Docker: Fix CVEs in dependencies (#2675)

Signed-off-by: Viet Nguyen Duc <[email protected]>
SeleniumHQ · Feb 24, 2025 · 68cfb93 · 68cfb93
1 parent ceffc53
commit 68cfb93
Show file tree

Hide file tree

Showing 7 changed files with 18 additions and 13 deletions.
diff --git a/.github/workflows/release-chrome-versions.yml b/.github/workflows/release-chrome-versions.yml
@@ -60,6 +60,7 @@ jobs:
     runs-on: ubuntu-24.04
     permissions: write-all
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         browser-version: ${{ fromJSON(github.event.inputs.browser-versions)}}
@@ -106,8 +107,6 @@ jobs:
         run: |
           echo ${GRID_VERSION}
           echo "GRID_VERSION=${GRID_VERSION}" >> "$GITHUB_OUTPUT"
-      - name: Create CHANGELOG directory
-        run: mkdir -p ./CHANGELOG/${{ env.GRID_VERSION }}
       - name: Login Docker Hub
         run: docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD"
         env:

diff --git a/.github/workflows/release-edge-versions.yml b/.github/workflows/release-edge-versions.yml
@@ -60,6 +60,7 @@ jobs:
     runs-on: ubuntu-24.04
     permissions: write-all
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         browser-version: ${{ fromJSON(github.event.inputs.browser-versions)}}
@@ -106,8 +107,6 @@ jobs:
         run: |
           echo ${GRID_VERSION}
           echo "GRID_VERSION=${GRID_VERSION}" >> "$GITHUB_OUTPUT"
-      - name: Create CHANGELOG directory
-        run: mkdir -p ./CHANGELOG/${{ env.GRID_VERSION }}
       - name: Login Docker Hub
         run: docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD"
         env:
@@ -162,6 +161,8 @@ jobs:
           echo "GRID_VERSION=${GRID_VERSION}" >> $GITHUB_ENV
         env:
           GRID_VERSION: ${{ needs.deploy.outputs.GRID_VERSION }}
+      - name: Create CHANGELOG directory
+        run: mkdir -p ./CHANGELOG/${{ env.GRID_VERSION }}
       - name: Download results
         uses: actions/download-artifact@v4
         with:

diff --git a/.github/workflows/release-firefox-versions.yml b/.github/workflows/release-firefox-versions.yml
@@ -60,6 +60,7 @@ jobs:
     runs-on: ubuntu-24.04
     permissions: write-all
     strategy:
+      max-parallel: 1
       fail-fast: false
       matrix:
         browser-version: ${{ fromJSON(github.event.inputs.browser-versions)}}
@@ -106,8 +107,6 @@ jobs:
         run: |
           echo ${GRID_VERSION}
           echo "GRID_VERSION=${GRID_VERSION}" >> "$GITHUB_OUTPUT"
-      - name: Create CHANGELOG directory
-        run: mkdir -p ./CHANGELOG/${{ env.GRID_VERSION }}
       - name: Login Docker Hub
         run: docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD"
         env:
@@ -162,6 +161,8 @@ jobs:
           echo "GRID_VERSION=${GRID_VERSION}" >> $GITHUB_ENV
         env:
           GRID_VERSION: ${{ needs.deploy.outputs.GRID_VERSION }}
+      - name: Create CHANGELOG directory
+        run: mkdir -p ./CHANGELOG/${{ env.GRID_VERSION }}
       - name: Download results
         uses: actions/download-artifact@v4
         with:

diff --git a/Base/Dockerfile b/Base/Dockerfile
@@ -9,11 +9,11 @@ ARG RELEASE=selenium-${VERSION}
 ARG MVN_SELENIUM_VERSION
 # Default value should be aligned with upstream Selenium (https://github.com/SeleniumHQ/selenium/blob/trunk/MODULE.bazel)
 ARG OPENTELEMETRY_VERSION=1.46.0
-ARG GRPC_VERSION=1.69.0
-ARG NETTY_VERSION=4.1.117.Final
+ARG GRPC_VERSION=1.70.0
+ARG NETTY_VERSION=4.1.118.Final
 ARG CS_VERSION=2.1.18
 ARG POSTGRESQL_VERSION=42.7.5
-ARG ENVSUBST_VERSION=1.4.2
+ARG ENVSUBST_VERSION=1.4.2-patch.124
 
