RayLabsHQ/gitea-mirror v3.15.2

on GitHub

What's Changed

Security patch release — bumps runtime versions and resolves 13 of the 15 open CVEs flagged by Docker Scout.

Runtime bumps

• oven/bun base image: 1.3.10 → 1.3.12
• Go (used to rebuild git-lfs from source): 1.25.8 → 1.25.9
  • Resolves CVE-2026-32280, CVE-2026-32281, CVE-2026-32283 (Go stdlib TLS / DoS issues in git-lfs)

NPM dependency patches

• drizzle-orm → ^0.45.2 (CVE-2026-39356)
• defu override → ^6.1.7 (CVE-2026-35209)
• @xmldom/xmldom override → ^0.8.12 (CVE-2026-34601)
• picomatch override → ^4.0.4 (CVE-2026-33671, both direct and anymatch-nested copies)
• kysely override → ^0.28.16 (CVE-2026-33442, CVE-2026-33468)
• lodash override → ^4.18.1 (CVE-2026-4800)

System packages (Debian)

• openssl 3.5.5-1~deb13u1 → 3.5.5-1~deb13u2 via apt-get upgrade in the base stage (CVE-2026-28388, CVE-2026-28389, CVE-2026-28390)

Known residual

• CVE-2026-27135 (libnghttp2) — no upstream fix yet. Debian has not published a patched package. Will resolve automatically when it lands.

Verification

All 231 unit tests pass against the new dep set. bun run build succeeds.

Full Changelog: v3.15.1...v3.15.2