Dec. 2025 security update

[hippogr]

Dec. 2025 security update

[Copilot]

Pull request overview

This pull request implements a comprehensive December 2025 security update across multiple components of the system, updating Docker, Go toolchains, Node.js dependencies, and Python packages to address security vulnerabilities.

Key Changes:

• Update Docker and Docker Compose versions in webportal-dind installer
• Upgrade Go toolchains from 1.24.2/1.24.3 to 1.24.9 across multiple services
• Update Node.js dependencies including Express, body-parser, js-yaml, and validator
• Update Kubernetes dependencies and device plugin implementations
• Add security patches and upgrade pip before installing Python dependencies

Reviewed changes

Copilot reviewed 25 out of 31 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
src/webportal-dind/build/install.sh	Updates Docker, Docker Compose, and Buildx versions
src/watchdog/src/go.mod, src/watchdog/build/watchdog.common.dockerfile	Updates Go toolchain to 1.24.9
src/rest-server/yarn.lock, src/rest-server/package.json	Major dependency updates with version overrides
src/pylon/build/reverseproxy.common.dockerfile	Updates FRP version to 0.65.0 with multi-arch support
src/hivedscheduler/*	Updates Go toolchain and Kubernetes scheduler version
src/frameworkcontroller/*	Updates Go toolchain and removes unused dependencies
src/device-plugin/*	Rebuilds device plugins from source with updated dependencies
src/database-controller/src/package.json	Updates Express, body-parser, js-yaml with overrides
src/dashboard-data-backup/build/*	Adds pip upgrade before dependency installation
src/copilot-chat/src/requirements.txt	Adds fonttools security update
src/cluster-local-storage/build/*	Upgrades pip and adds urllib3 security patch
src/cluster-configuration/deploy/*	Updates Alpine base image to 3.21
src/alert-manager/*	Updates Express, nodemailer, and adds dependency overrides

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The package.json contains both "overrides" and "resolutions" fields with overlapping dependency version specifications. This creates redundancy and potential confusion. Consider consolidating these into a single mechanism (preferably "overrides" for npm/yarn 2+) or clearly documenting why both are needed.

Suggested change

	"mocha@* > glob": "10.5.0"
	},
	"resolutions": {
	"mocha@* > glob": "10.5.0",

[Copilot]

The FRP download URL uses the TARGETARCH variable directly, but FRP uses different architecture naming conventions. The TARGETARCH value for ARM is "arm64", but FRP releases typically use "amd64", "arm64", etc. You should add architecture mapping logic to ensure the correct FRP binary is downloaded for each platform (e.g., amd64 → amd64, arm64 → arm64). Without this, the build may fail for certain architectures.

[Copilot]

The curl invocation downloads and extracts the frp binary directly from GitHub without any integrity verification (checksum or signature) before incorporating it into the image. If the GitHub release, tag, or network path were compromised, an attacker could supply a malicious frpc binary that runs inside this reverse proxy container with its privileges. To harden the supply chain, pin to an immutable artifact (e.g., a specific release asset hash or commit) and verify its checksum or signature before extraction and use.

[Copilot]

These apk add commands install system packages from the Alpine edge/community repository over plain HTTP (http://dl-cdn.alpinelinux.org), which allows a network attacker to tamper with packages in transit. Because these packages are used to build and run a privileged device plugin, a man-in-the-middle on the build network could inject malicious binaries or libraries into the image. Switch the repository URL to HTTPS and ensure all package downloads use TLS so the packages are authenticated and protected from modification in transit.