Skip to content

[base-alpine] Use official git feature instead of local build #1763

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
abdurriq merged 2 commits into from
Feb 3, 2026
Merged

[base-alpine] Use official git feature instead of local build #1763

abdurriq merged 2 commits into from
Feb 3, 2026
+10 −48

Conversation

@shokkunrf
Copy link
Contributor

@shokkunrf shokkunrf commented Jan 29, 2026

Ref

Target Image

  • base-alpine

Description of changes

  • Replace local git build script with official ghcr.io/devcontainers/features/git:1 feature, same as base-debian
  • The local git build script was likely introduced in PR Update 'git' to '2.39.1' due to CVE-2022-41903 & CVE-2022-23521 #331 to address CVE-2022-41903 and CVE-2022-23521
  • The official git feature now provides the same capability (building from source), so the local build script is no longer necessary

Changelog

  • Updated src/base-alpine/.devcontainer/devcontainer.json to use official git feature
  • Removed src/base-alpine/.devcontainer/local-features/git/ directory
  • Bumped version in src/base-alpine/manifest.json (3.0.1 → 3.0.2)

Verification

  • Devcontainer builds successfully
  • Git 2.52.0 installed at /usr/local/bin/git

@shokkunrf shokkunrf requested a review from a team as a code owner January 29, 2026 17:49
Copilot AI review requested due to automatic review settings January 29, 2026 17:49
Copilot AI reviewed Jan 29, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR modernizes the base-alpine image by replacing a local git build script with the official ghcr.io/devcontainers/features/git:1 feature. The local script was originally added to address git security vulnerabilities, but the official feature now provides equivalent functionality with better maintainability.

Changes:

  • Switched from local git feature to official devcontainers git feature
  • Removed local git build script and configuration files
  • Bumped patch version from 3.0.1 to 3.0.2

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
src/base-alpine/manifest.json Bumped version from 3.0.1 to 3.0.2
src/base-alpine/.devcontainer/devcontainer.json Replaced local git feature reference with official git feature configuration
src/base-alpine/.devcontainer/devcontainer-lock.json Added lock entry for official git feature
src/base-alpine/.devcontainer/local-features/git/install.sh Removed local git build script
src/base-alpine/.devcontainer/local-features/git/devcontainer-feature.json Removed local git feature metadata

@shokkunrf
Copy link
Contributor Author

shokkunrf commented Jan 30, 2026

@microsoft-github-policy-service agree

@abdurriq abdurriq merged commit 02294e7 into devcontainers:main Feb 3, 2026
2 checks passed
@abdurriq
Copy link
Contributor

abdurriq commented Feb 3, 2026

Thank you for catching and improving this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@abdurriq abdurriq abdurriq approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@shokkunrf @abdurriq @Kaniska244