Docker: Update Chromium to 141.0.7390.65 (#809)

Proximyst · web-flow · commit e01e26736d8f · 2025-10-13T13:37:13.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 4.0.18 (2025-10-13)
+
+- Docker: Update Chromium to 141.0.7390.65 (CVE-2025-11458, CVE-2025-11460, CVE-2025-11211), [#809](https://github.com/grafana/grafana-image-renderer/pull/809), [Proximyst](https://github.com/Proximyst)
+
 ## 4.0.17 (2025-10-09)
 
 - fix: assert no path traversal in renders (CVE-2025-11539), [#801](https://github.com/grafana/grafana-image-renderer/pull/801), [Proximyst](https://github.com/Proximyst), [KristianGrafana](https://github.com/KristianGrafana)
diff --git a/Dockerfile b/Dockerfile
@@ -5,32 +5,32 @@ SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 # If we ever need to bust the cache, just change the date here.
 # While we don't cache anything in Drone, that might not be true when we migrate to GitHub Actions where some action might automatically enable layer caching.
 # This is fine, but is terrible in situations where we want to _force_ an update of a package.
-RUN echo 'cachebuster 2025-10-06' && apt-get update
+RUN echo 'cachebuster 2025-10-13' && apt-get update
 
 FROM debian-updated AS debs
 
-ARG CHROMIUM_VERSION=141.0.7390.54
+ARG CHROMIUM_VERSION=141.0.7390.65
 RUN apt-cache depends chromium=${CHROMIUM_VERSION} chromium-driver chromium-shell chromium-sandbox font-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-khmeros fonts-kacst fonts-freefont-ttf libxss1 unifont fonts-open-sans fonts-roboto fonts-inter bash util-linux openssl tini ca-certificates locales libnss3-tools \
-    --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
+  --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
 RUN mkdir /dpkg && \
-    find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
+  find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
 
 FROM debian:testing-slim@sha256:12ce5b90ca703a11ebaae907649af9b000e616f49199a2115340e0cdf007e42a AS ca-certs
 
 RUN apt-get update
 RUN apt-cache depends ca-certificates \
-    --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
+  --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
 RUN mkdir /dpkg && \
-    find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
+  find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
 
 # While we can't move to Debian 13 yet for the final image, use its new build of busybox with security fixes.
 FROM debian:13-slim@sha256:c85a2732e97694ea77237c61304b3bb410e0e961dd6ee945997a06c788c545bb AS busybox
 
 RUN apt-get update
 RUN apt-cache depends busybox-static \
-    --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
+  --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
 RUN mkdir /dpkg && \
-    find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
+  find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
 
 FROM node:22-alpine@sha256:1b2479dd35a99687d6638f5976fd235e26c5b37e8122f786fcd5fe231d63de5b AS build
 
@@ -85,4 +85,4 @@ EXPOSE 8081
 ENTRYPOINT ["tini", "--", "/nodejs/bin/node"]
 CMD ["build/app.js", "server", "--config=config.json"]
 HEALTHCHECK --interval=10s --retries=3 --timeout=3s \
-    CMD ["wget", "-O-", "-q", "http://localhost:8081/"]
+  CMD ["wget", "-O-", "-q", "http://localhost:8081/"]
diff --git a/go.Dockerfile b/go.Dockerfile
@@ -11,10 +11,10 @@ WORKDIR /src
 COPY . ./
 
 RUN --mount=type=cache,target=/go/pkg/mod CGO_ENABLED=0 go build \
-    -o grafana-image-renderer \
-    -buildvcs \
-    -ldflags '-s -w -extldflags "-static"' \
-    .
+  -o grafana-image-renderer \
+  -buildvcs \
+  -ldflags '-s -w -extldflags "-static"' \
+  .
 
 FROM debian:12-slim@sha256:b1a741487078b369e78119849663d7f1a5341ef2768798f7b7406c4240f86aef AS debs
 
@@ -25,19 +25,19 @@ SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 # This is fine, but is terrible in situations where we want to _force_ an update of a package.
 RUN echo 'cachebuster 2025-10-06' && apt-get update
 
-ARG CHROMIUM_VERSION=141.0.7390.54
+ARG CHROMIUM_VERSION=141.0.7390.65
 RUN apt-cache depends chromium=${CHROMIUM_VERSION} chromium-driver chromium-shell chromium-sandbox font-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-khmeros fonts-kacst fonts-freefont-ttf libxss1 unifont fonts-open-sans fonts-roboto fonts-inter bash busybox util-linux openssl tini ca-certificates locales libnss3-tools \
-    --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
+  --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
 RUN mkdir /dpkg && \
-    find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
+  find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
 
 FROM debian:testing-slim@sha256:12ce5b90ca703a11ebaae907649af9b000e616f49199a2115340e0cdf007e42a AS ca-certs
 
 RUN apt-get update
 RUN apt-cache depends ca-certificates \
-    --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
+  --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances --no-pre-depends | grep '^\w' | xargs apt-get download
 RUN mkdir /dpkg && \
-    find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
+  find . -type f -name '*.deb' -exec sh -c 'dpkg --extract "$1" /dpkg || exit 5' sh '{}' \;
 
 FROM gcr.io/distroless/base-debian12:nonroot AS output_image
 
@@ -71,4 +71,4 @@ EXPOSE 8081
 ENTRYPOINT ["tini", "--", "/usr/bin/grafana-image-renderer"]
 CMD ["server"]
 HEALTHCHECK --interval=10s --retries=3 --timeout=3s --start-interval=250ms --start-period=30s \
-    CMD ["/usr/bin/grafana-image-renderer", "healthcheck"]
+  CMD ["/usr/bin/grafana-image-renderer", "healthcheck"]
diff --git a/plugin.json b/plugin.json
@@ -24,8 +24,8 @@
         "url": "https://github.com/grafana/grafana-image-renderer/blob/master/LICENSE"
       }
     ],
-    "version": "4.0.17",
-    "updated": "2025-10-09"
+    "version": "4.0.18",
+    "updated": "2025-10-13"
   },
   "dependencies": {
     "grafanaDependency": ">=11.3.8"
