fix: coder uv and sdkman setup #456
Merged
| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 6 | | 0 | 0 | 0.04s |
| ✅ DOCKERFILE | hadolint | 8 | | 0 | 0 | 0.56s |
| ✅ EDITORCONFIG | editorconfig-checker | 51 | | 0 | 0 | 0.03s |
| ✅ JSON | jsonlint | 6 | | 0 | 0 | 0.18s |
| ✅ JSON | prettier | 6 | | 0 | 0 | 0.52s |
| ✅ JSON | v8r | 6 | | 0 | 0 | 7.96s |
| ⚠️ MARKDOWN | markdownlint | 9 | | 6 | 0 | 0.83s |
| ✅ REPOSITORY | checkov | yes | | no | no | 22.35s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.43s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.01s |
| ⚠️ REPOSITORY | kics | yes | | no | 2 | 3.1s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 1.71s |
| ✅ REPOSITORY | syft | yes | | no | no | 8.17s |
| ⚠️ REPOSITORY | trivy | yes | | 11 | 5 | 12.87s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 1.66s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 13.76s |
| ✅ YAML | prettier | 9 | | 0 | 0 | 0.38s |
| ✅ YAML | v8r | 9 | | 0 | 0 | 7.76s |
| ✅ YAML | yamllint | 9 | | 0 | 0 | 0.31s |
Detailed Issues
⚠️ REPOSITORY / kics - 2 warnings
warning: The 'Dockerfile' contains the 'chown' flag
┌─ images/ml-on-fhir/Dockerfile:43:1
│
43 │ COPY --chown=${NB_UID}:${NB_GID} requirements.txt /tmp/
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
│
= Chown Flag Exists
= It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user; only execution permissions are required on the file, not ownership.
warning: The 'Dockerfile' contains the 'chown' flag
┌─ images/hive-metastore/Dockerfile:30:1
│
30 │ COPY --from=downloader --chown=0:0 /tmp/libs/*.jar /opt/hive/lib/
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
│
= Chown Flag Exists
= It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user; only execution permissions are required on the file, not ownership.
warning: 2 warnings emitted
⚠️ MARKDOWN / markdownlint - 6 errors
images/dsf-bpe-full/CHANGELOG.md:141 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "### Description"]
images/dsf-bpe-full/CHANGELOG.md:144 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "### Versions:"]
images/dsf-bpe-full/CHANGELOG.md:144:13 MD026/no-trailing-punctuation Trailing punctuation in heading [Punctuation: ':']
images/dsf-bpe-full/CHANGELOG.md:145 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "* DFN CA certificate chain fro..."]
images/dsf-bpe-full/CHANGELOG.md:151:31 MD039/no-space-in-links Spaces inside link text [Context: "["MII Data Transfer" process ]"]
images/dsf-bpe-full/CHANGELOG.md:152:30 MD039/no-space-in-links Spaces inside link text [Context: "["MII Data Sharing" process ]"]
⚠️ REPOSITORY / trivy - 11 errors
error: Package: @isaacs/brace-expansion
Installed Version: 5.0.0
Vulnerability CVE-2026-25547
Severity: HIGH
Fixed Version: 5.0.1
Link: [CVE-2026-25547](https://avd.aquasec.com/nvd/cve-2026-25547)
┌─ images/semantic-release/package-lock.json:3443:1
│
3443 │ ╭ "node_modules/npm/node_modules/@isaacs/brace-expansion": {
3444 │ │ "version": "5.0.0",
3445 │ │ "inBundle": true,
3446 │ │ "license": "MIT",
· │
3452 │ │ }
3453 │ │ },
│ ╰^
│
= brace-expansion: Denial of Service via unbounded brace range expansion
= @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
error: Package: glob
Installed Version: 10.4.5
Vulnerability CVE-2025-64756
Severity: HIGH
Fixed Version: 11.1.0, 10.5.0
Link: [CVE-2025-64756](https://avd.aquasec.com/nvd/cve-2025-64756)
┌─ images/semantic-release/package-lock.json:4800:1
│
4800 │ ╭ "node_modules/npm/node_modules/node-gyp/node_modules/glob": {
4801 │ │ "version": "10.4.5",
4802 │ │ "inBundle": true,
4803 │ │ "license": "ISC",
· │
4817 │ │ }
4818 │ │ },
│ ╰^
│
= glob: Command Injection Vulnerability via Malicious Filenames
= Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
error: Package: glob
Installed Version: 11.0.3
Vulnerability CVE-2025-64756
Severity: HIGH
Fixed Version: 11.1.0, 10.5.0
Link: [CVE-2025-64756](https://avd.aquasec.com/nvd/cve-2025-64756)
┌─ images/semantic-release/package-lock.json:4202:1
│
4202 │ ╭ "node_modules/npm/node_modules/glob": {
4203 │ │ "version": "11.0.3",
4204 │ │ "inBundle": true,
4205 │ │ "license": "ISC",
· │
4222 │ │ }
4223 │ │ },
│ ╰^
│
= glob: Command Injection Vulnerability via Malicious Filenames
= Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges. This issue has been patched in versions 10.5.0 and 11.1.0.
