chore(deps): update docker.io/library/eclipse-temurin docker tag to v25 #234

renovate · 2025-10-01T03:21:11Z

This PR contains the following updates:

Package	Type	Update	Change
docker.io/library/eclipse-temurin	final	major	`21-jre-noble` → `25-jre-noble`

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2025-10-01T03:24:49Z

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	4	0	0	0.03s
✅ DOCKERFILE	hadolint	1	0	0	0.34s
✅ JSON	jsonlint	6	0	0	0.37s
✅ JSON	npm-package-json-lint	yes	no	no	0.77s
✅ JSON	prettier	6	0	0	0.62s
✅ JSON	v8r	6	0	0	10.62s
✅ MARKDOWN	markdownlint	2	0	0	0.64s
✅ MARKDOWN	markdown-table-formatter	2	0	0	0.37s
✅ REPOSITORY	checkov	yes	no	no	33.49s
✅ REPOSITORY	dustilock	yes	no	no	0.13s
✅ REPOSITORY	gitleaks	yes	no	no	0.39s
✅ REPOSITORY	git_diff	yes	no	no	0.01s
❌ REPOSITORY	grype	yes	2	no	51.25s
⚠️ REPOSITORY	kics	yes	no	1	38.92s
✅ REPOSITORY	secretlint	yes	no	no	1.69s
✅ REPOSITORY	syft	yes	no	no	4.51s
❌ REPOSITORY	trivy	yes	2	no	12.57s
✅ REPOSITORY	trivy-sbom	yes	no	no	1.02s
✅ REPOSITORY	trufflehog	yes	no	no	6.09s
✅ YAML	prettier	10	0	0	0.59s
✅ YAML	v8r	10	0	0	7.54s
✅ YAML	yamllint	10	0	0	0.87s

Detailed Issues

❌ REPOSITORY / grype - 2 errors

error: A high vulnerability in npm package: glob, version 10.4.5 was found at: /package-lock.json

error: A high vulnerability in npm package: tar, version 7.4.3 was found at: /package-lock.json

error: 2 errors emitted

❌ REPOSITORY / trivy - 2 errors

error: Package: glob
Installed Version: 10.4.5
Vulnerability CVE-2025-64756
Severity: HIGH
Fixed Version: 11.1.0, 10.5.0
Link: [CVE-2025-64756](https://avd.aquasec.com/nvd/cve-2025-64756)
     ┌─ package-lock.json:1127:1
     │  
1127 │ ╭     "node_modules/minizlib/node_modules/glob": {
1128 │ │       "version": "10.4.5",
1129 │ │       "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
1130 │ │       "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
     · │
1145 │ │       }
1146 │ │     },
     │ ╰^
     │  
     = glob: glob: Command Injection Vulnerability via Malicious Filenames
     = Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> are used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.

error: Package: tar
Installed Version: 7.4.3
Vulnerability CVE-2026-23745
Severity: HIGH
Fixed Version: 7.5.3
Link: [CVE-2026-23745](https://avd.aquasec.com/nvd/cve-2026-23745)
     ┌─ package-lock.json:1616:1
     │  
1616 │ ╭     "node_modules/tar": {
1617 │ │       "version": "7.4.3",
1618 │ │       "resolved": "https://registry.npmjs.org/tar/-/tar-7.4.3.tgz",
1619 │ │       "integrity": "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==",
     · │
1631 │ │       }
1632 │ │     },
     │ ╰^
     │  
     = node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails t ...
     = node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

error: 2 errors emitted

⚠️ REPOSITORY / kics - 1 warning

warning: Dockerfile doesn't contain instruction 'HEALTHCHECK'
  ┌─ Dockerfile:1:1
  │
1 │ FROM docker.io/library/eclipse-temurin:25-jre-noble@sha256:ecbdcdbfae44ee61794a8ad36042b6b8e3c3124e5e9c171c3630fcd5ab856e33
  │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  │
  = Healthcheck Instruction Missing
  = Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working

warning: 1 warnings emitted

See detailed reports in MegaLinter artifacts

You could have the same capabilities but better runtime performances if you use a MegaLinter flavor:

oxsecurity/megalinter/flavors/[email protected] (88 linters)

