docker: bump postgres from 18.4-alpine to 18.4-alpine #603
Bumps postgres from 18.4-alpine to 18.4-alpine.
---
updated-dependencies:
- dependency-name: postgres
  dependency-version: 18.4-alpine
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
bgentry left a comment
🤖 Codex review: Security review looks good to me.
I reviewed this as a dependency-upgrade supply-chain/security pass for the dev postgres:18.4-alpine image digest refresh at head 5f0f82cd3b102fa5e7e4b678fc0500805563e1db.
Scope reviewed:
- docker-compose.dev.yaml image reference change.
- Official Docker Hub library/postgres source and pinned digest behavior.
- Live Docker Hub manifest-list digest verification with skopeo inspect --raw.
- CI status, with the known Dependabot riverproui image-publish/OIDC failure treated separately from dependency safety.
No blocking supply-chain issue found. The update keeps the image source on official Docker Hub library/postgres, keeps the same 18.4-alpine tag, and only refreshes the pinned dev Compose digest from sha256:96d56f7... to sha256:1b1689b....
I independently verified that the current raw manifest-list digest for docker.io/library/postgres:18.4-alpine is sha256:1b1689b20d16a014a3d195653381cf2caa75a41a92d93b255a9d6ea29fd353aa, matching the PR.
The remaining failed riverproui image checks are consistent with the known Dependabot OIDC/publish limitation, while the ordinary JS/Go checks and riverui image jobs passed.
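The digest check described in the review above, as an added example that is not code from this PR or the repository: it reads every `image:` line in a Compose file that pins a `@sha256:` digest, fetches the raw manifest (list) bytes the way the reviewer did (`skopeo inspect --raw`, assumed installed; the test below substitutes constructed bytes), hashes them, and reports whether the pin still matches. The sample Compose text and manifest JSON are constructed for illustration, using the digest quoted in the review.

```python
import hashlib
import re
import subprocess

# Matches e.g. `image: postgres:18.4-alpine@sha256:<64 hex>` (optionally quoted).
IMAGE_RE = re.compile(
    r"^\s*image:\s*['\"]?([^\s'\"@]+)@(sha256:[0-9a-f]{64})['\"]?\s*$", re.M
)

# Constructed sample inputs (not the repository's real files).
SAMPLE_COMPOSE = """services:
  postgres:
    image: postgres:18.4-alpine@sha256:1b1689b20d16a014a3d195653381cf2caa75a41a92d93b255a9d6ea29fd353aa
"""
SAMPLE_RAW_MANIFEST = b"""{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": []
}
"""


def pinned_images(compose_text: str) -> dict:
    """Return {reference: pinned digest} for every digest-pinned image line."""
    return {m.group(1): m.group(2) for m in IMAGE_RE.finditer(compose_text)}


def manifest_digest(raw_manifest: bytes) -> str:
    """A registry digest is sha256 over the exact bytes served; re-serializing
    the JSON (pretty-printing, key reordering) changes the value, so hash raw."""
    return "sha256:" + hashlib.sha256(raw_manifest).hexdigest()


def fetch_raw_manifest(reference: str) -> bytes:
    """Fetch the raw manifest bytes via skopeo (assumed on PATH; network needed)."""
    cmd = ["skopeo", "inspect", "--raw", f"docker://{reference}"]
    return subprocess.run(cmd, check=True, capture_output=True).stdout


def check_pins(compose_text: str, fetch=fetch_raw_manifest) -> dict:
    """Return {reference: (pinned, live, matches)} for each pinned image."""
    results = {}
    for ref, pinned in pinned_images(compose_text).items():
        live = manifest_digest(fetch(ref))
        results[ref] = (pinned, live, pinned == live)
    return results
```

Run `check_pins(open("docker-compose.dev.yaml").read())` against the real file to reproduce the review's live comparison; a `False` third element means the tag now resolves to different bytes than the pin.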
Bumps postgres from 18.4-alpine to 18.4-alpine.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)