fix: update Dockerfiles and Fix Vulnerable Dependencies

.dockerignore

@@ -1,6 +1,8 @@
 # Git
 .git
 .gitignore
+.gitattributes
+.github/
 
 # Python
 __pycache__/
@@ -24,11 +26,31 @@ wheels/
 .installed.cfg
 *.egg
 MANIFEST
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.tox/
 
 # Virtual environments
 venv/
 env/
 ENV/
+.venv/
+
+# Node.js
+node_modules/
+npm-debug.log
+yarn-error.log
+.npm/
+package-lock.json
+
+# Go
+/bin/
+/vendor/
+
+# Rust
+target/
+Cargo.lock
 
 # IDE
 .vscode/
@@ -40,6 +62,7 @@ ENV/
 # OS
 .DS_Store
 Thumbs.db
+.env*
 
 # Logs
 *.log
@@ -48,13 +71,17 @@ logs/
 # Test coverage
 .coverage
 htmlcov/
-.pytest_cache/
+coverage/
+
+# CI/CD
+.gitlab-ci.yml
+.travis.yml
+azure-pipelines.yml
 
-# Environment files
-.env
-.env.local
-.env.prod
-.env.staging
+# Documentation (optional—comment out if needed in build context)
+# docs/
+# *.md
+# README*
 
 # Documentation
 docs/
@@ -93,9 +120,6 @@ data/
 uploads/
 temp/
 
-# Node modules (if any)
-node_modules/
-
 # Temporary files
 *.tmp
 

docker/nodejs.Dockerfile

@@ -12,7 +12,7 @@ ARG VCS_REF
 ################################
 # Builder stage - install packages with native addons
 ################################
-FROM dhi.io/node:25.4-debian13-dev AS builder
+FROM dhi.io/node:26.1-debian13-dev AS builder
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
@@ -38,7 +38,7 @@ RUN --mount=type=cache,target=/root/.npm \
 ################################
 # Runtime dependencies stage
 ################################
-FROM dhi.io/node:25.4-debian13-dev AS runtime-deps
+FROM dhi.io/node:26.1-debian13-dev AS runtime-deps
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
@@ -54,7 +54,7 @@ RUN mkdir -p /usr/lib/x86_64-linux-gnu /usr/lib/aarch64-linux-gnu /mnt/data && \
 ################################
 # Final stage - minimal runtime image
 ################################
-FROM dhi.io/node:25.4-debian13 AS final
+FROM dhi.io/node:26.1-debian13 AS final
 
 ARG BUILD_DATE
 ARG VERSION

docker/php.Dockerfile

@@ -3,7 +3,7 @@
 
 # PHP version configuration - single source of truth
 # These must be declared before any FROM to be available in all stages.
-ARG PHP_VERSION=8.5.3
+ARG PHP_VERSION=8.5.6
 ARG PHP_MAJOR=8.5
 ARG DEBIAN_VERSION=debian13
 

