deno/2.6.4-r0: cve remediation #77383
Merged
Chainguard Internal / elastic-build (eco-2-28)
succeeded
Jan 7, 2026 in 24m 37s
APKs built successfully
Build ID: ab0720e8-72ab-4291-8c9a-c08d66ad6ca0
Details
builds
x86_64 Logs
Click to expand
14.3.0-r9)
installing libgfortran-14 (14.3.0-r9)
installing gfortran-14 (14.3.0-r9)
installing libgfortran (15.2.0-r6)
installing gcc-14-default (14.3.0-r9)
installing wolfi-keys (1-r12)
installing libcrypto3 (3.6.0-r6)
installing libssl3 (3.6.0-r6)
installing apk-tools (2.14.10-r9)
installing libcrypt1 (2.42-r4)
installing busybox (1.37.0-r50)
installing wolfi-base (1-r7)
populating workspace /tmp/melange-workspace-4122569372 from deno
qemu: generating ssh key pairs for ephemeral VM
qemu: generating SSH host key for VM
qemu: generating base initramfs
image configuration:
contents:
build repositories: [https://apk.cgr.dev/chainguard]
runtime repositories: []
repositories: []
keyring: []
packages: [microvm-init]
installing wolfi-baselayout (20230201-r25)
installing ca-certificates-bundle (20251003-r0)
installing libgcc (15.2.0-r6)
installing glibc-locale-posix (2.42-r4)
installing glibc (2.42-r4)
installing ld-linux (2.42-r4)
installing gnutar-rmt (1.35-r7)
installing gnutar (1.35-r7)
installing libattr1 (2.5.2-r54)
installing attr (2.5.2-r54)
installing zlib (1.3.1.2-r0)
installing libzstd1 (1.5.7-r5)
installing xz (5.8.2-r0)
installing libcrypto3 (3.6.0-r6)
installing kmod (34.2-r42)
installing libmnl (1.0.5-r6)
installing libbz2-1 (1.0.8-r21)
installing libelf (0.194-r0)
installing libbpf (1.6.2-r0)
installing libverto (0.3.2-r6)
installing krb5-conf (1.0-r7)
installing libcom_err (1.47.3-r1)
installing keyutils-libs (1.6.3-r37)
installing libssl3 (3.6.0-r6)
installing krb5-libs (1.22.1-r1)
installing libtirpc (1.3.7-r1)
installing libpcre2-8-0 (10.47-r0)
installing libsepol (3.9-r1)
installing libselinux (3.9-r1)
installing libnftnl (1.3.1-r0)
installing xtables (1.8.11-r31)
installing libcap (2.77-r0)
installing iproute2 (6.17.0-r2)
installing libstdc++ (15.2.0-r6)
installing inih (62-r1)
installing liburcu (0.15.5-r0)
installing libblkid (2.41.3-r0)
installing libuuid (2.41.3-r0)
installing xfsprogs-core (6.18.0-r0)
installing xfsprogs (6.18.0-r0)
installing libmount (2.41.3-r0)
installing mount (2.41.3-r0)
installing ncurses-terminfo-base (6.6_p20251230-r0)
installing ncurses (6.6_p20251230-r0)
installing setarch (2.41.3-r0)
installing libfdisk (2.41.3-r0)
installing sqlite-libs (3.51.1-r0)
installing util-linux (2.41.3-r0)
installing libsmartcols (2.41.3-r0)
installing util-linux-misc (2.41.3-r0)
installing libxcrypt (4.5.2-r0)
installing libcrypt1 (2.42-r4)
installing linux-pam (1.7.1-r4)
installing openssh-keygen (10.2_p1-r3)
installing openssh-server-config (10.2_p1-r3)
installing openssh-server (10.2_p1-r3)
installing busybox (1.37.0-r50)
installing microvm-init (0.0.1-r15)
qemu: starting VM
qemu: waiting for SSH
conn read: read tcp 127.0.0.1:51922->127.0.0.1:44197: i/o timeout
qemu: meta-data=/dev/vda isize=512 agcount=8, agsize=1638400 blks
qemu: = sectsz=4096 attr=2, projid32bit=1
qemu: = crc=1 finobt=1, sparse=1, rmapbt=1
qemu: = reflink=1 bigtime=1 inobtcount=1 nrext64=1
qemu: = exchange=1 metadir=0
qemu: data = bsize=4096 blocks=13107200, imaxpct=25
qemu: = sunit=0 swidth=0 blks
qemu: naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1
qemu: log =internal log bsize=4096 blocks=16384, version=2
qemu: = sectsz=4096 sunit=1 blks, lazy-count=1
qemu: realtime =none extsz=4096 blocks=0, rtextents=0
qemu: = rgcount=0 rgsize=0 extents
qemu: = zoned=0 start=0 reserved=0
qemu: Discarding blocks...Done.