warning: Package: js-yaml
Installed Version: 4.1.0
Vulnerability CVE-2025-64718
Severity: MEDIUM
Fixed Version: 4.1.1, 3.14.2
Link: [CVE-2025-64718](https://avd.aquasec.com/nvd/cve-2025-64718)
┌─ images/semantic-release/package-lock.json:2874:1
│
2874 │ ╭ "node_modules/js-yaml": {
2875 │ │ "version": "4.1.0",
2876 │ │ "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz",
2877 │ │ "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==",
· │
2884 │ │ }
2885 │ │ },
│ ╰^
│
= js-yaml: js-yaml prototype pollution in merge
= js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
warning: Package: lodash
Installed Version: 4.17.21
Vulnerability CVE-2025-13465
Severity: MEDIUM
Fixed Version: 4.17.23
Link: [CVE-2025-13465](https://avd.aquasec.com/nvd/cve-2025-13465)
┌─ images/semantic-release/package-lock.json:2972:1
│
2972 │ ╭ "node_modules/lodash": {
2973 │ │ "version": "4.17.21",
2974 │ │ "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
2975 │ │ "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==",
2976 │ │ "license": "MIT"
2977 │ │ },
│ ╰^
│
= lodash: prototype pollution in _.unset and _.omit functions
= Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.
warning: Package: lodash-es
Installed Version: 4.17.21
Vulnerability CVE-2025-13465
Severity: MEDIUM
Fixed Version: 4.17.23
Link: [CVE-2025-13465](https://avd.aquasec.com/nvd/cve-2025-13465)
┌─ images/semantic-release/package-lock.json:2978:1
│
2978 │ ╭ "node_modules/lodash-es": {
2979 │ │ "version": "4.17.21",
2980 │ │ "resolved": "https://registry.npmjs.org/lodash-es/-/lodash-es-4.17.21.tgz",
2981 │ │ "integrity": "sha512-mKnC+QJ9pWVzv+C4/U3rRsHapFfHvQFoFB92e52xeyGMcX6/OlIl78je1u8vePzYZSkkogMPJ2yjxxsb89cxyw==",
2982 │ │ "license": "MIT"
2983 │ │ },
│ ╰^
│
= lodash: prototype pollution in _.unset and _.omit functions
= Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.