docker/requirements/java-deps.txt

@@ -7,7 +7,7 @@ https://repo1.maven.org/maven2/org/apache/commons/commons-csv/1.10.0/commons-csv
 https://repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar 7b96bf3ee68949abb5bc465559ac270e0551596fa34523fddf890ec418dde13c
 https://repo1.maven.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar 1e56d7b058d28b65abd256b8458e3885b674c1d588fa43cd7d1cbb9c7ef2b308
 https://repo1.maven.org/maven2/org/apache/commons/commons-collections4/4.4/commons-collections4-4.4.jar 1df8b9430b5c8ed143d7815e403e33ef5371b2400aadbe9bda0883762e0846d1
-https://repo1.maven.org/maven2/org/apache/commons/commons-compress/1.25.0/commons-compress-1.25.0.jar d0ec8014ebbb0749f471803122b21796afddf2e98e194e4374622e5fbaf69f49
+https://repo1.maven.org/maven2/org/apache/commons/commons-compress/1.27.1/commons-compress-1.27.1.jar 293d80f54b536b74095dcd7ea3cf0a29bbfc3402519281332495f4420d370d16
 https://repo1.maven.org/maven2/org/apache/commons/commons-text/1.11.0/commons-text-1.11.0.jar 2acf30a070b19163d5a480eae411a281341e870020e3534c6d5d4c8472739e30
 # Jackson JSON
 https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.16.0/jackson-core-2.16.0.jar 66e2cde4cc7e565d5fce2a2998b64e991777bf9fad4d220735c525fd8d01c31a
@@ -19,8 +19,8 @@ https://repo1.maven.org/maven2/org/apache/poi/poi-ooxml/5.2.5/poi-ooxml-5.2.5.ja
 https://repo1.maven.org/maven2/org/apache/poi/poi-ooxml-lite/5.2.5/poi-ooxml-lite-5.2.5.jar 6d4ce6736c422c52e47ffbfa08c784e1b8c188efb69583ac001a0ab16022d774
 https://repo1.maven.org/maven2/org/apache/xmlbeans/xmlbeans/5.2.0/xmlbeans-5.2.0.jar 5a344f323c049b7024edd39bbd58a38e77eb44218aad2794879e7f4ac3ca1de1
 # Apache PDFBox
-https://repo1.maven.org/maven2/org/apache/pdfbox/pdfbox/3.0.1/pdfbox-3.0.1.jar 2b7a9f1fe4ba1aa76a1408ad2d47a906cee4925d61ba306dec543637a1cb7c8c
-https://repo1.maven.org/maven2/org/apache/pdfbox/fontbox/3.0.1/fontbox-3.0.1.jar 9d2c2d38449299cd0d821a2f6f65671433251448d3df579faffd0f87361c7c7e
+https://repo1.maven.org/maven2/org/apache/pdfbox/pdfbox/3.0.4/pdfbox-3.0.4.jar 09a0ff27d6f84a1dc40060cb0a01decf2ad4ef91c36bc91b9836c254be8aae45
+https://repo1.maven.org/maven2/org/apache/pdfbox/fontbox/3.0.4/fontbox-3.0.4.jar 2deec6232f5d6d3b31276592d31680ae9722af57d24cb0f76da70e2ba0e99e12
 # Google Guava
 https://repo1.maven.org/maven2/com/google/guava/guava/33.0.0-jre/guava-33.0.0-jre.jar f4d85c3e4d411694337cb873abea09b242b664bb013320be6105327c45991537
 # Gson (alternative JSON)

docker/requirements/python-utilities.txt

@@ -1,6 +1,6 @@
 # Cryptography and security
 bcrypt>=4.2.1
-cryptography>=44.0.0
+cryptography>=44.0.1
 passlib>=1.7.4
 pycryptodome>=3.21.0
 PyNaCl>=1.5.0

docker/rust.Dockerfile

@@ -11,7 +11,7 @@ FROM ${RUNNER_IMAGE} AS runner
 ################################
 # Builder stage - compile crate dependencies
 ################################
-FROM dhi.io/rust:1.93-debian13-dev AS builder
+FROM dhi.io/rust:1.95.0-debian13-dev AS builder
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
@@ -48,7 +48,7 @@ RUN rm -rf /tmp/rust-cache/src /tmp/rust-cache/Cargo.toml /tmp/rust-cache/Cargo.
 ################################
 # Final stage - runtime only
 ################################
-FROM dhi.io/rust:1.93-debian13-dev AS final
+FROM dhi.io/rust:1.95.0-debian13-dev AS final
 
 ARG BUILD_DATE
 ARG VERSION
@@ -60,13 +60,17 @@ LABEL org.opencontainers.image.title="KubeCodeRun Rust Environment" \
       org.opencontainers.image.created="${BUILD_DATE}" \
       org.opencontainers.image.revision="${VCS_REF}"
 
-# Runtime libraries only - no -dev packages (reduced attack surface)
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Runtime libraries only - pre-compiled crates link against these
 # These are linked by the pre-compiled crates: image, plotters (freetype/fontconfig)
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
     libssl3t64 \
     libfontconfig1 \
     libfreetype6 \
+    && apt-get autoremove -y \
+    && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
 # Copy entire cargo home (registry, config, env) and pre-compiled target

scripts/build-images.sh

@@ -20,7 +20,7 @@
 #   DHI_PASSWORD         Password for dhi.io registry login
 #
 # Examples:
-#   ./scripts/build-images.sh                  # Build all images in parallel
+#   ./scripts/build-images.sh                  # Build all images in parallel (linux/amd64)
 #   ./scripts/build-images.sh go               # Build only the go image with full output
 #   ./scripts/build-images.sh --no-cache rust  # Build rust image without cache
 
@@ -34,6 +34,7 @@ DOCKER_DIR="$PROJECT_ROOT/docker"
 TAG="latest"
 PREFIX="kcr"  # Local image prefix to avoid conflicts with official images
 REGISTRY=""   # When set, overrides PREFIX (for pushing to registries)
+PLATFORM="linux/amd64"  # Target platform for builds
 PUSH=false
 NO_CACHE=""
 SEQUENTIAL=false
@@ -193,7 +194,7 @@ build_image() {
 
