Merge branch 'main' into dependabot/github_actions/docker/login-action-4.0.0

anthony-nhs · web-flow · commit 056631a9be19 · 2026-03-11T16:57:10.000Z
diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions
@@ -1,6 +1,6 @@
 shellcheck 0.11.0
 direnv 2.37.1
-actionlint 1.7.10
+actionlint 1.7.11
 ruby 3.3.0
 trivy 0.69.3
-yq 4.52.2
+yq 4.52.4
diff --git a/src/base_node/node_24/.devcontainer/.tool-versions b/src/base_node/node_24/.devcontainer/.tool-versions
@@ -1 +1 @@
-nodejs 24.13.0
+nodejs 24.14.0
diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
@@ -360,3 +360,30 @@ vulnerabilities:
     purls:
       - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
     expired_at: 2026-09-09
+  - id: CVE-2026-25679
+    statement: "url.Parse insufficiently validated the host/authority component and ac ..."
+    purls:
+      - "pkg:golang/stdlib@v1.16.15"
+      - "pkg:golang/stdlib@v1.23.4"
+      - "pkg:golang/stdlib@v1.24.4"
+      - "pkg:golang/stdlib@v1.24.9"
+      - "pkg:golang/stdlib@v1.25.5"
+      - "pkg:golang/stdlib@v1.25.7"
+      - "pkg:golang/stdlib@v1.26.0"
+    expired_at: 2026-09-11
+  - id: CVE-2026-27142
+    statement: "Actions which insert URLs into the content attribute of HTML meta tags ..."
+    purls:
+      - "pkg:golang/stdlib@v1.16.15"
+      - "pkg:golang/stdlib@v1.23.4"
+      - "pkg:golang/stdlib@v1.24.4"
+      - "pkg:golang/stdlib@v1.24.9"
+      - "pkg:golang/stdlib@v1.25.5"
+      - "pkg:golang/stdlib@v1.25.7"
+      - "pkg:golang/stdlib@v1.26.0"
+    expired_at: 2026-09-11
+  - id: CVE-2026-27137
+    statement: "When verifying a certificate chain which contains a certificate contai ..."
+    purls:
+      - "pkg:golang/stdlib@v1.26.0"
+    expired_at: 2026-09-11
diff --git a/src/common_node_24/.trivyignore.yaml b/src/common_node_24/.trivyignore.yaml
@@ -63,3 +63,33 @@ vulnerabilities:
     purls:
       - "pkg:npm/tar@7.5.1"
     expired_at: 2026-09-09
+  - id: CVE-2026-26996
+    statement: "minimatch: minimatch: Denial of Service via specially crafted glob patterns"
+    purls:
+      - "pkg:npm/minimatch@10.1.2"
+    expired_at: 2026-09-11
+  - id: CVE-2026-27903
+    statement: "minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns"
+    purls:
+      - "pkg:npm/minimatch@10.1.2"
+    expired_at: 2026-09-11
+  - id: CVE-2026-27904
+    statement: "minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions"
+    purls:
+      - "pkg:npm/minimatch@10.1.2"
+    expired_at: 2026-09-11
+  - id: CVE-2026-26960
+    statement: "tar: node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation"
+    purls:
+      - "pkg:npm/tar@7.5.7"
+    expired_at: 2026-09-11
+  - id: CVE-2026-29786
+    statement: "node-tar: hardlink path traversal via drive-relative linkpath"
+    purls:
+      - "pkg:npm/tar@7.5.7"
+    expired_at: 2026-09-11
+  - id: CVE-2026-31802
+    statement: "node-tar Symlink Path Traversal via Drive-Relative Linkpath"
+    purls:
+      - "pkg:npm/tar@7.5.7"
+    expired_at: 2026-09-11
diff --git a/src/languages/node_24_python_3_12/.devcontainer/.tool-versions b/src/languages/node_24_python_3_12/.devcontainer/.tool-versions
@@ -1,2 +1,2 @@
-python 3.12.12
+python 3.12.13
 poetry 2.3.2
diff --git a/src/languages/node_24_python_3_14_java_24/trivy.yaml b/src/languages/node_24_python_3_14_java_24/trivy.yaml
diff --git a/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/.tool-versions b/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/.tool-versions
@@ -0,0 +1,2 @@
+golang 1.24.13
+golangci-lint 2.11.3
diff --git a/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/Dockerfile b/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/Dockerfile
