
fix(security): Upgrade Go runner to 1.26, fix Python CVEs, harden remaining DHI images#70

Merged
aron-muon merged 1 commit into aron-muon:main from nosportugal:fix-security-issues on May 28, 2026

Conversation

@gafda
Contributor

@gafda gafda commented May 28, 2026

Problem

Docker Scout scans revealed 18 HIGH-severity CVEs across KubeCodeRun images:

  1. Go runner binary (shared by all 12 language images) was compiled with Go 1.24 from golang:1.24-alpine (non-DHI). This introduced 9 Go stdlib CVEs into every language image.
  2. Python API dependencies had 8 HIGH CVEs across urllib3, python-multipart, and pyasn1.
  3. Node.js xlsx package had an unfixable ReDoS vulnerability (CVE-2024-22363) with no upstream patch.
  4. DHI gcc-14-base conflict prevented gfortran, r-base-core, and other packages from installing on DHI's debian-base:trixie-debian13-dev (DHI ships gcc-14-base=14.2.0-19dhi0 which conflicts with stock Debian's =14.2.0-19 requirement).
  5. PHP image used dhi.io/php directly as the base, which made it impossible to install additional system libraries needed by PHP extensions (equivs doesn't work cleanly on the PHP image).
  6. Build script did not pass the locally-built runner image to language builds, causing them to pull the default ghcr.io/aron-muon/kubecoderun-runner:latest (non-DHI, Go 1.24).

Solution

Runner: Go 1.24 → Go 1.26.3 (fixes 9 HIGH × 12 images = 108 CVE instances)

| File | Change |
|---|---|
| docker/runner/Dockerfile | golang:1.24-alpine → dhi.io/golang:1.26-debian13-dev |
| docker/runner/go.mod | go 1.24 → go 1.26.3 |

CVEs fixed: CVE-2026-42499, CVE-2026-39836, CVE-2026-39820, CVE-2026-33814, CVE-2026-33811, CVE-2026-32283, CVE-2026-32281, CVE-2026-32280, CVE-2026-25679

Python API: Dependency upgrades (fixes 8 HIGH CVEs)

| File | Change |
|---|---|
| pyproject.toml | python-multipart>=0.0.27, added urllib3>=2.7.0, added pyasn1>=0.6.3 |
| uv.lock | Regenerated (urllib3 2.3.0→2.7.0, python-multipart 0.0.21→0.0.29, pyasn1 0.6.1→0.6.3) |

Node.js: Remove unfixable package (fixes 1 HIGH CVE)

| File | Change |
|---|---|
| docker/requirements/nodejs.txt | Removed xlsx (CVE-2024-22363, ReDoS, no upstream fix); exceljs already provides equivalent functionality |

DHI gcc-14-base conflict resolution

| File | Change |
|---|---|
| docker/fortran.Dockerfile | Equivs dummy package satisfies the gcc-14-base (= 14.2.0-19) constraint; installs gfortran-12 instead of gfortran |
| docker/r.Dockerfile | Same equivs approach; simplified from 2-stage to single-stage; installs r-base-core only (not r-base-dev) |
| docker/c-cpp.Dockerfile | Removed libgsl-dev, libblas-dev, liblapack-dev (they trigger the conflict; users needing BLAS/LAPACK can use the bash image) |

PHP image: Restructured to debian-base + PHP binary copy

| File | Change |
|---|---|
| docker/php.Dockerfile | Rewrote: copies PHP binaries from dhi.io/php:8.5.6-debian13-dev into dhi.io/debian-base:trixie-debian13-dev; adds libonig5 runtime dep + ldconfig |

Bash image: Added utilities

| File | Change |
|---|---|
| docker/bash.Dockerfile | Added bc (floating-point math), added yq v4.53.2 (YAML/JSON/XML processor, static Go binary) |

Build infrastructure

| File | Change |
|---|---|
| scripts/build-images.sh | Passes --build-arg RUNNER_IMAGE to all builds, ensuring language images use the locally-built DHI runner |

Remaining Known Issues

| Source | Severity | Notes |
|---|---|---|
| DHI python:3.13-debian13 base (3.13.13) | 1 CRITICAL + 2 HIGH | CVE-2026-6100, CVE-2026-3298, CVE-2026-4786 — affects only the API image |

Mitigation path (NOT DONE): Upgrade the API Dockerfile from dhi.io/python:3.13-debian13 to dhi.io/python:3.14-debian13 (ships Python 3.14.5, which patches all 3 CVEs). The project already declares requires-python = ">=3.13" so 3.14 is compatible. Alternatively, wait for DHI to publish a patched python:3.13.14+ image.

Testing

All 12 language images tested with Mandelbrot fractal generation:

| Language | Status | Time |
|---|---|---|
| Python | PASS | 146ms |
| JavaScript | PASS | 432ms |
| Go | PASS | 9,434ms |
| Java | PASS | 1,810ms |
| Rust | PASS | 1,429ms |
| C | PASS | 278ms |
| C++ | PASS | 654ms |
| Fortran | PASS | 339ms |
| R | PASS | 451ms |
| D | PASS | 939ms |
| PHP | PASS | 137ms |
| Bash | PASS | 493ms |

Docker Scout scan (post-rebuild): 0 CVEs on all language images.

* Add `bc` to bash Dockerfile for calculations.
* Include `yq` for YAML/JSON/XML/TOML processing in bash Dockerfile.
* Remove unnecessary scientific libraries from C/C++ Dockerfile.
* Resolve DHI gcc-14-base conflict in Fortran Dockerfile using equivs.
* Update PHP Dockerfile to use DHI debian-base and install necessary build dependencies.
* Install R packages as pre-compiled binaries from Posit Package Manager in R Dockerfile.
* Upgrade Node.js dependencies in requirements file.
* Update Go version in runner Dockerfile and go.mod.
* Upgrade Python dependencies in pyproject.toml and uv.lock.
@gafda gafda requested a review from aron-muon as a code owner May 28, 2026 09:19
Copilot AI review requested due to automatic review settings May 28, 2026 09:19
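The gcc-14-base conflict in the PR (problem 4 and the "DHI gcc-14-base conflict resolution" table) is a version-pin mismatch: the DHI base ships gcc-14-base 14.2.0-19dhi0, while the stock gfortran and r-base-core packages depend on gcc-14-base (= 14.2.0-19), so apt refuses to resolve them. The script below is an added example, not code from the KubeCodeRun repository or from this PR. It shows the equivs technique the PR describes: generate a control file for an empty shim package that Provides the pinned version, check the pin before building, and only then run equivs-build and apt. The shim package name (gcc-14-base-shim), its metadata, and the reliance on dpkg's versioned Provides satisfying an exact-version Depends are assumptions of this example, not details taken from the PR.

```sh
#!/bin/sh
# Added example; not from the KubeCodeRun repo or this PR.
# Builds an equivs shim so that packages pinned to gcc-14-base (= 14.2.0-19)
# install on a DHI debian-base image that ships gcc-14-base 14.2.0-19dhi0.
# Assumptions: shim name/metadata are made up here; a versioned Provides is
# treated by dpkg (>= 1.17.11) as satisfying an "=" dependency.
set -eu

# Exact version string the stock packages require (taken from the PR text).
PINNED_VERSION="14.2.0-19"

# Write an equivs control file for the shim into the file named by $2.
# $1 is the version the real packages are pinned to.
write_shim_control() {
  version="$1"
  out="$2"
  cat > "$out" <<EOF
Section: misc
Priority: optional
Standards-Version: 4.6.2
Package: gcc-14-base-shim
Version: ${version}
Architecture: all
Provides: gcc-14-base (= ${version})
Description: shim satisfying the gcc-14-base (= ${version}) pin
 Empty package; the hardened image's real gcc-14-base stays installed.
EOF
}

# Print the value of field $2 from the control file $1 (first match only).
control_field() {
  sed -n "s/^$2: //p" "$1" | head -n 1
}

# Return 0 when the shim's Provides line matches pin $2 exactly, 1 otherwise.
# Pre-flight check so a typo in the pin fails before a build is spent on it.
shim_provides_matches() {
  [ "$(control_field "$1" Provides)" = "gcc-14-base (= $2)" ]
}

# The flow as it would run inside a Dockerfile RUN step. The apt/equivs part
# only executes inside a Debian-based build; elsewhere it prints the control
# file so the generator can still be exercised.
install_with_shim() {
  workdir="$(mktemp -d)"
  write_shim_control "$PINNED_VERSION" "$workdir/gcc-14-base-shim"
  shim_provides_matches "$workdir/gcc-14-base-shim" "$PINNED_VERSION" || return 1
  if command -v apt-get >/dev/null 2>&1; then
    apt-get install -y --no-install-recommends equivs
    (cd "$workdir" && equivs-build gcc-14-base-shim)
    dpkg -i "$workdir"/gcc-14-base-shim_*.deb
    # gfortran-12 rather than gfortran, as the PR's fortran.Dockerfile does.
    apt-get install -y --no-install-recommends gfortran-12
    # Verify what apt actually resolved: the real gcc-14-base must still be
    # the DHI build, and the shim must be the only thing claiming 14.2.0-19.
    dpkg-query -W -f='${Package} ${Version}\n' gcc-14-base gcc-14-base-shim
  else
    echo "apt-get not available; generated control file only:"
    cat "$workdir/gcc-14-base-shim"
  fi
  rm -rf "$workdir"
}

# Run the full flow only when invoked as: sh shim.sh run
if [ "${1:-}" = "run" ]; then
  install_with_shim
fi
```

The shim is a deliberate lie to apt, so two checks matter: the dpkg-query line at the end confirms the DHI gcc-14-base (14.2.0-19dhi0) is still the installed runtime rather than a downgraded stock copy, and the pin constant must be re-verified whenever the DHI base image is bumped, since a new upstream gcc-14-base would make the shim satisfy a dependency that the real library no longer matches. This only works safely because both versions here are builds of the same upstream 14.2.0; the dhi0 suffix marks a rebuild, not a different compiler.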
Owner

@aron-muon aron-muon left a comment


Perfect thank you!

@aron-muon aron-muon merged commit 04d4ccc into aron-muon:main May 28, 2026
30 checks passed
@github-actions

🎉 This PR is included in version 3.6.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@gafda gafda deleted the fix-security-issues branch May 29, 2026 08:05