Closed jackson-chris closed 3 months ago
Thanks for the PR @jackson-chris! I'll merge it right away and it will land in the next patch release 👍
Can we merge this in please?
nginx:1.26.1-alpine3.19 is nearly 3 months old. nginx:1.26.2-alpine3.20 is the current stable: https://nginx.org/en/download.html https://hub.docker.com/_/nginx
Why aren't you using Dependabot or Renovate to stay up-to-date and apply security fixes in time?
@reneleonhardt k3d is a development tool not focusing on running critical or production workloads, so there was never a focus around keeping everything up-to-date as fast as possible.
FWIW, Dependabot is active and proposing go module updates, but nothing else so far. Feel free to open a PR to configure Dependabot or Renovate to catch all updates - I'll happily merge anything automating some work here 👍 Then we need to make sure that there are automatic releases once critical vulnerabilities have been patched.
UPDATE: I just added a basic renovate.json config to the repo and enabled Mend Renovate for k3d-io
Hello @iwilltry42 thank you for introducing renovate!
For automatic security releases please have a look at https://github.com/aquasecurity/trivy-action but unfortunately I can't find examples for your understandable DevSecOps use case 😅
Daily workflow: If latest commit contains fewer critical vulnerabilities than the latest release, build and publish a new patch release
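The release gate sketched in the comment above, as an added example that is not k3d's or trivy-action's own code: it reads two reports in trivy's JSON shape (Results[].Vulnerabilities[].Severity), one for the last release image and one for the image built from HEAD, and decides whether a patch release is due. The sample reports and CVE IDs in the block are constructed, not real scan output.

```python
"""Release gate for the daily workflow proposed above (added example): compare
trivy JSON reports (``trivy image --format json``) of the last release image and
the image built from HEAD, and decide whether to publish a patch release."""
import json


def critical_ids(report: dict) -> set:
    """IDs of CRITICAL findings across every scan target in a trivy report."""
    found = set()
    for result in report.get("Results") or []:  # keys may be null when clean
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") == "CRITICAL":
                found.add(vuln["VulnerabilityID"])
    return found


def should_release(release_report: dict, commit_report: dict) -> bool:
    """True when HEAD carries fewer critical findings than the last release."""
    return len(critical_ids(commit_report)) < len(critical_ids(release_report))


def gate(release_report: dict, commit_report: dict) -> dict:
    """Decision plus justification: criticals HEAD fixes or newly introduces."""
    old, new = critical_ids(release_report), critical_ids(commit_report)
    return {"release": should_release(release_report, commit_report),
            "fixed": sorted(old - new), "regressions": sorted(new - old)}


def _vuln(vid: str, sev: str) -> dict:
    # Minimal trivy-shaped finding; IDs are constructed placeholders, not real CVEs.
    return {"VulnerabilityID": vid, "PkgName": "libssl3", "Severity": sev}

# Constructed sample reports in trivy's JSON shape (not real scan output).
RELEASE_REPORT = {"SchemaVersion": 2, "Results": [{
    "Target": "k3d-proxy:release (alpine 3.19)", "Class": "os-pkgs", "Type": "alpine",
    "Vulnerabilities": [_vuln("CVE-TEST-0001", "CRITICAL"),
                        _vuln("CVE-TEST-0002", "HIGH"),
                        _vuln("CVE-TEST-0003", "CRITICAL")]}]}
COMMIT_REPORT = {"SchemaVersion": 2, "Results": [{
    "Target": "k3d-proxy:head (alpine 3.20)", "Class": "os-pkgs", "Type": "alpine",
    "Vulnerabilities": [_vuln("CVE-TEST-0003", "CRITICAL")]}]}

if __name__ == "__main__":  # pass <release.json> <head.json> to use real reports
    import sys
    rel, head = RELEASE_REPORT, COMMIT_REPORT
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            rel, head = json.load(f1), json.load(f2)
    print(json.dumps(gate(rel, head)))
```

In a scheduled workflow the two report files would come from scanning the published release tag and the freshly built HEAD image; a non-empty "regressions" list is worth failing the job on even when the count went down.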
What
Bumps the base image of the k3d-proxy image to resolve various os package vulnerabilities.
Why
Resolves all vulnerabilities mentioned in #1472
Implications
I was unable to test this locally as of yet on my local machine to validate whether or not it causes any issues, will keep trying and update the ticket once I have validation (debugging local go installation issues with running the make files for this repo). If someone can validate easily and comment on ticket it would be appreciated.