error: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2026-23745
Severity: HIGH
Fixed Version: 7.5.3
Link: [CVE-2026-23745](https://avd.aquasec.com/nvd/cve-2026-23745)
┌─ images/semantic-release/package-lock.json:5408:1
│
5408 │ ╭ "node_modules/npm/node_modules/tar": {
5409 │ │ "version": "7.5.1",
5410 │ │ "inBundle": true,
5411 │ │ "license": "ISC",
· │
5421 │ │ }
5422 │ │ },
│ ╰^
│
= node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
= node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
error: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2026-23950
Severity: HIGH
Fixed Version: 7.5.4
Link: [CVE-2026-23950](https://avd.aquasec.com/nvd/cve-2026-23950)
┌─ images/semantic-release/package-lock.json:5408:1
│
5408 │ ╭ "node_modules/npm/node_modules/tar": {
5409 │ │ "version": "7.5.1",
5410 │ │ "inBundle": true,
5411 │ │ "license": "ISC",
· │
5421 │ │ }
5422 │ │ },
│ ╰^
│
= node-tar: Arbitrary file overwrite via Unicode path collision race condition
= node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, in which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data, should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
error: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2026-24842
Severity: HIGH
Fixed Version: 7.5.7
Link: [CVE-2026-24842](https://avd.aquasec.com/nvd/cve-2026-24842)
┌─ images/semantic-release/package-lock.json:5408:1
│
5408 │ ╭ "node_modules/npm/node_modules/tar": {
5409 │ │ "version": "7.5.1",
5410 │ │ "inBundle": true,
5411 │ │ "license": "ISC",
· │
5421 │ │ }
5422 │ │ },
│ ╰^
│
= node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
= node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
warning: Package: tar
Installed Version: 7.5.1
Vulnerability CVE-2025-64118
Severity: MEDIUM
Fixed Version: 7.5.2
Link: [CVE-2025-64118](https://avd.aquasec.com/nvd/cve-2025-64118)
┌─ images/semantic-release/package-lock.json:5408:1
│
5408 │ ╭ "node_modules/npm/node_modules/tar": {
5409 │ │ "version": "7.5.1",
5410 │ │ "inBundle": true,
5411 │ │ "license": "ISC",
· │
5421 │ │ }
5422 │ │ },
│ ╰^
│
= node-tar: Information disclosure via reading a truncated tar file
= node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if the tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.
warning: Package: undici
Installed Version: 5.29.0
Vulnerability CVE-2026-22036
Severity: MEDIUM
Fixed Version: 7.18.2, 6.23.0
Link: [CVE-2026-22036](https://avd.aquasec.com/nvd/cve-2026-22036)
┌─ images/semantic-release/package-lock.json:7375:1
│
7375 │ ╭ "node_modules/undici": {
7376 │ │ "version": "5.29.0",
7377 │ │ "resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz",
7378 │ │ "integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==",
· │
7385 │ │ }
7386 │ │ },
│ ╰^
│
= undici: Denial of Service via excessive decompression steps
= Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
error: Artifact: images/apache-superset/Dockerfile
Type: dockerfile
Vulnerability DS017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS017](https://avd.aquasec.com/misconfig/ds017)
┌─ images/apache-superset/Dockerfile:8:1
│
8 │ ╭ RUN <<EOF
9 │
(Truncated to 13333 characters out of 16764)
See detailed reports in MegaLinter artifacts
You could have the same capabilities but better runtime performance if you use a MegaLinter flavor:
- oxsecurity/megalinter/flavors/[email protected] (54 linters)
- oxsecurity/megalinter/flavors/[email protected] (88 linters)
Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performance. (Skip this info by defining FLAVOR_SUGGESTIONS: false)
- Documentation: Custom Flavors
- Command:
npx [email protected] --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,EDITORCONFIG_EDITORCONFIG_CHECKER,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R
Trivy image scan report
| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| stdlib | CVE-2025-68121 | CRITICAL | v1.24.10 | 1.24.13, 1.25.7, 1.26.0-rc.3 |
| stdlib | CVE-2025-61726 | HIGH | v1.24.10 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61728 | HIGH | v1.24.10 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61729 | HIGH | v1.24.10 | 1.24.11, 1.25.5 |
| stdlib | CVE-2025-61730 | HIGH | v1.24.10 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61727 | MEDIUM | v1.24.10 | 1.24.11, 1.25.5 |
No Misconfigurations found
krane
6 known vulnerabilities found (CRITICAL: 1 HIGH: 4 MEDIUM: 1 LOW: 0)
| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| stdlib | CVE-2025-68121 | CRITICAL | v1.24.10 | 1.24.13, 1.25.7, 1.26.0-rc.3 |
| stdlib | CVE-2025-61726 | HIGH | v1.24.10 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61728 | HIGH | v1.24.10 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61729 | HIGH | v1.24.10 | 1.24.11, 1.25.5 |
| stdlib | CVE-2025-61730 | HIGH | v1.24.10 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61727 | MEDIUM | v1.24.10 | 1.24.11, 1.25.5 |
No Misconfigurations found
usr/bin/s5cmd
25 known vulnerabilities found (CRITICAL: 1 HIGH: 6 MEDIUM: 18 LOW: 0)
| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| stdlib | CVE-2025-68121 | CRITICAL | v1.22.10 | 1.24.13, 1.25.7, 1.26.0-rc.3 |
| stdlib | CVE-2025-47907 | HIGH | v1.22.10 | 1.23.12, 1.24.6 |
| stdlib | CVE-2025-58183 | HIGH | v1.22.10 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-61726 | HIGH | v1.22.10 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61728 | HIGH | v1.22.10 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61729 | HIGH | v1.22.10 | 1.24.11, 1.25.5 |
| stdlib | CVE-2025-61730 | HIGH | v1.22.10 | 1.24.12, 1.25.6 |
| stdlib | CVE-2024-45336 | MEDIUM | v1.22.10 | 1.22.11, 1.23.5, 1.24.0-rc.2 |
| stdlib | CVE-2024-45341 | MEDIUM | v1.22.10 | 1.22.11, 1.23.5, 1.24.0-rc.2 |
| stdlib | CVE-2025-0913 | MEDIUM | v1.22.10 | 1.23.10, 1.24.4 |
| stdlib | CVE-2025-22866 | MEDIUM | v1.22.10 | 1.22.12, 1.23.6, 1.24.0-rc.3 |
| stdlib | CVE-2025-22871 | MEDIUM | v1.22.10 | 1.23.8, 1.24.2 |
| stdlib | CVE-2025-22873 | MEDIUM | v1.22.10 | 1.23.9, 1.24.3 |
| stdlib | CVE-2025-4673 | MEDIUM | v1.22.10 | 1.23.10, 1.24.4 |
| stdlib | CVE-2025-47906 | MEDIUM | v1.22.10 | 1.23.12, 1.24.6 |
| stdlib | CVE-2025-47912 | MEDIUM | v1.22.10 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-58185 | MEDIUM | v1.22.10 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-58186 | MEDIUM | v1.22.10 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-58187 | MEDIUM | v1.22.10 | 1.24.9, 1.25.3 |
| stdlib | CVE-2025-58188 | MEDIUM | v1.22.10 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-58189 | MEDIUM | v1.22.10 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-61723 | MEDIUM | v1.22.10 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-61724 | MEDIUM | v1.22.10 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-61725 | MEDIUM | v1.22.10 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-61727 | MEDIUM | v1.22.10 | 1.24.11, 1.25.5 |
No Misconfigurations found
usr/local/bin/cosign
11 known vulnerabilities found (CRITICAL: 1 HIGH: 3 MEDIUM: 7 LOW: 0)
| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| github.com/sigstore/fulcio | CVE-2026-22772 | MEDIUM | v1.8.4 | 1.8.5 |
| github.com/sigstore/rekor | CVE-2026-23831 | MEDIUM | v1.4.3 | 1.5.0 |
| github.com/sigstore/rekor | CVE-2026-24117 | MEDIUM | v1.4.3 | 1.5.0 |
