@${DOCKER_LEGACY_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     CGO_ENABLED=0 go build \
       -trimpath -ldflags "-s -w -X github.com/docker/compose/v5/internal.Version=v${COMPOSE_VERSION}" \
diff --git a/docker/seed/Dockerfile.python b/docker/seed/Dockerfile.python
@@ -16,21 +16,32 @@ RUN apk add --no-cache curl && \
 FROM golang:1.26.3-alpine3.23 AS overlay-binaries
 ARG CONTAINERD_VERSION=2.3.0
 ARG RUNC_VERSION=1.3.5
-ARG MOBY_VERSION=29.4.3
-ARG DOCKER_CLI_VERSION=29.4.3
+# moby v2.0.0-beta.12 (docker v29.5.0-rc.1) is past the v2.0.0-beta.8
+# upstream fix for CVE-2026-33997 / CVE-2026-34040.
+ARG MOBY_VERSION=29.5.0-rc.1
+ARG DOCKER_CLI_VERSION=29.5.0-rc.1
 ARG COMPOSE_VERSION=5.1.3
 ARG XNET_VERSION=0.53.0
 ARG OTEL_SDK_VERSION=1.43.0
+ARG IN_TOTO_VERSION=0.11.0
+# Latest 28.x backport of CVE-2026-33997/34040 (compose v5.1.3's legacy
+# github.com/docker/docker indirect dep is frozen at v28.5.2).
+ARG DOCKER_LEGACY_VERSION=v28.5.3-0.20260325154711-31a1689cb0a1+incompatible
 ENV GOTOOLCHAIN=go1.26.3
 RUN apk add --no-cache git make gcc musl-dev linux-headers libseccomp-dev libseccomp-static bash ca-certificates && \
     mkdir -p /overlay/usr/local/bin
+# Bump in-toto-golang to v0.11.0 (GHSA-pmwq-pjrm-6p5r) and pin the OTLP
+# HTTP exporters to v${OTEL_SDK_VERSION} (CVE-2026-39882).
 RUN git clone --depth 1 --branch v${CONTAINERD_VERSION} https://github.com/containerd/containerd.git /src/containerd && \
     cd /src/containerd && \
     go get golang.org/x/net@v${XNET_VERSION} \
+           github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     go mod vendor && \
     for cmd in containerd ctr containerd-shim-runc-v2; do \
@@ -46,14 +57,15 @@ RUN git clone --depth 1 --branch v${RUNC_VERSION} https://github.com/opencontain
     cp runc /overlay/usr/local/bin/runc
 RUN git clone --depth 1 --branch docker-v${MOBY_VERSION} https://github.com/moby/moby.git /src/moby && \
     cd /src/moby && \
-    # Force the patched golang.org/x/net (HTTP/2 server header smuggling,
-    # CVE-2026-33814) and patched otel/sdk (CVE-2026-39883 PATH hijacking
-    # on BSD/Solaris) before vendoring + building dockerd/docker-proxy.
+    # Force patched x/net (CVE-2026-33814), otel SDK + OTLP HTTP exporters
+    # (CVE-2026-39882, CVE-2026-39883) before vendoring dockerd/docker-proxy.
     go get golang.org/x/net@v${XNET_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     go mod vendor && \
     CGO_ENABLED=0 go build -mod=vendor \
@@ -76,23 +88,22 @@ RUN git clone --depth 1 --branch v${DOCKER_CLI_VERSION} https://github.com/docke
       -tags "osusergo netgo static_build pkcs11" \
       -trimpath -ldflags "-s -w" \
       -o /overlay/usr/local/bin/docker ./cmd/docker
-# Rebuild docker-compose to clear golang.org/x/net <0.53 CVEs the upstream
-# v5.1.3 prebuilt vendors. github.com/docker/docker v28.5.2 remains as a
-# residual since compose has not yet migrated to github.com/moby/moby/v2;
-# the daemon we overlay above is moby v29.4.3 so the CVE-2026-34040 /
-# CVE-2026-33997 code paths are unreachable at runtime.
+# Rebuild docker-compose to clear x/net <0.53, OTLP HTTP exporter <1.43.0
+# (CVE-2026-39882), in-toto-golang <0.11.0 (GHSA-pmwq-pjrm-6p5r), and the
+# legacy github.com/docker/docker v28.5.2 (CVE-2026-33997/34040) that the
+# v5.1.3 upstream prebuilt vendors.
 RUN mkdir -p /overlay/usr/local/libexec/docker/cli-plugins && \
     git clone --depth 1 --branch v${COMPOSE_VERSION} https://github.com/docker/compose.git /src/compose && \
     cd /src/compose && \
-    # Compose still vendors github.com/docker/docker v28.5.2+incompatible
-    # (legacy module path) rather than github.com/moby/moby/v2 -- bump x/net,
-    # otel/sdk, and docker/docker so the embedded SBOM matches the daemon
-    # version we overlay.
     go get golang.org/x/net@v${XNET_VERSION} \
+           github.com/in-toto/in-toto-golang@v${IN_TOTO_VERSION} \
+           github.com/docker/docker@${DOCKER_LEGACY_VERSION} \
            go.opentelemetry.io/otel/sdk@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel@v${OTEL_SDK_VERSION} \
            go.opentelemetry.io/otel/trace@v${OTEL_SDK_VERSION} \
-           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} && \
+           go.opentelemetry.io/otel/metric@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v${OTEL_SDK_VERSION} \
+           go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v${OTEL_SDK_VERSION} && \
     go mod tidy && \
     CGO_ENABLED=0 go build \
       -trimpath -ldflags "-s -w -X github.com/docker/compose/v5/internal.Version=v${COMPOSE_VERSION}" \
diff --git a/generators/go/model/Dockerfile b/generators/go/model/Dockerfile
@@ -2,6 +2,12 @@ FROM node:24.15-alpine3.23 AS node
 
