Update docker-compose dependencies #4469
Automated Review —
Code review
No issues found. Checked for bugs and CLAUDE.md compliance.
Upstream release notes (per REVIEW.md)
This PR bumps the
Notable bug fixes include race condition fixes in WAL replay, walsender shutdown improvements, and visibility map persistence during recovery. No regressions expected — this is a standard patch release. No dump/restore is required for users already on 18.x. The security fixes make this a recommended update. Full release notes: https://www.postgresql.org/docs/release/18.4/
4f22e07 to 9ac5e06
Reviewed the Upstream changes in this digest:
No regressions noted in the upstream release notes. No PII/secret exposure in the diff. This is a beneficial update — especially the replication and security fixes.
🤖 Generated with Claude Code
9ac5e06 to fa17234
Review:
fa17234 to 086b0e3
Reviewed: This digest update pulls in two upstream changes:
1. PostgreSQL 18.3 → 18.4 (2026-05-14)
A critical security maintenance release fixing 14 CVEs, including:
Bug fixes include replication stability improvements (walsender shutdown, slotsync workers, checkpoint/multixact races), query planner corrections, MERGE isolation fixes, and updated tzdata (2026b). No breaking changes or regressions reported. Dump/restore not required for existing 18.x users.
2. Alpine 3.22 → 3.24 base image (2026-06-10)
Standard Alpine base image refresh.
Diff review
Only
🤖 Generated with Claude Code
086b0e3 to 8556fac
Automated Review —
8556fac to fdda836
Dependency Bump Review —
| CVE | Summary |
|---|---|
| CVE-2026-6479 | Unbounded recursion in startup packets — malicious client crash |
| CVE-2026-6473 | Integer overflows in memory allocation (buffer overflows, potential code execution) |
| CVE-2026-6476 | SQL injection in pg_createsubscriber |
| CVE-2026-6638 | SQL injection in logical replication origin checks |
| CVE-2026-6474 | Malicious time zone names causing crashes or memory disclosure |
| CVE-2026-6472 | Missing privilege check on multirange types |
| CVE-2026-6478 | Timing-safe string comparisons in authentication |
| CVE-2026-6477 | PQfn() buffer overflow risk (now deprecated) |
| CVE-2026-6475 | Path traversal in pg_basebackup / pg_rewind |
| CVE-2026-6637 | SQL injection in contrib/spi check_foreign_key() |
| CVE-2026-6575 | Faulty input in attribute MCV statistics restoration |
Notable bug fixes relevant to PeerDB
- Replication fixes: slotsync worker blocking standby promotion, walsender shutdown hangs, excessive slotsync logging, free space map persistence during recovery, visibility map bloating during incremental backup restore, pg_stat_replication premature NULL lag reporting
- Query correctness: nondeterministic collation handling, array_agg combining with null bitmaps, generated column fixes
- Stability: parallel btree scan memory under-allocation, DSA page map sizing, multixact array indexing, pglz decompression buffer overread
Regression risk
- PQfn() deprecation: Not used by PeerDB — no impact.
- Foreign key deferrability fix: Only affects keys toggled between ENFORCED/NOT ENFORCED — unlikely to affect PeerDB's catalog schema.
- Collation behavior changes: Results are now more correct — no negative regression expected.
Verdict
No regressions identified. This is a security-critical update with 11 CVE fixes. The diff is limited to digest hash changes in docker-compose.yml and docker-compose-dev.yml. No PII or secret exposure. Safe to merge.
🤖 Generated with Claude Code
fdda836 to 6cd9f84
Review:
6cd9f84 to a70af69
Review: postgres:18-alpine digest bump
Reviewed the digest bump from
PII/Secret check
No concerns — the change is limited to Docker image digest strings. No logging, stdout, or stderr changes.
Upstream changes in bumped range
This digest bump likely brings PostgreSQL 18.3/18.4 security and bug fixes on Alpine 3.23:
PostgreSQL 18.4 (May 2026) — 12 CVEs fixed:
PostgreSQL 18.3 (Feb 2026) — out-of-cycle regression fix:
Alpine 3.23.4 (Apr 2026):
Regression risk
No regressions identified that would affect PeerDB's catalog usage. The 18.3 out-of-cycle release specifically fixes regressions that were introduced in 18.2, so this bump lands on a stable point.
Verdict: Safe to merge. The bump brings significant security hardening with no expected impact on PeerDB.
🤖 Reviewed by Claude
a70af69 to 0c6f2a4
Review:
0c6f2a4 to bb6c9f1
Review: postgres:18-alpine digest bump — looks clean ✅ Reviewed per
No issues found.
bb6c9f1 to 04096b2
Review:
04096b2 to 3679cca
Automated Review — Clean
Reviewed the
PII/Secret exposure: None. Only Docker image digest hashes changed in
Upstream regression check: The new digest (updated June 18, 2026) includes PostgreSQL 18.4 (released May 14, 2026), which brings:
Per the release notes: "No dump/restore is required for users running 18.X versions." No breaking changes or regressions identified. This is a beneficial security and stability update.
❌ 1 Tests Failed:
🔄 Flaky Test Detected
Analysis: Mongo validation transiently read oplogMinRetentionHours as 23 despite the CI container being started with --oplogMinRetentionHours 24, while the same mongo setup passed in the 3 other matrix jobs — a startup/replica-set warmup race unrelated to this docker-compose dependency bump.
✅ Automatically retrying the workflow
3679cca to 40dedbc
40dedbc to 52642d8
Review:
52642d8 to 3dca738
Review: postgres digest bump — clean ✅
Change:
Upstream changes reviewed:
Risk assessment: No known regressions in PostgreSQL 18.4. No breaking changes expected for PeerDB's catalog database usage. This is a strongly recommended security update.
PII/secrets check: Diff only modifies image digest hashes — no risk of exposing sensitive information.
🤖 Reviewed by Claude
🔄 Flaky Test Detected
Analysis: The lone failure (1 of 2519 tests), TestRunPipeline_FilterStripsLines, died because a trivial
✅ Automatically retrying the workflow
This PR contains the following updates:
96d56f7 → 1b1689b
Configuration
📅 Schedule: (in timezone Etc/UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.