qemu: [INIT] Checking for init.d scripts...
qemu: [INIT] No /opt/melange/init.d directory (optional, skipping)
conn read: read tcp 127.0.0.1:51934->127.0.0.1:44197: i/o timeout
qemu: ssh-keygen: generating new host keys: RSA ECDSA
qemu: Server listening on 0.0.0.0 port 2223.
qemu: Server listening on 0.0.0.0 port 22.
qemu: VM started successfully, SSH server is up
qemu: Connection closed by 10.0.2.2 port 59390
qemu: verifying VM host key against pre-provisioned key
qemu: Accepted publickey for root from 10.0.2.2 port 59404 ssh2: ECDSA SHA256:V5ylBBtxL0f/Yk+PgNf+Cl9U5EmUWgcReLpmuLrALVU
qemu: VM host key successfully verified against pre-provisioned key
qemu: Connection closed by 10.0.2.2 port 59404
qemu: Accepted publickey for root from 10.0.2.2 port 59414 ssh2: ECDSA SHA256:V5ylBBtxL0f/Yk+PgNf+Cl9U5EmUWgcReLpmuLrALVU
qemu: Accepted publickey for root from 10.0.2.2 port 39244 ssh2: ECDSA SHA256:V5ylBBtxL0f/Yk+PgNf+Cl9U5EmUWgcReLpmuLrALVU
qemu: Accepted publickey for root from 10.0.2.2 port 59416 ssh2: ECDSA SHA256:V5ylBBtxL0f/Yk+PgNf+Cl9U5EmUWgcReLpmuLrALVU
qemu: running kernel version: 6.16.10-r2-qemu-generic #Chainguard SMP PREEMPT_DYNAMIC Fri Oct 3 22:31:32 UTC 2025
qemu: setting up local workspace
qemu: unmounting host workspace from guest
running the main test pipeline
deno 2.6.4 (stable, release, x86_64-unknown-linux-gnu)
v8 14.2.231.17-rusty
typescript 5.9.2
Test passed!
Deno: A modern JavaScript and TypeScript runtime
Usage: deno [OPTIONS] [COMMAND]
Commands:
Execution:
run Run a JavaScript or TypeScript program, or a task
deno run main.ts | deno run --allow-net=google.com main.ts | deno main.ts
serve Run a server
deno serve main.ts
task Run a task defined in the configuration file
deno task dev
repl Start an interactive Read-Eval-Print Loop (REPL) for Deno
eval Evaluate a script from the command line
Dependency management:
add Add dependencies
deno add jsr:@std/assert | deno add npm:express
install Installs dependencies either in the local project or globally to a bin directory
uninstall Uninstalls a dependency or an executable script in the installation root's bin directory
outdated Find and update outdated dependencies
approve-scripts Approve npm lifecycle scripts
remove Remove dependencies from the configuration file
Tooling:
bench Run benchmarks
deno bench bench.ts
check Type-check the dependencies
clean Remove the cache directory
compile Compile the script into a self contained executable
deno compile main.ts | deno compile --target=x86_64-unknown-linux-gnu
coverage Print coverage reports
deploy Manage and publish applications with Deno Deploy
doc Generate and show documentation for a module or built-ins
deno doc | deno doc --json | deno doc --html mod.ts
fmt Format source files
deno fmt | deno fmt main.ts
info Show info about cache or info related to source file
jupyter Deno kernel for Jupyter notebooks
lint Lint source files
init Initialize a new project
test Run tests
deno test | deno test test.ts
publish Publish the current working directory's package or workspace
upgrade Upgrade deno executable to given version
deno upgrade | deno upgrade 1.45.0 | deno upgrade canary
Environment variables:
Docs: https://docs.deno.com/go/env-vars
DENO_AUTH_TOKENS A semi-colon separated list of bearer tokens and hostnames
to use when fetching remote modules from private repositories
(e.g. "abcde12345@deno.land;54321edcba@github.com")
DENO_CACHE_DB_MODE Controls whether Web cache should use disk based or in-memory database.
DENO_CERT Load certificate authorities from PEM encoded file.
DENO_COMPAT Enable Node.js compatibility mode - extensionless imports, built-in
Node.js modules, CommonJS detection and more.