     # shellcheck disable=SC2086
     build_output=$(docker build \
-        --platform linux/amd64 \
+        --platform "$PLATFORM" \
         $NO_CACHE \
         --build-arg VERSION="$TAG" \
         --build-arg BUILD_DATE="$build_date" \
@@ -286,7 +287,7 @@ build_single_image() {
             vcs_ref=$(git -C "$PROJECT_ROOT" rev-parse --short HEAD 2>/dev/null || echo "unknown")
             # shellcheck disable=SC2086
             docker build \
-                --platform linux/amd64 \
+                --platform "$PLATFORM" \
                 $NO_CACHE \
                 --build-arg VERSION="$TAG" \
                 --build-arg BUILD_DATE="$build_date" \
@@ -341,6 +342,7 @@ main() {
     echo "║           KubeCodeRun Docker Image Builder               ║"
     echo "╠══════════════════════════════════════════════════════════╣"
     echo "║  Tag:      ${TAG}"
+    echo "║  Platform: ${PLATFORM}"
     if [[ -n "$REGISTRY" ]]; then
         echo "║  Registry: ${REGISTRY}"
     fi

scripts/validate-multiarch-builds.sh

@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+# Validate multi-arch Docker builds for modified Dockerfiles.
+# Uses the multiarch-builder (BuildKit) — no push, no local load.
+# Cleans up any locally loaded test images after validation.
+#
+# Usage: ./scripts/validate-multiarch-builds.sh [branch]
+#   branch: feat-shell-languages | feat-csharp-support | chore-dockerfiles-upgrade
+#           (defaults to current branch)
+
+set -euo pipefail
+
+BUILDER="multiarch-builder"
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+CURRENT_BRANCH="$(git -C "$REPO_ROOT" rev-parse --abbrev-ref HEAD)"
+TARGET_BRANCH="${1:-$CURRENT_BRANCH}"
+
+# Colours
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+pass() { echo -e "${GREEN}✓ PASS${NC}  $*"; }
+fail() { echo -e "${RED}✗ FAIL${NC}  $*"; FAILED+=("$*"); }
+info() { echo -e "${YELLOW}→${NC} $*"; }
+
+FAILED=()
+
+build_test() {
+  local dockerfile="$1"
+  local platform="$2"
+  local label="$3"
+
+  info "Building $label ($platform) …"
+  if docker buildx build \
+      --builder "$BUILDER" \
+      --platform "$platform" \
+      --file "$REPO_ROOT/docker/${dockerfile}" \
+      --output "type=image,push=false" \
+      "$REPO_ROOT/docker" 2>&1; then
+    pass "$label ($platform)"
+  else
+    fail "$label ($platform)"
+  fi
+}
+
+echo "========================================"
+echo " KubeCodeRun multi-arch build validator"
+echo " Branch: $TARGET_BRANCH"
+echo "========================================"
+echo
+
+# ── feat-shell-languages ────────────────────────────────────────────────────
+if [[ "$TARGET_BRANCH" == "feat-shell-languages" ]]; then
+  info "Checking out $TARGET_BRANCH …"
+  git -C "$REPO_ROOT" checkout "$TARGET_BRANCH"
+
+  build_test "shell.Dockerfile" "linux/amd64"  "shell"
+  build_test "shell.Dockerfile" "linux/arm64"  "shell"
+fi
+
+# ── feat-csharp-support ─────────────────────────────────────────────────────
+if [[ "$TARGET_BRANCH" == "feat-csharp-support" ]]; then
+  info "Checking out $TARGET_BRANCH …"
+  git -C "$REPO_ROOT" checkout "$TARGET_BRANCH"
+
+  build_test "csharp.Dockerfile" "linux/amd64" "csharp"
+  build_test "csharp.Dockerfile" "linux/arm64" "csharp"
+fi
+
+# ── chore-dockerfiles-upgrade ───────────────────────────────────────────────
+if [[ "$TARGET_BRANCH" == "chore-dockerfiles-upgrade" ]]; then
+  info "Checking out $TARGET_BRANCH …"
+  git -C "$REPO_ROOT" checkout "$TARGET_BRANCH"
+
+  build_test "nodejs.Dockerfile" "linux/amd64" "nodejs"
+  build_test "php.Dockerfile"    "linux/amd64" "php"
+  build_test "rust.Dockerfile"   "linux/amd64" "rust"
+fi
+
+# ── summary ─────────────────────────────────────────────────────────────────
+echo
+echo "========================================"
+if [[ ${#FAILED[@]} -eq 0 ]]; then
+  echo -e "${GREEN}All builds passed.${NC}"
+else
+  echo -e "${RED}${#FAILED[@]} build(s) failed:${NC}"
+  for f in "${FAILED[@]}"; do
+    echo "  - $f"
+  done
+  exit 1
+fi