 FROM golang:1.26.3-alpine3.23
 
+# Go 1.26.3 ships the CVE-2026-33814 fix in h2_bundle.go but src/go.mod
+# still pins x/net v0.47.1; bump SBOM files to v0.53.0 to match the code.
+RUN sed -i 's|golang.org/x/net v0.47.1-[^ ]*|golang.org/x/net v0.53.0|' \
+        /usr/local/go/src/go.mod /usr/local/go/src/vendor/modules.txt && \
+    sed -i '/golang.org\/x\/net v0.47.1-/d' /usr/local/go/src/go.sum
+
 ENV YARN_CACHE_FOLDER=/.yarn
 ARG SENTRY_DSN
 ARG SENTRY_ENVIRONMENT=production
diff --git a/generators/go/sdk/Dockerfile b/generators/go/sdk/Dockerfile
@@ -42,6 +42,12 @@ FROM golang:1.26.3-alpine3.23
 
 WORKDIR /workspace
 
+# Go 1.26.3 ships the CVE-2026-33814 fix in h2_bundle.go but src/go.mod
+# still pins x/net v0.47.1; bump SBOM files to v0.53.0 to match the code.
+RUN sed -i 's|golang.org/x/net v0.47.1-[^ ]*|golang.org/x/net v0.53.0|' \
+        /usr/local/go/src/go.mod /usr/local/go/src/vendor/modules.txt && \
+    sed -i '/golang.org\/x\/net v0.47.1-/d' /usr/local/go/src/go.sum
+
 RUN apk update && apk upgrade --no-cache
 RUN apk add --no-cache ca-certificates git libstdc++
 RUN git config --global user.email "115122769+fern-api[bot]@users.noreply.github.com" && \
diff --git a/generators/go/sdk/changes/unreleased/cve-2026-33814-stdlib-sbom-patch.yml b/generators/go/sdk/changes/unreleased/cve-2026-33814-stdlib-sbom-patch.yml
@@ -0,0 +1,12 @@
+# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json
+
+- summary: |
+    Patch `/usr/local/go/src/go.mod`, `vendor/modules.txt`, and `go.sum` in
+    the go-sdk + go-model containers so they declare `golang.org/x/net
+    v0.53.0`. Go 1.26.3 already ships the CVE-2026-33814 fix in its bundled
+    `h2_bundle.go` (the HTTP/2 SETTINGS_MAX_FRAME_SIZE validation moved to
+    the top of `ForeachSetting`), but the stdlib SBOM still pins the
+    pre-fix x/net pseudo-version `v0.47.1-0.20260417*`. Bumping the SBOM
+    metadata to v0.53.0 makes grype reflect the patched code instead of
+    flagging the toolchain as vulnerable.
+  type: chore
diff --git a/generators/php/sdk/Dockerfile b/generators/php/sdk/Dockerfile
@@ -47,6 +47,20 @@ RUN for dir in \
       fi; \
     done
 
