chore(deps): update docker

[renovate-bot]

This PR contains the following updates:

Package	Type	Update	Change	Pending
alpine	final	minor	3.20.3 -> 3.21.2	3.21.3
golang	final	patch	1.23.4-alpine -> 1.23.5-alpine	1.24.0-alpine (+1)
mcr.microsoft.com/dotnet/aspnet	final	digest	372b162 -> adc89f8
mcr.microsoft.com/dotnet/runtime-deps	final	patch	9.0.1-noble-chiseled -> 9.0.2-noble-chiseled
mcr.microsoft.com/dotnet/sdk	stage	digest	7d24e90 -> 7f8e8b1
mcr.microsoft.com/dotnet/sdk	stage	patch	9.0.101-noble -> 9.0.200-noble
node	stage	patch	20.18.1-alpine -> 20.18.2-alpine	20.18.3
python	final	minor	3.12.8-slim -> 3.13.2-slim
python	final	minor	3.12.8-alpine -> 3.13.1-alpine	3.13.2-alpine

---

Release Notes

dotnet/runtime (mcr.microsoft.com/dotnet/runtime-deps)

v9.0.2: .NET 9.0.2

Compare Source

Release

What's Changed

• [release/9.0-staging] Ensure Vector.Create is properly recognized as intrinsic by @​github-actions in https://github.com/dotnet/runtime/pull/109322
• [release/9.0-staging] Fix return address hijacking with CET by @​github-actions in https://github.com/dotnet/runtime/pull/109548
• [release/9.0] Fix FP state restore on macOS exception forwarding by @​github-actions in https://github.com/dotnet/runtime/pull/110163
• [release/9.0-staging] [debugger] Fix a step that becomes a go by @​github-actions in https://github.com/dotnet/runtime/pull/110533
• [release/9.0-staging] [debugger] Support step into a tail call by @​github-actions in https://github.com/dotnet/runtime/pull/110438
• [release/9.0-staging] Fix Tizen linux-armel build by @​github-actions in https://github.com/dotnet/runtime/pull/110614
• release/9.0-staging -- Update Alpine, Debian, and Fedora versions by @​richlander in https://github.com/dotnet/runtime/pull/110493
• [release/9.0-staging] JIT: Read back all replacements before statements with implicit EH control flow by @​github-actions in https://github.com/dotnet/runtime/pull/109143
• [release/9.0-staging] Fix crash when pTargetMD is null by @​github-actions in https://github.com/dotnet/runtime/pull/110652
• [release/9.0-staging] Avoid exception when parsing AD path for port number by @​github-actions in https://github.com/dotnet/runtime/pull/110224
• [release/9.0-staging] Fix System.Reflection.Emit SetChecksum creating invalid pdb by @​github-actions in https://github.com/dotnet/runtime/pull/110205
• [release/9.0] Use floating tag for webassembly image by @​github-actions in https://github.com/dotnet/runtime/pull/109374
• [release/9.0-staging] [Profiler] Avoid Recursive ThreadStoreLock in Profiling Thread Enumerator by @​github-actions in https://github.com/dotnet/runtime/pull/110665
• [release/9.0-staging] JIT: Include more edges in BlockDominancePreds to avoid a JIT crash by @​github-actions in https://github.com/dotnet/runtime/pull/110568
• [release/9.0-staging][wasm] Workaround incorrect mono restore when building WBT by @​lewing in https://github.com/dotnet/runtime/pull/110590
• [release/9.0-staging] Update dependencies from dotnet/sdk by @​dotnet-maestro in https://github.com/dotnet/runtime/pull/110532
• [release/9.0-staging] Update dependencies from dotnet/cecil by @​dotnet-maestro in https://github.com/dotnet/runtime/pull/110572
• [release/9.0-staging] Conditionally check the compiler flags in libs.native by @​github-actions in https://github.com/dotnet/runtime/pull/109556
• [TestOnly][release/9.0-staging] Fix TimeProvider Test by @​github-actions in https://github.com/dotnet/runtime/pull/111132
• [release/9.0-staging] [mono] Chain SIGSEGV native crashes to the default SIGSEGV handler by @​github-actions in https://github.com/dotnet/runtime/pull/110863