DENO_DIR Set the cache directory
DENO_INSTALL_ROOT Set deno install's output directory
(defaults to $HOME/.deno/bin)
DENO_KV_DB_MODE Controls whether Deno.openKv() API should use disk based or in-memory
database.
DENO_EMIT_CACHE_MODE Control if the transpiled sources should be cached.
DENO_NO_PACKAGE_JSON Disables auto-resolution of package.json.
DENO_NO_UPDATE_CHECK Set to disable checking if a newer Deno version is available
DENO_SERVE_ADDRESS Override address for Deno.serve
("tcp:0.0.0.0:8080", "unix:/tmp/deno.sock", or "vsock:1234:5678")
DENO_AUTO_SERVE If the entrypoint contains export default { fetch }, `deno run`
behaves like `deno serve`.
DENO_TLS_CA_STORE Comma-separated list of order dependent certificate stores.
Possible values: "system", "mozilla" (defaults to "mozilla")
DENO_TRACE_PERMISSIONS Environmental variable to enable stack traces in permission prompts.
DENO_USE_CGROUPS Use cgroups to determine V8 memory limit.
FORCE_COLOR Set force color output even if stdout isn't a tty.
HTTP_PROXY Proxy address for HTTP requests.
(module downloads, fetch)
HTTPS_PROXY Proxy address for HTTPS requests.
(module downloads, fetch)
NO_COLOR Set to disable color.
NO_PROXY Comma-separated list of hosts which do not use a proxy.
(module downloads, fetch)
NPM_CONFIG_REGISTRY URL to use for the npm registry.
DENO_TRUST_PROXY_HEADERS If specified, removes X-deno-client-address header when serving HTTP.
DENO_USR2_MEMORY_TRIM If specified, listen for SIGUSR2 signal to try and free memory (Linux only).
Docs: https://docs.deno.com
Standard Library: https://jsr.io/@std
Bugs: https://github.com/denoland/deno/issues
Discord: https://discord.gg/deno
qemu: sending shutdown signal
tests completed successfully
all tests passed
aarch64 Logs
Click to expand
ages/aarch64/deno-2.6.4-r1.apk -> packages/deno-2.6.4-r1/mal-scan.json
running command mal [--format=json --exit-extraction=false --min-risk=critical --min-file-risk=critical --quantity-increases-risk=true --output=packages/deno-2.6.4-r1/mal-scan.json scan packages/aarch64/deno-2.6.4-r1.apk]
command "mal" completed successfully
malcontent scan completed successfully for 1 APKs in 18s
creating packages tarball...
running command tar [-C packages -cf packages.tar .]
command "tar" completed successfully
packages.tar sha256sum: 23f09926137918a560a042f0007b67caf9be2a476f8a026af1d2234ecac688dc
sha256sum "23f09926137918a560a042f0007b67caf9be2a476f8a026af1d2234ecac688dc" written to /dev/termination-log
Built 1 packages, hash: 23f09926137918a560a042f0007b67caf9be2a476f8a026af1d2234ecac688dc, size: 56598528 bytes
uploading final packages tarball...
running command curl [-s --upload-file packages.tar -H Content-Type: application/octet-stream https://storage.googleapis.com/prod-bundle-staging/eco-2-28/aarch64/1767784881829345865-deno-2.6.4-r1.tar.gz?Expires=1767828081&GoogleAccessId=ebuild-456o8jve9m82pzkyd0rxyya%40prod-enforce-fabc.iam.gserviceaccount.com&Signature=JmIMgnT77o7agvTGS9%2FQM8O3ph2NAIDgxI%2FeB8PJb7YmGas78Eb3UkuKKVKIJ4lKwWCv4vwtEoP3dO19gOVW5alrGPlmCnCKH%2Fiy64gXcsxgV43pFLlG%2BE2muP8Sw3zV6QHxju95ehB50tWQgOVTGQz0k9phyqlRoQPxf1i%2Fc%2FO2ifGp2IQ126V%2FJVj1MVCY4fD58SwJ1TE%2FlSl4JcqNXZBFZEG4FdxyG18kLhe8A7F54yyX%2FEBcn99dkST4U6FhG1uFy%2FvaoZr9DzKw2w6gqih0EtNoUtFxOEbxqhxuhngCE9vyWAMOqdLOjUqV6ZCtwwfDr4y6HLranyf%2BHBBQMA%3D%3D]
command "curl" completed successfully
upload completed successfully
parsed env
using enhanced syft sbom melange runner
configuring puller identity "e2fa069c57acc83f3f2748a8bed50e44dff064dc/dcb8fb2f15475910"...
running command chainctl [auth login --audience apk.cgr.dev --identity e2fa069c57acc83f3f2748a8bed50e44dff064dc/dcb8fb2f15475910]
Successfully exchanged token.