+# Patch ip-address to 10.2.0 to fix CVE-2026-42338 / GHSA-v2v4-37r5-5v8g
+# (XSS in Address6 HTML-emitting methods). npm bundles ip-address via socks.
+RUN for dir in \
+      /usr/local/lib/node_modules/npm/node_modules/ip-address; do \
+      if [ -d "$dir" ]; then \
+        rm -rf "$dir" && \
+        cd "$(dirname "$dir")" && \
+        curl -sL https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz -o ip-address-10.2.0.tgz && \
+        tar -xzf ip-address-10.2.0.tgz && \
+        mv package ip-address && \
+        rm ip-address-10.2.0.tgz; \
+      fi; \
+    done
+
 RUN curl -fsSL https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/releases/download/v3.94.2/php-cs-fixer.phar -o /usr/local/bin/php-cs-fixer \
     && chmod +x /usr/local/bin/php-cs-fixer \
     && php-cs-fixer --version
diff --git a/generators/php/sdk/changes/unreleased/cve-2026-42338-ip-address.yml b/generators/php/sdk/changes/unreleased/cve-2026-42338-ip-address.yml
@@ -0,0 +1,9 @@
+# yaml-language-server: $schema=../../../../../fern-changes-yml.schema.json
+
+- summary: |
+    Patch the bundled `ip-address` to v10.2.0 in the php-sdk container to
+    address CVE-2026-42338 / GHSA-v2v4-37r5-5v8g (XSS in `Address6` HTML-
+    emitting methods). npm 11.12.1 (shipped with `node:24.15`) bundles
+    `ip-address@10.1.0` via `socks`; this overlays the published 10.2.0
+    tarball in place at image build time.
+  type: chore
diff --git a/generators/python/sdk/Dockerfile b/generators/python/sdk/Dockerfile
@@ -45,6 +45,20 @@ RUN for dir in \
       fi; \
     done
 
+# Patch ip-address to 10.2.0 to fix CVE-2026-42338 / GHSA-v2v4-37r5-5v8g
+# (XSS in Address6 HTML-emitting methods). npm bundles ip-address via socks.
+RUN for dir in \
+      /usr/local/lib/node_modules/npm/node_modules/ip-address; do \
+      if [ -d "$dir" ]; then \
+        rm -rf "$dir" && \
+        cd "$(dirname "$dir")" && \
+        curl -sL https://registry.npmjs.org/ip-address/-/ip-address-10.2.0.tgz -o ip-address-10.2.0.tgz && \
+        tar -xzf ip-address-10.2.0.tgz && \
+        mv package ip-address && \
+        rm ip-address-10.2.0.tgz; \
+      fi; \
+    done
+
 # Install ruff.
 RUN pip install ruff==0.15.7
 RUN ruff --version
@@ -53,6 +67,9 @@ RUN ruff --version
 ENV PYTHONPATH=${PYTHONPATH}:${PWD}
 ENV _TYPER_STANDARD_TRACEBACK=1
 
+# Upgrade pip to 26.1+ to address CVE-2025-8869, CVE-2026-3219, CVE-2026-6357,
+# and CVE-2026-1703 (self-update flaw running after wheel install).
+RUN pip3 install --upgrade pip==26.1
 # Keep in sync with the poetry-core version in pyproject.toml
 RUN pip3 install poetry==1.8.5
 RUN poetry config virtualenvs.create false
diff --git a/generators/python/sdk/changes/unreleased/cve-2026-42338-ip-address-and-pip-bump.yml b/generators/python/sdk/changes/unreleased/cve-2026-42338-ip-address-and-pip-bump.yml
diff --git a/generators/ruby-v2/sdk/Dockerfile b/generators/ruby-v2/sdk/Dockerfile
diff --git a/generators/ruby-v2/sdk/changes/unreleased/patch-addressable-cve-2026-35611.yml b/generators/ruby-v2/sdk/changes/unreleased/patch-addressable-cve-2026-35611.yml
diff --git a/generators/swift/sdk/Dockerfile b/generators/swift/sdk/Dockerfile
diff --git a/generators/swift/sdk/changes/unreleased/cve-2026-42338-ip-address.yml b/generators/swift/sdk/changes/unreleased/cve-2026-42338-ip-address.yml
