Bump golang.org/x/image from 0.33.0 to 0.38.0 in /packages/sandbox-container/native/desktop-wrapper (#542)

dependabot[bot] · ghostwriternr · web-flow · commit eb55c286ac50 · 2026-04-01T19:03:50.000+01:00
* Bump golang.org/x/image Bumps [golang.org/x/image](https://github.com/golang/image) from 0.33.0 to 0.38.0. - [Commits](golang/image@v0.33.0...v0.38.0) --- updated-dependencies: - dependency-name: golang.org/x/image dependency-version: 0.38.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * Bump go-builder to Go 1.25 for image 0.38.0 golang.org/x/image 0.38.0 (CVE-2026-33809 fix) requires Go 1.25. * Add changeset for CVE-2026-33809 fix --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Naresh <naresh@cloudflare.com>
diff --git a/.changeset/fix-tiff-oom-cve.md b/.changeset/fix-tiff-oom-cve.md
@@ -0,0 +1,5 @@
+---
+'@cloudflare/sandbox': patch
+---
+
+Upgrade Go toolchain to 1.25 and update dependencies in the desktop container variant, including a security fix for image processing (CVE-2026-33809).
diff --git a/packages/sandbox-container/native/desktop-wrapper/go.mod b/packages/sandbox-container/native/desktop-wrapper/go.mod
@@ -1,8 +1,6 @@
 module github.com/cloudflare/sandbox-sdk/desktop-wrapper
 
-go 1.24.0
-
-toolchain go1.24.13
+go 1.25.0
 
 require github.com/go-vgo/robotgo v1.0.1
 
@@ -29,6 +27,6 @@ require (
 	github.com/vcaesar/tt v0.20.1 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	golang.org/x/exp v0.0.0-20251125195548-87e1e737ad39 // indirect
-	golang.org/x/image v0.33.0 // indirect
+	golang.org/x/image v0.38.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 )
diff --git a/packages/sandbox-container/native/desktop-wrapper/go.sum b/packages/sandbox-container/native/desktop-wrapper/go.sum
@@ -62,8 +62,8 @@ github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 golang.org/x/exp v0.0.0-20251125195548-87e1e737ad39 h1:DHNhtq3sNNzrvduZZIiFyXWOL9IWaDPHqTnLJp+rCBY=
 golang.org/x/exp v0.0.0-20251125195548-87e1e737ad39/go.mod h1:46edojNIoXTNOhySWIWdix628clX9ODXwPsQuG6hsK0=
-golang.org/x/image v0.33.0 h1:LXRZRnv1+zGd5XBUVRFmYEphyyKJjQjCRiOuAP3sZfQ=
-golang.org/x/image v0.33.0/go.mod h1:DD3OsTYT9chzuzTQt+zMcOlBHgfoKQb1gry8p76Y1sc=
+golang.org/x/image v0.38.0 h1:5l+q+Y9JDC7mBOMjo4/aPhMDcxEptsX+Tt3GgRQRPuE=
+golang.org/x/image v0.38.0/go.mod h1:/3f6vaXC+6CEanU4KJxbcUZyEePbyKbaLoDOe4ehFYY=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
diff --git a/packages/sandbox/Dockerfile b/packages/sandbox/Dockerfile
@@ -222,7 +222,7 @@ ENTRYPOINT ["/container-server/sandbox"]
 # ============================================================================
 # Desktop variant — full Linux desktop with robotgo native control
 # ============================================================================
-FROM golang:1.24-bookworm AS go-builder
+FROM golang:1.25-bookworm AS go-builder
 
 RUN mkdir -p /usr/local/share/ca-certificates
 RUN --mount=type=secret,id=wrangler_ca \

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@cloudflare/sandbox': patch
 +---
++
 +Upgrade Go toolchain to 1.25 and update dependencies in the desktop container variant, including a security fix for image processing (CVE-2026-33809).