Valid! Id: e2fa069c57acc83f3f2748a8bed50e44dff064dc/dcb8fb2f15475910
Updates are available for chainctl (current version: 0.2.189; latest: 0.2.190). To install, please run:
$ chainctl update
command "chainctl" completed successfully
puller identity configured successfully
puller identity configured successfully
running tests...
running command /usr/bin/dind [dockerd] in background
command "/usr/bin/dind" started successfully
running command bash [-c
# Retry up to 60 seconds to wait for docker to start.
worked=false
for i in $(seq 60); do
if docker info >/dev/null 2>&1; then
worked=true
break
fi
echo "docker healthcheck failed, docker is not ready, retrying... ($i/60 seconds so far)..."
sleep 1
done
if [ "$worked" = "false" ]; then
echo "Failed to start docker after 60 seconds"
exit 1
fi
]
command "bash" completed successfully
melange devel with runner docker is testing:
image configuration:
contents:
build repositories: []
runtime repositories: []
repositories: []
keyring: []
packages: [deno]
accounts:
runas:
users:
- uid=1000(build) gid=1000
groups:
- gid=1000(build) members=[build]
installing wolfi-baselayout (20230201-r25)
installing ca-certificates-bundle (20251003-r0)
installing glibc-locale-posix (2.42-r4)
installing ld-linux (2.42-r4)
installing glibc (2.42-r4)
installing libgcc (15.2.0-r6)
installing oldlibstdcxx-2.28 (8.5.0-r1)
installing libstdc++ (15.2.0-r6)
installing ct-manylinux-2.28-gcc-14 (1.28.0-r87)
installing ct-manylinux-2.28 (1.28.0-r87)
installing deno (2.6.4-r1)
installing gmp (6.3.0-r8)
installing mpfr (4.2.2-r2)
installing mpc (1.3.1-r7)
installing posix-cc-wrappers (2-r7)
installing isl (0.27-r4)
installing zlib (1.3.1.2-r0)
installing libzstd1 (1.5.7-r5)
installing libstdc++-14 (14.3.0-r9)
installing libstdc++-14-dev (14.3.0-r9)
installing libquadmath (15.2.0-r6)
installing openssf-compiler-options (20250904-r2)
installing binutils (2.45.1-r2)
installing libxcrypt (4.5.2-r0)
installing libxcrypt-dev (4.5.2-r0)
installing nss-db (2.42-r4)
installing nss-hesiod (2.42-r4)
installing linux-headers (6.18.3-r0)
installing glibc-dev (2.42-r4)
installing gcc-14 (14.3.0-r9)
installing libgfortran-14 (14.3.0-r9)
installing gfortran-14 (14.3.0-r9)
installing libgfortran (15.2.0-r6)
installing gcc-14-default (14.3.0-r9)
installing wolfi-keys (1-r12)
installing libcrypto3 (3.6.0-r6)
installing libssl3 (3.6.0-r6)
installing apk-tools (2.14.10-r9)
installing libcrypt1 (2.42-r4)
installing busybox (1.37.0-r50)
installing wolfi-base (1-r7)
layer digest: sha256:cad718c421dd8fb1d0ee372158e3ebe9c7dd7184696bc7ad7c5ea68556d24c23
layer diffID: sha256:2d50c96311af2aaccfa31284bf28c2b7e458a98f07cfd8af56f899445cf39683
saving OCI image locally: apko.local/cache:05014abf0efb19fdf75b2a999dca46e67e0f9c100ade14edf2135958e17d31b7
tagging local image apko.local/cache:05014abf0efb19fdf75b2a999dca46e67e0f9c100ade14edf2135958e17d31b7 as index.docker.io/library/melange:latest
populating workspace /tmp/melange-workspace-4173955049 from deno
running the main test pipeline
deno 2.6.4 (stable, release, aarch64-unknown-linux-gnu)
v8 14.2.231.17-rusty
typescript 5.9.2
Test passed!