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

Documentation: Custom Flavors
Command: npx [email protected] --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/library/eclipse-temurin:21-jre-noble@sha256:20e7f7288e1c18eebe8f06a442c9f7183342d9b022d3b9a9677cae2b558ddddd
+FROM docker.io/library/eclipse-temurin:25-jre-noble@sha256:d8dd4342b7dbb5a9c06d0499eecca86315346acc6a20026080642610344ceb2c


github-actions · 2026-01-16T04:47:05Z

Trivy image scan report

`ghcr.io/miracum/ig-build-tools:pr-234 (ubuntu 24.04)`

No Vulnerabilities found

No Misconfigurations found

`Java`

11 known vulnerabilities found (CRITICAL: 0 HIGH: 4 MEDIUM: 6 LOW: 1)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
`ch.qos.logback:logback-core`	CVE-2024-12798	MEDIUM	1.2.13	1.5.13, 1.3.15
`ch.qos.logback:logback-core`	CVE-2025-11226	MEDIUM	1.2.13	1.5.19, 1.3.16
`ch.qos.logback:logback-core`	CVE-2024-12801	LOW	1.2.13	1.5.13, 1.3.15
`com.nimbusds:nimbus-jose-jwt`	CVE-2025-53864	MEDIUM	9.37.3	10.0.2, 9.37.4
`commons-beanutils:commons-beanutils`	CVE-2025-48734	HIGH	1.9.4	1.11.0
`org.apache.commons:commons-lang3`	CVE-2025-48924	MEDIUM	3.14.0	3.18.0
`org.fhir:ucum`	CVE-2024-55887	HIGH	1.0.3	1.0.9
`org.hl7.fhir.publisher:org.hl7.fhir.publisher.cli`	CVE-2024-52807	HIGH	1.7.1	1.7.4
`org.hl7.fhir.publisher:org.hl7.fhir.publisher.cli`	CVE-2025-24363	MEDIUM	1.7.1	1.8.9
`org.hl7.fhir.publisher:org.hl7.fhir.publisher.core`	CVE-2024-52807	HIGH	1.7.1	1.7.4
`org.hl7.fhir.publisher:org.hl7.fhir.publisher.core`	CVE-2025-24363	MEDIUM	1.7.1	1.8.9

No Misconfigurations found

`Node.js`

1 known vulnerabilities found (HIGH: 1 MEDIUM: 0 LOW: 0 CRITICAL: 0)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
`glob`	CVE-2025-64756	HIGH	10.4.5	11.1.0, 10.5.0

No Misconfigurations found

`Ruby`

No Vulnerabilities found

No Misconfigurations found

`root/.dotnet/tools/.store/firely.terminal/3.4.0/firely.terminal/3.4.0/tools/net8.0/any/Firely.Terminal.deps.json`

No Vulnerabilities found

No Misconfigurations found

github-actions · 2026-01-19T21:52:23Z

Trivy image scan report

`ghcr.io/miracum/ig-build-tools:pr-234 (ubuntu 24.04)`

No Vulnerabilities found

No Misconfigurations found

`Java`

11 known vulnerabilities found (CRITICAL: 0 HIGH: 4 MEDIUM: 6 LOW: 1)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
`ch.qos.logback:logback-core`	CVE-2024-12798	MEDIUM	1.2.13	1.5.13, 1.3.15
`ch.qos.logback:logback-core`	CVE-2025-11226	MEDIUM	1.2.13	1.5.19, 1.3.16
`ch.qos.logback:logback-core`	CVE-2024-12801	LOW	1.2.13	1.5.13, 1.3.15
`com.nimbusds:nimbus-jose-jwt`	CVE-2025-53864	MEDIUM	9.37.3	10.0.2, 9.37.4
`commons-beanutils:commons-beanutils`	CVE-2025-48734	HIGH	1.9.4	1.11.0
`org.apache.commons:commons-lang3`	CVE-2025-48924	MEDIUM	3.14.0	3.18.0
`org.fhir:ucum`	CVE-2024-55887	HIGH	1.0.3	1.0.9
`org.hl7.fhir.publisher:org.hl7.fhir.publisher.cli`	CVE-2024-52807	HIGH	1.7.1	1.7.4
`org.hl7.fhir.publisher:org.hl7.fhir.publisher.cli`	CVE-2025-24363	MEDIUM	1.7.1	1.8.9
`org.hl7.fhir.publisher:org.hl7.fhir.publisher.core`	CVE-2024-52807	HIGH	1.7.1	1.7.4
`org.hl7.fhir.publisher:org.hl7.fhir.publisher.core`	CVE-2025-24363	MEDIUM	1.7.1	1.8.9

No Misconfigurations found

`Node.js`

2 known vulnerabilities found (LOW: 0 CRITICAL: 0 HIGH: 2 MEDIUM: 0)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
`glob`	CVE-2025-64756	HIGH	10.4.5	11.1.0, 10.5.0
`tar`	CVE-2026-23745	HIGH	7.4.3	7.5.3

No Misconfigurations found

`Ruby`

No Vulnerabilities found

No Misconfigurations found