Automated update for image history #1853
Pull request overview
Automated refresh of the dev image history documentation and component governance manifest to reflect newly built image digests and updated tool/runtime versions across the devcontainer images.
Changes:
- Updated `history/dev.md` files across multiple images with new digests and refreshed tool/runtime/package versions.
- Updated `cgmanifest.json` component registrations/versions to match the refreshed images and dependencies.
| File | Description |
|---|---|
| src/universal/history/dev.md | Updates Universal dev digest + tool/runtime version inventory. |
| src/typescript-node/history/dev.md | Updates TypeScript-Node dev digests and Node/TypeScript/tool inventories per variant. |
| src/rust/history/dev.md | Updates Rust image digests and Rust toolchain versions across variants. |
| src/php/history/dev.md | Updates PHP image digests and PHP/Xdebug/Composer/tool inventories across variants. |
| src/miniconda/history/dev.md | Updates Miniconda dev digest and Python/conda/tool inventories. |
| src/jekyll/history/dev.md | Updates Jekyll dev digests and Ruby/bundler/tool inventories across variants. |
| src/javascript-node/history/dev.md | Updates JavaScript-Node dev digests and Node/eslint/tool inventories per variant. |
| src/java/history/dev.md | Updates Java dev digests and Java/tool inventories across variants. |
| src/java-8/history/dev.md | Updates Java 8 dev digests and Java/tool inventories across variants. |
| src/go/history/dev.md | Updates Go dev variants/digests and Go/tool inventories (including version roll-forward). |
| src/dotnet/history/dev.md | Updates .NET image digests and .NET/tool inventories across variants. |
| src/cpp/history/dev.md | Updates C++ image digests and compiler/tool inventories across variants. |
| src/base-ubuntu/history/dev.md | Updates base Ubuntu dev digests and core package/tool inventory. |
| src/base-debian/history/dev.md | Updates base Debian dev digests and core package/tool inventory. |
| src/base-alpine/history/dev.md | Updates base Alpine dev digests and core package/tool inventory across Alpine variants. |
| src/anaconda/history/dev.md | Updates Anaconda dev digest and Python/Jupyter/tool inventories. |
| cgmanifest.json | Updates component registrations/versions to align with refreshed images and dependencies. |
Copilot's findings
Comments suppressed due to low confidence (1)
src/base-alpine/history/dev.md:48
- This git entry (apk package version) conflicts with the git version reported above in "Other tools and utilities" for the same variant. Please reconcile so the history reflects a single effective git version (or add a note explaining why two are present).
| git | 2.52.0-r0 |
| openssh-client-default | 10.2_p1-r0 |
- Files reviewed: 19/19 changed files
- Comments generated: 4
| "Type": "linux", | ||
| "Linux": { | ||
| "Name": "moby-engine", | ||
| "Version": "29.1.4-ubuntu24.04u2", | ||
| "Version": "29.4.1-ubuntu24.04u1", | ||
| "Distribution": "ubuntu", | ||
| "Release": "24.04", | ||
| "Pool-URL": "https://packages.microsoft.com/repos/microsoft-ubuntu-noble-prod" | ||
| "Pool-URL": "https://packages.microsoft.com/repos/microsoft-ubuntu-focal-prod", | ||
| "Key-URL": "https://packages.microsoft.com/keys/microsoft.asc" |
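Review bot: on the Pool-URL lines, the value ending in microsoft-ubuntu-focal-prod contradicts both "Release": "24.04" and the ubuntu24.04 suffix in the Version strings above it. Ubuntu 24.04 is noble, and the microsoft-ubuntu-noble-prod value also present in this hunk is the one consistent with the rest of the entry, so the registration should keep it.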
Same issue as above for moby-engine: Pool-URL references microsoft-ubuntu-focal-prod while the component metadata says Ubuntu 24.04. Please align the repository URL with the declared distribution/release to avoid incorrect component provenance in cgmanifest.
| | Docker (Moby) CLI & Engine | 29.1.4 | | ||
| | [conda](https://github.com/conda/conda) | 25.11.1 | /opt/conda/bin | | ||
| | [GitHub CLI](https://github.com/cli/cli) | 2.91.0 | | ||
| | [yarn](https://yarnpkg.com/) | ! Corepack is about to download https://registry.yarnpkg.com/yarn/-/yarn-1.22.22.tgz<br />1.22.22 | /usr/bin | |
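Review bot: the yarn row's Version cell contains Corepack's "about to download" prompt for yarn-1.22.22.tgz, which suggests the version probe went through Corepack and that 1.22.22 is the release it would fetch rather than a copy already present at /usr/bin. Report what is installed in the image at that path, and run the probe so that it cannot prompt or reach the registry, otherwise the recorded version depends on the network at collection time.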
The yarn entry is capturing Corepack's interactive download warning ("Corepack is about to download …") as part of the version string, which makes the history misleading and non-deterministic. Please adjust the collection/reporting so the table shows only an actual installed Yarn version, or remove the Yarn row if Yarn is not preinstalled in the image.
| | [yarn](https://yarnpkg.com/) | ! Corepack is about to download https://registry.yarnpkg.com/yarn/-/yarn-1.22.22.tgz<br />1.22.22 | /usr/bin | | |
| | [yarn](https://yarnpkg.com/) | 1.22.22 | /usr/bin | |
| | Tool | Version | Path | | ||
| |------|---------|------| | ||
| | [git](https://github.com/git/git) | 2.52.0 | | ||
| | [git](https://github.com/git/git) | 2.54.0 | |
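Review bot: both git rows leave the Path column empty, which is what makes the 2.54.0 figure impossible to reconcile with the git 2.52.0-r0 package listed for the same variant. If the newer git is installed outside the package manager, fill in Path with the location of that binary so a reader can see which copy the version belongs to.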
This section lists git as 2.54.0, but the package list below also includes a git package with a different version (2.52.0-r0). Having two conflicting git versions in the same variant's history is confusing—please ensure the reported git version matches the installed package, or clarify why a different git is installed outside the package manager.
This issue also appears on line 47 of the same file.
| | [git](https://github.com/git/git) | 2.54.0 | | |
| | [git](https://github.com/git/git) | 2.52.0-r0 | |
| "Type": "linux", | ||
| "Linux": { | ||
| "Name": "moby-cli", | ||
| "Version": "29.1.4-ubuntu24.04u1", | ||
| "Version": "29.4.1-ubuntu24.04u1", | ||
| "Distribution": "ubuntu", | ||
| "Release": "24.04", | ||
| "Pool-URL": "https://packages.microsoft.com/repos/microsoft-ubuntu-noble-prod" | ||
| "Pool-URL": "https://packages.microsoft.com/repos/microsoft-ubuntu-focal-prod", | ||
| "Key-URL": "https://packages.microsoft.com/keys/microsoft.asc" | ||
| } |
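Review bot: the moby-cli entry pairs the focal-prod Pool-URL with Release 24.04 exactly as the moby-engine entry does, so this reads as a mapping fault in whatever generates cgmanifest.json for this automated update rather than a one-off typo. Derive the repository codename from the Release field in one place, and fail the refresh when the two disagree, so both registrations are corrected together and stay aligned on the next run.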
The Pool-URL points to the microsoft-ubuntu-focal-prod repository, but this component is declared as Ubuntu 24.04. This looks inconsistent with the distro/release metadata and may produce an incorrect SBOM source reference; please use the correct repository for the declared Ubuntu release (or adjust the Release field if focal-prod is intentional).
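A consistency check for the mismatch raised in the two cgmanifest comments, as an added example that is not part of the pull request or the repository's tooling: it flags a `Linux` component whose `Pool-URL` codename or `Version` suffix disagrees with its `Release`. The `Registrations`/`Component` wrapper keys, the function names and the release-to-codename table are assumptions of this example; the sample is constructed from the field values visible in the hunks.

```python
import re
from urllib.parse import urlparse

# Ubuntu release -> codename (public Ubuntu release names).
UBUNTU_CODENAMES = {"20.04": "focal", "22.04": "jammy", "24.04": "noble"}

def check_linux_component(linux):
    """Return inconsistencies found in one "Linux" component object."""
    name, release = linux.get("Name", "<unnamed>"), linux.get("Release", "")
    if linux.get("Distribution") != "ubuntu":
        return []  # only the Ubuntu mapping is modelled here
    expected = UBUNTU_CODENAMES.get(release)
    if expected is None:
        return [f"{name}: no codename known for Ubuntu {release!r}"]
    problems = []
    # Codename as it appears in the repository path (...-ubuntu-<codename>-prod).
    match = re.search(r"ubuntu-([a-z]+)-", urlparse(linux.get("Pool-URL", "")).path)
    found = match.group(1) if match else None
    if found != expected:
        problems.append(
            f"{name}: Release {release} expects '{expected}' in Pool-URL, found {found!r}")
    # Package versions such as 29.4.1-ubuntu24.04u1 embed the release too.
    embedded = re.search(r"ubuntu(\d+\.\d+)", linux.get("Version", ""))
    if embedded and embedded.group(1) != release:
        problems.append(
            f"{name}: Version is built for Ubuntu {embedded.group(1)}, Release says {release}")
    return problems

def check_manifest(manifest):
    """Check every linux registration; the wrapper key names are assumed."""
    problems = []
    for reg in manifest.get("Registrations", []):
        component = reg.get("Component", {})
        if component.get("Type") == "linux":
            problems += check_linux_component(component.get("Linux", {}))
    return problems

# Constructed sample; field values are the ones visible in the hunks on this page.
SAMPLE = {"Registrations": [
    {"Component": {"Type": "linux", "Linux": {
        "Name": "moby-engine", "Version": "29.4.1-ubuntu24.04u1",
        "Distribution": "ubuntu", "Release": "24.04",
        "Pool-URL": "https://packages.microsoft.com/repos/microsoft-ubuntu-focal-prod"}}},
    {"Component": {"Type": "linux", "Linux": {
        "Name": "moby-cli", "Version": "29.4.1-ubuntu24.04u1",
        "Distribution": "ubuntu", "Release": "24.04",
        "Pool-URL": "https://packages.microsoft.com/repos/microsoft-ubuntu-noble-prod"}}},
]}

print("\n".join(check_manifest(SAMPLE)))
```

Run as a gate on the generated manifest, a non-empty result would stop the refresh before a registration with the wrong repository reaches the SBOM.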