Deno: A modern JavaScript and TypeScript runtime
Usage: deno [OPTIONS] [COMMAND]
Commands:
Execution:
run Run a JavaScript or TypeScript program, or a task
deno run main.ts | deno run --allow-net=google.com main.ts | deno main.ts
serve Run a server
deno serve main.ts
task Run a task defined in the configuration file
deno task dev
repl Start an interactive Read-Eval-Print Loop (REPL) for Deno
eval Evaluate a script from the command line
Dependency management:
add Add dependencies
deno add jsr:@std/assert | deno add npm:express
install Installs dependencies either in the local project or globally to a bin directory
uninstall Uninstalls a dependency or an executable script in the installation root's bin directory
outdated Find and update outdated dependencies
approve-scripts Approve npm lifecycle scripts
remove Remove dependencies from the configuration file
Tooling:
bench Run benchmarks
deno bench bench.ts
check Type-check the dependencies
clean Remove the cache directory
compile Compile the script into a self contained executable
deno compile main.ts | deno compile --target=x86_64-unknown-linux-gnu
coverage Print coverage reports
deploy Manage and publish applications with Deno Deploy
doc Generate and show documentation for a module or built-ins
deno doc | deno doc --json | deno doc --html mod.ts
fmt Format source files
deno fmt | deno fmt main.ts
info Show info about cache or info related to source file
jupyter Deno kernel for Jupyter notebooks
lint Lint source files
init Initialize a new project
test Run tests
deno test | deno test test.ts
publish Publish the current working directory's package or workspace
upgrade Upgrade deno executable to given version
deno upgrade | deno upgrade 1.45.0 | deno upgrade canary
Environment variables:
Docs: https://docs.deno.com/go/env-vars
DENO_AUTH_TOKENS A semi-colon separated list of bearer tokens and hostnames
to use when fetching remote modules from private repositories
(e.g. "abcde12345@deno.land;54321edcba@github.com")
DENO_CACHE_DB_MODE Controls whether Web cache should use disk based or in-memory database.
DENO_CERT Load certificate authorities from PEM encoded file.
DENO_COMPAT Enable Node.js compatibility mode - extensionless imports, built-in
Node.js modules, CommonJS detection and more.
DENO_DIR Set the cache directory
DENO_INSTALL_ROOT Set deno install's output directory
(defaults to $HOME/.deno/bin)
DENO_KV_DB_MODE Controls whether Deno.openKv() API should use disk based or in-memory
database.
DENO_EMIT_CACHE_MODE Control if the transpiled sources should be cached.
DENO_NO_PACKAGE_JSON Disables auto-resolution of package.json.
DENO_NO_UPDATE_CHECK Set to disable checking if a newer Deno version is available
DENO_SERVE_ADDRESS Override address for Deno.serve
("tcp:0.0.0.0:8080", "unix:/tmp/deno.sock", or "vsock:1234:5678")
DENO_AUTO_SERVE If the entrypoint contains export default { fetch }, `deno run`
behaves like `deno serve`.
DENO_TLS_CA_STORE Comma-separated list of order dependent certificate stores.
Possible values: "system", "mozilla" (defaults to "mozilla")
DENO_TRACE_PERMISSIONS Environmental variable to enable stack traces in permission prompts.
DENO_USE_CGROUPS Use cgroups to determine V8 memory limit.
FORCE_COLOR Set force color output even if stdout isn't a tty.
HTTP_PROXY Proxy address for HTTP requests.
(module downloads, fetch)
HTTPS_PROXY Proxy address for HTTPS requests.
(module downloads, fetch)
NO_COLOR Set to disable color.
NO_PROXY Comma-separated list of hosts which do not use a proxy.
(module downloads, fetch)
NPM_CONFIG_REGISTRY URL to use for the npm registry.
DENO_TRUST_PROXY_HEADERS If specified, removes X-deno-client-address header when serving HTTP.
DENO_USR2_MEMORY_TRIM If specified, listen for SIGUSR2 signal to try and free memory (Linux only).
Docs: https://docs.deno.com
Standard Library: https://jsr.io/@std
Bugs: https://github.com/denoland/deno/issues
Discord: https://discord.gg/deno
pod fdd3a0a33ec707405a82fddb6084165757e3884d52e27814d1dcb2edbc761de8 terminated
tests completed successfully
all tests passed
Indexes
https://apk.cgr.dev/chainguard-2.28-presubmit/492c390de80deab4cd0f760efae62dbd8c8d2190
Packages
- ✅ deno (success | 22m5s | x86_64 logs | aarch64 logs)
Tests
- ✅ deno (success | 18s | x86_64 logs | aarch64 logs)
More Observability
Command
cg build log \
--build-id ab0720e8-72ab-4291-8c9a-c08d66ad6ca0 \
--project prod-eco-8de7 \
--cluster elastic-pre \
--namespace pre-eco-2-28 \
--start 2026-01-07T11:19:17Z \
--end 2026-01-07T11:53:55Z
Loading