 #Arguments to define the user running Selenium
 ARG SEL_USER=seluser
@@ -122,6 +122,8 @@ RUN --mount=type=secret,id=SEL_PASSWD \
         io.opentelemetry:opentelemetry-exporter-otlp:${OPENTELEMETRY_VERSION} \
         io.grpc:grpc-netty:${GRPC_VERSION} \
         io.netty:netty-codec-http:${NETTY_VERSION} \
+        io.netty:netty-handler:${NETTY_VERSION} \
+        io.netty:netty-common:${NETTY_VERSION} \
         > /external_jars/.classpath.txt \
         && chmod 664 /external_jars/.classpath.txt \
         && java -jar /tmp/cs fetch --classpath --cache /external_jars \
@@ -159,7 +161,7 @@ COPY --chown="${SEL_UID}:${SEL_GID}" certs/tls.crt certs/tls.key certs/server.jk
 # Add envsubst binary
 #===================================================
 RUN ARCH=$(if [ "$(dpkg --print-architecture)" = "amd64" ]; then echo "x86_64"; else echo "$(dpkg --print-architecture)"; fi) \
-    && curl -fsSL https://github.com/a8m/envsubst/releases/download/v${ENVSUBST_VERSION}/envsubst-$(uname -s)-${ARCH} -o envsubst \
+    && curl -fsSL https://github.com/NDViet/envsubst/releases/download/v${ENVSUBST_VERSION}/envsubst-$(uname -s)-${ARCH} -o envsubst \
     && chmod +x envsubst \
     && mv envsubst /usr/local/bin \
     && ln -sf /usr/local/bin/envsubst /usr/bin/envsubst

diff --git a/tests/build-backward-compatible/bootstrap.sh b/tests/build-backward-compatible/bootstrap.sh
@@ -24,6 +24,8 @@ IFS=',' read -ra VERSION_LIST <<< "$CDP_VERSIONS"
 
 mkdir -p CHANGELOG/${SELENIUM_VERSION}
 
+python3 tests/build-backward-compatible/fetch_version.py
+
 for CDP_VERSION in "${VERSION_LIST[@]}"; do
   python3 tests/build-backward-compatible/builder.py ${SELENIUM_VERSION} ${CDP_VERSION} ${BROWSER}
   export $(cat .env | xargs)

diff --git a/tests/build-backward-compatible/browser-matrix.yml b/tests/build-backward-compatible/browser-matrix.yml
@@ -1,7 +1,7 @@
 matrix:
   browser:
     '135':
-      FIREFOX_VERSION: null
+      FIREFOX_VERSION: 135.0.1
       FIREFOX_DOWNLOAD_URL: https://download-installer.cdn.mozilla.net/pub/firefox/nightly/2025/01/2025-01-06-09-47-46-mozilla-central/firefox-135.0a1.en-US.linux-aarch64.deb
       FIREFOX_PLATFORMS: linux/amd64,linux/arm64
     '134':

diff --git a/tests/charts/make/chart_setup_env.sh b/tests/charts/make/chart_setup_env.sh
@@ -171,9 +171,9 @@ GOBIN=$HOME/go/bin go install github.com/norwoodj/helm-docs/cmd/helm-docs@latest
 $HOME/go/bin/helm-docs -h || true
 echo "==============================="
 echo "Installing envsubst for AMD64 / ARM64"
-ENVSUBST_VERSION="v1.4.2"
+ENVSUBST_VERSION="1.4.2-patch.124"
 ARCH=$(if [ "$(dpkg --print-architecture)" = "amd64" ]; then echo "x86_64"; else echo "$(dpkg --print-architecture)"; fi)
-curl -fsSL https://github.com/a8m/envsubst/releases/download/${ENVSUBST_VERSION}/envsubst-$(uname -s)-${ARCH} -o envsubst
+curl -fsSL https://github.com/NDViet/envsubst/releases/download/v${ENVSUBST_VERSION}/envsubst-$(uname -s)-${ARCH} -o envsubst
 chmod +x envsubst
 sudo mv envsubst /usr/local/bin
 sudo ln -sf /usr/local/bin/envsubst /usr/bin/envsubst