fix(docker): bump OPA and EOPA versions to address CVEs#906

Open
EliMoshkovich wants to merge 1 commit into master from PER-14697-bump-opa-eopa-fix-cves

Conversation

@EliMoshkovich EliMoshkovich commented May 4, 2026

Contributor

Summary

  • OPA: 1.9.0-static → 1.16.1-static — fixes CVE-2025-68121 (golang/stdlib@1.25.1, built with Go 1.26.2)
  • EOPA: v1.44.0 → v1.45.1 — bumped to latest available release

Resolved CVEs

| CVE | Image | Dependency | Fix |
|---|---|---|---|
| CVE-2025-68121 | permitio/opal-client | golang/stdlib@1.25.1 | OPA 1.16.1 built with Go 1.26.2 (>= required 1.25.7) |

Unresolved CVEs

| CVE | Image | Dependency | Required fix |
|---|---|---|---|
| CVE-2026-33815 | permitio/opal-client-eopa | jackc/pgx/v5@5.7.6 | pgx >= 5.9.0 |
| CVE-2026-33816 | permitio/opal-client-eopa | jackc/pgx/v5@5.7.6 | pgx >= 5.9.0 |

Why are these unresolved?
The pgx/v5 dependency is internal to Enterprise OPA (EOPA), which is a closed-source binary from Styra. Both EOPA v1.44.0 and v1.45.1 (latest available release with published binaries) ship pgx v5.7.6 — confirmed by inspecting the embedded Go module info (go version -m) in both binaries. A new EOPA release from Styra with updated dependencies is required to resolve these CVEs.

Test plan

  • Verify opal-client image builds successfully with OPA 1.16.1
  • Verify opal-client-eopa image builds successfully with EOPA v1.45.1
  • Run e2e tests to confirm OPA health check and data API work as expected
  • After build, rescan images with Docker Scout to confirm CVE-2025-68121 is resolved

🤖 Generated with Claude Code

- OPA: 1.9.0-static -> 1.16.1-static (fixes CVE-2025-68121, golang/stdlib)
- EOPA: v1.44.0 -> v1.45.1 (latest available release)

Note: CVE-2026-33815 and CVE-2026-33816 (jackc/pgx/v5@5.7.6) remain
unresolved — EOPA v1.45.1 still ships pgx v5.7.6 (fix requires >= 5.9.0).
A new EOPA release from Styra is needed.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
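
The check described above (confirming which pgx version a binary embeds with go version -m) as a small script, added here as an example that is not part of the OPAL repository or this PR. It reads captured go version -m output on stdin; the module path and fix threshold come from the table above, while the sample binary output and its main module path are constructed placeholders.

```shell
#!/bin/sh
# Added example: gate on a Go binary's embedded module list.
# Real use:  go version -m ./eopa | module_status github.com/jackc/pgx/v5 v5.9.0
# Lines of interest look like (tab-separated in real output):
#   dep   github.com/jackc/pgx/v5   v5.7.6   h1:...

# Numeric compare of two "vX.Y.Z" strings; prints -1, 0 or 1.
vercmp() {
  printf '%s\n%s\n' "$1" "$2" | awk '
    { sub(/^v/, ""); sub(/[-+].*$/, ""); split($0, p, ".")
      for (i = 1; i <= 3; i++) v[NR, i] = p[i] + 0 }
    END { for (i = 1; i <= 3; i++) {
            if (v[1, i] < v[2, i]) { print "-1"; exit }
            if (v[1, i] > v[2, i]) { print "1";  exit } }
          print "0" }'
}

# Reads `go version -m` output on stdin and prints one of:
#   "vulnerable <found>"  module embedded below the fix version (exit 1)
#   "fixed <found>"       module embedded at or above the fix version (exit 0)
#   "absent"              module not embedded at all (exit 0)
# The non-zero exit only for "vulnerable" lets CI fail the build.
module_status() {
  module="$1"; fix="$2"
  found=$(awk -v m="$module" '$1 == "dep" && $2 == m { print $3; exit }')
  if [ -z "$found" ]; then echo "absent"; return 0; fi
  if [ "$(vercmp "$found" "$fix")" -lt 0 ]; then
    echo "vulnerable $found"; return 1
  fi
  echo "fixed $found"; return 0
}

# Constructed sample mimicking `go version -m` for an EOPA-like binary
# (module path example.com/vendor/eopa is a placeholder, not the real one).
SAMPLE_MODINFO='eopa: go1.26.2
  path  example.com/vendor/eopa
  mod   example.com/vendor/eopa             v1.45.1  h1:AAAA
  dep   github.com/jackc/pgx/v5             v5.7.6   h1:BBBB
  dep   github.com/open-policy-agent/opa    v1.16.1  h1:CCCC
  build -buildmode=exe'

# Run the check on the sample; pipe `go version -m ./eopa` here instead.
printf '%s\n' "$SAMPLE_MODINFO" | module_status github.com/jackc/pgx/v5 v5.9.0 \
  || echo "pgx still below fix: a newer EOPA release is required"
```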

netlify Bot commented May 4, 2026


Deploy Preview for opal-docs canceled.

| Name | Link |
|---|---|
| 🔨 Latest commit | 724c93b |
| 🔍 Latest deploy log | https://app.netlify.com/projects/opal-docs/deploys/69f8db5448be3a000831c0bb |