• [release/9.0-staging] Update dependencies from dotnet/source-build-reference-packages by @​dotnet-maestro in https://github.com/dotnet/runtime/pull/110905
• [release/9.0-staging] Exit the lock before we call into user code and handle losing the race for the RCW table by @​github-actions in https://github.com/dotnet/runtime/pull/111162
• [release/9.0-staging] Fix race condition when cancelling pending HTTP connection attempts by @​github-actions in https://github.com/dotnet/runtime/pull/110764
• [release/9.0-staging] Remove HttpMetricsEnrichmentContext caching by @​github-actions in https://github.com/dotnet/runtime/pull/110626
• [release/9.0-staging] Fix IDynamicInterfaceCastable with shared generic code by @​github-actions in https://github.com/dotnet/runtime/pull/109918
• [release/9.0-staging] Fix handling of IDynamicInterfaceCastable wrt CastCache by @​github-actions in https://github.com/dotnet/runtime/pull/110007
• [release/9.0-staging] ILC: Allow OOB reference to upgrade framework assembly by @​github-actions in https://github.com/dotnet/runtime/pull/110058
• [release/9.0-staging] Move ComWrappers AddRef to C/C++ by @​github-actions in https://github.com/dotnet/runtime/pull/110815
• [release/9.0-staging] [BrowserDebugProxy] Remove exception details from error report by @​github-actions in https://github.com/dotnet/runtime/pull/111202
• [release/9.0-staging] Fix reporting GC fields from base types by @​github-actions in https://github.com/dotnet/runtime/pull/111040
• [release/9.0-staging] Fix C++/CLI applications which use __declspec(appdomain) by @​github-actions in https://github.com/dotnet/runtime/pull/110495
• [release/9.0-staging] Fix calling convention mismatch in GC callouts by @​github-actions in https://github.com/dotnet/runtime/pull/111105
• [release/9.0-staging] Don't wait for finalizers in 'IReferenceTrackerHost::ReleaseDisconnectedReferenceSources' by @​github-actions in https://github.com/dotnet/runtime/pull/110558
• [release/9.0-staging] Add forwarding support for WasmLinkage on LibraryImport by @​github-actions in https://github.com/dotnet/runtime/pull/109364
• [release/9.0-staging] Fix obtaining type handles of IDynamicInterfaceCastableImplementation by @​github-actions in https://github.com/dotnet/runtime/pull/109909
• [release/9.0-staging] Disable GS cookie checks for LightUnwind by @​github-actions in https://github.com/dotnet/runtime/pull/109530
• [release/9.0-staging] Fix analyzer tracking of nullable enums by @​github-actions in https://github.com/dotnet/runtime/pull/110331
• Update branding to 9.0.2 by @​vseanreesermsft in https://github.com/dotnet/runtime/pull/111172
• [release/9.0-staging] Bugfix InvalidOperationException/IndexOutOfRangeException in HttpListener.EndGetContext by @​github-actions in https://github.com/dotnet/runtime/pull/110695
• [release/9.0-staging] Fix IsOSVersionAtLeast when build or revision are not provided by @​github-actions in https://github.com/dotnet/runtime/pull/109332
• [release/9.0-staging] [mono][sgen] Add separate card mark function to be used with debug by @​github-actions in https://github.com/dotnet/runtime/pull/110268
• [release/9.0-staging] [mono][aot] Fix compilation crashes when type load exception is generated in code by @​BrzVlad in https://github.com/dotnet/runtime/pull/110271
• [release/9.0-staging] Change assembler to clang in android MonoAOT by @​github-actions in https://github.com/dotnet/runtime/pull/110812
• [release/9.0-staging] Replace a few SuppressMessage annotations with UnconditionalSuppressMessage by @​github-actions in https://github.com/dotnet/runtime/pull/109186
• [release/9.0-staging] Update dependencies from dotnet/xharness by @​dotnet-maestro in https://github.com/dotnet/runtime/pull/111331