@@ -0,0 +1,39 @@
+ARG BASE_VERSION_TAG=latest
+ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${BASE_VERSION_TAG}
+
+FROM ${BASE_IMAGE}
+
+ARG SCRIPTS_DIR=/usr/local/share/eps
+ARG CONTAINER_NAME
+ARG MULTI_ARCH_TAG
+ARG BASE_VERSION_TAG
+ARG IMAGE_TAG
+ARG TARGETARCH
+
+ENV SCRIPTS_DIR=${SCRIPTS_DIR}
+ENV CONTAINER_NAME=${CONTAINER_NAME}
+ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
+ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
+ENV IMAGE_TAG=${IMAGE_TAG}
+ENV TARGETARCH=${TARGETARCH}
+
+LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
+LABEL org.opencontainers.image.version=${IMAGE_TAG}
+LABEL org.opencontainers.image.base.name=${BASE_IMAGE}
+LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
+
+USER root
+COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
+WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
+RUN ./root_install.sh
+
+USER vscode
+
+WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
+COPY .tool-versions /tmp/.tool-versions
+RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
+
+RUN ./vscode_install.sh
+
+# Switch back to root to install the devcontainer CLI globally
+USER root
diff --git a/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/devcontainer.json b/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/devcontainer.json
@@ -1,10 +1,10 @@
 // For format details, see https://aka.ms/devcontainer.json. For config options, see the
 // README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
 {
-    "name": "EPS Devcontainer node_24 python_3.14",
+    "name": "EPS Devcontainer node_24 python_3.14_golang_1.24",
     // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
     "build": {
-      "dockerfile": "../../../common_node_24/Dockerfile",
+      "dockerfile": "Dockerfile",
       "args": {
         "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
         "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
diff --git a/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/scripts/root_install.sh b/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/scripts/root_install.sh
diff --git a/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/scripts/vscode_install.sh b/src/projects/node_24_python_3_14_golang_1_24/.devcontainer/scripts/vscode_install.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -e
+
+asdf plugin add golang
+asdf plugin add golangci-lint
+
+asdf install
+
+# install cfn-lint
+pip install --user cfn-lint
diff --git a/src/projects/node_24_python_3_14_golang_1_24/.trivyignore.yaml b/src/projects/node_24_python_3_14_golang_1_24/.trivyignore.yaml
@@ -0,0 +1,21 @@
+vulnerabilities:
+  - id: CVE-2026-23949
+    statement: "jaraco.context: jaraco.context: Path traversal via malicious tar archives"
+    purls:
+      - "pkg:pypi/jaraco.context@5.3.0"
+    expired_at: 2026-08-12
+  - id: CVE-2026-24049
+    statement: "wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking"
+    purls:
+      - "pkg:pypi/wheel@0.45.1"
+    expired_at: 2026-08-12
+  - id: CVE-2026-25679
+    statement: "url.Parse insufficiently validated the host/authority component and ac ..."
+    purls:
+      - "pkg:golang/stdlib@v1.24.13"
+    expired_at: 2026-09-11
+  - id: CVE-2026-27142
+    statement: "Actions which insert URLs into the content attribute of HTML meta tags ..."
+    purls:
+      - "pkg:golang/stdlib@v1.24.13"
+    expired_at: 2026-09-11
diff --git a/src/projects/node_24_python_3_14_golang_1_24/trivy.yaml b/src/projects/node_24_python_3_14_golang_1_24/trivy.yaml
@@ -0,0 +1 @@
+ignorefile: "src/projects/node_24_python_3_14_golang_1_24/.trivyignore_combined.yaml"
