Request: Sync Docker Hub official images with latest dependency bumps (CVE fixes) on release-2.5 branch

[saltict]

Current Status

We have noticed that the release-2.5 branch has recently received numerous dependency updates aimed at fixing various CVEs, largely thanks to the great contributions from @pfi79 who helped bump all of them. This is highly appreciated as security compliance is critical for enterprise production environments.

Additionally, we observed that the official hyperledger/fabric-ca image was updated on Docker Hub 4 days ago, successfully addressing a significant number of vulnerabilities (1 Critical / 60 High / 24 Medium / 8 Low).

However, the main Hyperledger Fabric core components (such as fabric-peer, fabric-orderer, etc.) for the v2.5 release line on Docker Hub do not seem to reflect these latest dependency updates yet.

Expected

We would like to know if there are any technical blockers, CI/CD pipeline issues, or specific challenges currently delaying the shipment of these latest bumped dependency images to Docker Hub.

Expected Outcome:

• Having the official main Fabric images (peer, orderer, tools) built and published to Docker Hub in sync with the latest security fixes on the release-2.5 branch.
• If there is a scheduled release plan or an ongoing blocker, please share it so the community can better align or potentially contribute to resolving it.

Solution

No response

Please let us know if you plan to work on this.

No response

[Jaskirat-s7]

Thanks for raising this. I dug into how the official images actually get published, and I think the situation is clearer than a blocker i am sharing the analysis plus two possible directions.

Root cause is that
The core Fabric images (fabric-peer, fabric-orderer, fabric-baseos, fabric-ccenv) are published only by .github/workflows/release.yml, which triggers exclusively on a pushed version tag:

on:
push:
tags:
- v2.*
- v3.*
Nothing publishes images from release-2.5 branch HEAD that verify-build.yml builds on every push/PR but never logs in or pushes to a registry.

That explains the whole timeline:

The latest release-2.5 tag is v2.5.15 (2026-02-23).
@pfi79's CVE dependency bumps were merged to the release-2.5 branch after v2.5.15, so they're in git but not in any tagged release yet.
Docker Hub therefore still serves images built from v2.5.15's dependency set.
hyperledger/fabric-ca updated separately because it's a different repository with its own release cadence — unrelated to this repo's tags.
So there's no CI/CD blocker and nothing broken — image publishing is simply tag-gated, and no patch release has been cut since the bumps landed.

so now where are left with Two possible directions

1. Cut a v2.5.16 patch release (immediate fix).
   Pushing the tag triggers release.yml, which automatically rebuilds and pushes the multi-arch peer/orderer/baseos/ccenv images to Docker Hub and ghcr with the current release-2.5 dependencies. This resolves the CVE exposure right away and needs no workflow changes — just a maintainer to tag it. Is a v2.5.16 already on the schedule?

2. Add scheduled image publishing from release-2.5 HEAD (longer-term).
   If the community wants CVE fixes reflected on Docker Hub without waiting for a formal release, we could add a workflow that periodically (or on push to release-2.5) builds and pushes images under a moving tag such as 2.5-latest or 2.5-nightly, keeping the semver tags reserved for official releases. Happy to open a PR for this if maintainers think it's worthwhile , it's a policy call on whether non-released images should appear on Docker Hub.

Glad to help with either direction.