| github.com/sigstore/sigstore | CVE-2026-24137 | MEDIUM | v1.10.3 | 1.10.4 |
| github.com/theupdateframework/go-tuf/v2 | CVE-2026-23991 | MEDIUM | v2.3.0 | 2.3.1 |
| github.com/theupdateframework/go-tuf/v2 | CVE-2026-23992 | MEDIUM | v2.3.0 | 2.3.1 |
| github.com/theupdateframework/go-tuf/v2 | CVE-2026-24686 | MEDIUM | v2.3.0 | 2.4.1 |
| stdlib | CVE-2025-68121 | CRITICAL | v1.25.5 | 1.24.13, 1.25.7, 1.26.0-rc.3 |
| stdlib | CVE-2025-61726 | HIGH | v1.25.5 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61728 | HIGH | v1.25.5 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61730 | HIGH | v1.25.5 | 1.24.12, 1.25.6 |
No Misconfigurations found
usr/local/bin/crane
6 known vulnerabilities found (HIGH: 4 MEDIUM: 1 LOW: 0 CRITICAL: 1)
| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| stdlib | CVE-2025-68121 | CRITICAL | v1.24.10 | 1.24.13, 1.25.7, 1.26.0-rc.3 |
| stdlib | CVE-2025-61726 | HIGH | v1.24.10 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61728 | HIGH | v1.24.10 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61729 | HIGH | v1.24.10 | 1.24.11, 1.25.5 |
| stdlib | CVE-2025-61730 | HIGH | v1.24.10 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61727 | MEDIUM | v1.24.10 | 1.24.11, 1.25.5 |
No Misconfigurations found
usr/local/bin/helm
1 known vulnerability found (HIGH: 0 MEDIUM: 0 LOW: 0 CRITICAL: 1)
| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| stdlib | CVE-2025-68121 | CRITICAL | v1.25.6 | 1.24.13, 1.25.7, 1.26.0-rc.3 |
No Misconfigurations found
usr/local/bin/kubectl
4 known vulnerabilities found (CRITICAL: 1 HIGH: 3 MEDIUM: 0 LOW: 0)
| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| stdlib | CVE-2025-68121 | CRITICAL | v1.25.5 | 1.24.13, 1.25.7, 1.26.0-rc.3 |
| stdlib | CVE-2025-61726 | HIGH | v1.25.5 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61728 | HIGH | v1.25.5 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61730 | HIGH | v1.25.5 | 1.24.12, 1.25.6 |
No Misconfigurations found
usr/local/bin/mc
18 known vulnerabilities found (CRITICAL: 1 HIGH: 5 MEDIUM: 12 LOW: 0)
| Package | ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| golang.org/x/crypto | CVE-2025-47914 | MEDIUM | v0.40.0 | 0.45.0 |
| golang.org/x/crypto | CVE-2025-58181 | MEDIUM | v0.40.0 | 0.45.0 |
| stdlib | CVE-2025-68121 | CRITICAL | v1.24.6 | 1.24.13, 1.25.7, 1.26.0-rc.3 |
| stdlib | CVE-2025-58183 | HIGH | v1.24.6 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-61726 | HIGH | v1.24.6 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61728 | HIGH | v1.24.6 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-61729 | HIGH | v1.24.6 | 1.24.11, 1.25.5 |
| stdlib | CVE-2025-61730 | HIGH | v1.24.6 | 1.24.12, 1.25.6 |
| stdlib | CVE-2025-47912 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-58185 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-58186 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-58187 | MEDIUM | v1.24.6 | 1.24.9, 1.25.3 |
| stdlib | CVE-2025-58188 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-58189 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-61723 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-61724 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-61725 | MEDIUM | v1.24.6 | 1.24.8, 1.25.2 |
| stdlib | CVE-2025-61727 | MEDIUM | v1.24.6 | 1.24.11, 1.25.5 |
No Misconfigurations found
/home/coder/.sdkman/tmp/java-17.0.18-tem.headers.tmp
No Vulnerabilities found
No Misconfigurations found
/home/coder/.sdkman/tmp/java-21.0.9-tem.headers.tmp
No Vulnerabilities found
No Misconfigurations found
/home/coder/.sdkman/tmp/java-25.0.2-tem.headers.tmp
No Vulnerabilities found
No Misconfigurations found
No description provided.