diff --git a/src/projects/node_24_python_3_14_java_24/.devcontainer/.tool-versions b/src/projects/node_24_python_3_14_java_24/.devcontainer/.tool-versions
@@ -1,4 +1,2 @@
-python 3.14.3
-poetry 2.3.2
 java temurin-24.0.2+12
 maven 3.9.13
diff --git a/src/projects/node_24_python_3_14_java_24/.devcontainer/Dockerfile b/src/projects/node_24_python_3_14_java_24/.devcontainer/Dockerfile
@@ -0,0 +1,39 @@
+ARG BASE_VERSION_TAG=latest
+ARG BASE_IMAGE=ghcr.io/nhsdigital/eps-devcontainers/node_24_python_3_14:${BASE_VERSION_TAG}
+
+FROM ${BASE_IMAGE}
+
+ARG SCRIPTS_DIR=/usr/local/share/eps
+ARG CONTAINER_NAME
+ARG MULTI_ARCH_TAG
+ARG BASE_VERSION_TAG
+ARG IMAGE_TAG
+ARG TARGETARCH
+
+ENV SCRIPTS_DIR=${SCRIPTS_DIR}
+ENV CONTAINER_NAME=${CONTAINER_NAME}
+ENV MULTI_ARCH_TAG=${MULTI_ARCH_TAG}
+ENV BASE_VERSION_TAG=${BASE_VERSION_TAG}
+ENV IMAGE_TAG=${IMAGE_TAG}
+ENV TARGETARCH=${TARGETARCH}
+
+LABEL org.opencontainers.image.description="EPS devcontainer ${CONTAINER_NAME}:${IMAGE_TAG}"
+LABEL org.opencontainers.image.version=${IMAGE_TAG}
+LABEL org.opencontainers.image.base.name=${BASE_IMAGE}
+LABEL org.opencontainers.image.containerName=${CONTAINER_NAME}
+
+USER root
+COPY --chmod=755 scripts ${SCRIPTS_DIR}/${CONTAINER_NAME}
+WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
+RUN ./root_install.sh
+
+USER vscode
+
+WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}
+COPY .tool-versions /tmp/.tool-versions
+RUN cat /tmp/.tool-versions >> /home/vscode/.tool-versions
+
+RUN ./vscode_install.sh
+
+# Switch back to root to install the devcontainer CLI globally
+USER root
diff --git a/src/projects/node_24_python_3_14_java_24/.devcontainer/devcontainer.json b/src/projects/node_24_python_3_14_java_24/.devcontainer/devcontainer.json
@@ -0,0 +1,18 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
+{
+    "name": "EPS Devcontainer node_24 python_3.14_java_24",
+    // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+    "build": {
+      "dockerfile": "Dockerfile",
+      "args": {
+        "CONTAINER_NAME": "eps_devcontainer_${localEnv:CONTAINER_NAME}",
+        "MULTI_ARCH_TAG": "${localEnv:MULTI_ARCH_TAG}",
+        "BASE_VERSION_TAG": "${localEnv:BASE_VERSION_TAG}",
+        "IMAGE_TAG": "${localEnv:IMAGE_TAG}"
+      },
+      "context": "."
+    },
+    "features": {}
+  }
+  
diff --git a/src/projects/node_24_python_3_14_java_24/.devcontainer/scripts/root_install.sh b/src/projects/node_24_python_3_14_java_24/.devcontainer/scripts/root_install.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -e
+export DEBIAN_FRONTEND=noninteractive
+
+# clean up
+apt-get clean
+rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
diff --git a/src/projects/node_24_python_3_14_java_24/.devcontainer/scripts/vscode_install.sh b/src/projects/node_24_python_3_14_java_24/.devcontainer/scripts/vscode_install.sh
@@ -1,12 +1,9 @@
 #!/usr/bin/env bash
 set -e
 
-asdf plugin add python
-asdf plugin add poetry https://github.com/asdf-community/asdf-poetry.git
 asdf plugin add java
 asdf plugin add maven
 
-asdf install python
 asdf install
 
 # install cfn-lint
diff --git a/src/projects/node_24_python_3_14_java_24/.trivyignore.yaml b/src/projects/node_24_python_3_14_java_24/.trivyignore.yaml
diff --git a/src/projects/node_24_python_3_14_java_24/trivy.yaml b/src/projects/node_24_python_3_14_java_24/trivy.yaml
@@ -0,0 +1 @@
+ignorefile: "src/projects/node_24_python_3_14_java_24/.trivyignore_combined.yaml"

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-python 3.12.12`
	`1`	`+python 3.12.13`
`2`	`2`	`poetry 2.3.2`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+golang 1.24.13`
	`2`	`+golangci-lint 2.11.3`