• [release/9.0-staging] Update dependencies from dotnet/roslyn by @​dotnet-maestro in https://github.com/dotnet/runtime/pull/110992
• [release/9.0-staging] Update dependencies from dotnet/roslyn-analyzers by @​dotnet-maestro in https://github.com/dotnet/runtime/pull/110993
• [release/9.0-staging] Update dependencies from dotnet/source-build-reference-packages by @​dotnet-maestro in https://github.com/dotnet/runtime/pull/111325
• [release/9.0-staging] Update dependencies from dotnet/icu by @​dotnet-maestro in https://github.com/dotnet/runtime/pull/110935
• [release/9.0-staging] Update dependencies from dotnet/emsdk by @​dotnet-maestro in https://github.com/dotnet/runtime/pull/110970
• [release/9.0-staging] Update dependencies from dotnet/cecil by @​dotnet-maestro in https://github.com/dotnet/runtime/pull/110937
• [release/9.0-staging] Update dependencies from dotnet/arcade by @​dotnet-maestro in https://github.com/dotnet/runtime/pull/111017
• [release/9.0-staging] Update dependencies from dotnet/hotreload-utils by @​dotnet-maestro in https://github.com/dotnet/runtime/pull/110936
• [release/9.0-staging] Re-try loading ENGINE keys with a non-NULL UI_METHOD by @​github-actions in https://github.com/dotnet/runtime/pull/109783
• [release/9.0-staging] Fix erroneous success in AsnDecoder.ReadSequence by @​github-actions in https://github.com/dotnet/runtime/pull/109595
• [9.0] Guard against empty Accept address by @​github-actions in https://github.com/dotnet/runtime/pull/111366
• [release/9.0-staging] fix TCP FastOpen compilation by @​github-actions in https://github.com/dotnet/runtime/pull/111142
• [release/9.0-staging] [apple-mobile] Disable TLSWitLoadedDlls for Apple mobile due to missing native libs by @​github-actions in https://github.com/dotnet/runtime/pull/111356
• [release/9.0] Fix Encoding regression by @​github-actions in https://github.com/dotnet/runtime/pull/111367
• [manual] Merge release/9.0-staging into release/9.0 by @​carlossanlop in https://github.com/dotnet/runtime/pull/111378
• [manual] Merge release/9.0-staging into release/9.0 (second pass) by @​carlossanlop in https://github.com/dotnet/runtime/pull/111422
• [release/9.0] Change were libClang.so is found when generating Android aot offsets by @​steveisok in https://github.com/dotnet/runtime/pull/111426
• [release/9.0] Support generic fields in PersistedAssemblyBuilder by @​github-actions in https://github.com/dotnet/runtime/pull/111467
• Merging internal commits for release/9.0 by @​vseanreesermsft in https://github.com/dotnet/runtime/pull/111428

Full Changelog: dotnet/runtime@v9.0.1...v9.0.2

dotnet/sdk (mcr.microsoft.com/dotnet/sdk)

v9.0.200

Compare Source

v9.0.102

nodejs/node (node)

v20.18.2: 2025-01-21, Version 20.18.2 'Iron' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• CVE-2025-23083 - throw on InternalWorker use when permission model is enabled (High)
• CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
• CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)

Dependency update:

• CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

Commits

• [df8b9f2c3e] - (CVE-2025-22150) deps: update undici to v6.21.1 (Matteo Collina) nodejs-private/node-private#663
• [42d5821873] - (CVE-2025-23084) path: fix path traversal in normalize() on Windows (Tobias Nießen) nodejs-private/node-private#555
• [8187a4b9bb] - src: fix HTTP2 mem leak on premature close and ERR_PROTO (RafaelGSS)
• [389f239a28] - (CVE-2025-23083) src,loader,permission: throw on InternalWorker use (RafaelGSS) nodejs-private/node-private#652

---

Configuration

📅 Schedule: Branch creation - "* 0-3 * * 1" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.