From ebd06e150bf9d48e93c06e8293e556b0cf2d9c0a Mon Sep 17 00:00:00 2001 From: "linear-code[bot]" <222613912+linear-code[bot]@users.noreply.github.com> Date: Sun, 21 Jun 2026 13:41:55 +0000 Subject: [PATCH 1/2] fix: pin expat to >=2.8.1-r0 to address CVE-2026-45186 Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com> --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 6c6b2439f..56e979ec2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -178,7 +178,9 @@ ENV SOURCEBOT_LOG_LEVEL=info # ENV SOURCEBOT_TELEMETRY_DISABLED=1 # Configure dependencies -RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq openssl util-linux unzip && \ +# Note: expat is pinned to >=2.8.1-r0 to address CVE-2026-45186 (libexpat +# denial of service via crafted XML input). +RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq openssl util-linux unzip "expat>=2.8.1-r0" && \ apk upgrade --no-cache # Remove npm (unused — we use Yarn). The Node.js base image bundles npm From c585c862a84b9ffcdf75f0d8809151f43792aeeb Mon Sep 17 00:00:00 2001 From: "linear-code[bot]" <222613912+linear-code[bot]@users.noreply.github.com> Date: Sun, 21 Jun 2026 13:42:17 +0000 Subject: [PATCH 2/2] docs: add CHANGELOG entry for CVE-2026-45186 expat fix Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com> --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 593e735db..c65dc4f02 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Added per-step token cost tracking and estimated tool call token usage to Ask Sourcebot chat history. [#1353](https://github.com/sourcebot-dev/sourcebot/pull/1353) +### Fixed +- Pinned `expat` to `^2.8.1-r0` in the Docker image to address CVE-2026-45186. [#1355](https://github.com/sourcebot-dev/sourcebot/pull/1355) + ## [5.0.4] - 2026-06-18 ### Changed
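Review bot: In the Dockerfile hunk, the comment above the RUN line calls `expat>=2.8.1-r0` a pin, but a `>=` constraint is only a lower bound: `apk add` still installs whatever newer expat the configured repository carries, and the `apk upgrade --no-cache` that already follows on the next line would pull the latest expat anyway. The real effect of the constraint is that the build fails if the repository cannot satisfy it, which is a useful guard, so the comment should say that (for example "fail the build if the repo cannot provide expat>=2.8.1-r0") rather than "pinned". Since that guard is only meaningful if the fixed package actually exists in the Alpine branch the Node.js base image tracks, confirm the available versions before merging (`apk policy expat` inside the base image) and check the built image afterwards with `apk list -I expat`, otherwise this change either breaks the build or silently changes nothing.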
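Review bot: In the CHANGELOG hunk, the entry writes the constraint as `^2.8.1-r0`, caret notation that apk does not use and that does not match the `"expat>=2.8.1-r0"` string added to the Dockerfile; use the same `>=2.8.1-r0` form here so the two stay consistent, and since a lower bound is not a pin, "Require `expat>=2.8.1-r0` in the Docker image" describes the change more accurately than "Pinned". As a style point, if the file follows the Keep a Changelog conventions (the visible header only mentions Semantic Versioning), a `### Security` section rather than `### Fixed` is the conventional place for a CVE-driven dependency bump.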