
fix(security): upgrade Traefik from v3.6.7 to v3.6.12 #4090

Open
andershermansen wants to merge 1 commit into Dokploy:canary from andershermansen:fix/upgrade-traefik-3.6.12


andershermansen commented Mar 29, 2026

What is this PR about?

Addresses 12 CVEs in Traefik across 5 patch releases:

v3.6.8: CVE-2026-25949, CVE-2025-68121
v3.6.9: CVE-2026-26998, CVE-2026-26999, CVE-2026-29054
v3.6.10: CVE-2026-29777, CVE-2026-27141
v3.6.11: CVE-2026-32595, CVE-2026-32305, CVE-2026-32695
v3.6.12: CVE-2026-33433, CVE-2026-33186

Checklist

Before submitting this PR, please make sure that:

  • You created a dedicated branch based on the canary branch.
  • You have read the suggestions in the CONTRIBUTING.md file https://github.com/Dokploy/dokploy/blob/canary/CONTRIBUTING.md#pull-request
  • You have tested this PR in your local instance. If you have not tested it yet, please do so before submitting. This helps avoid wasting maintainers' time reviewing code that has not been verified by you.

Greptile Summary

This PR updates the default Traefik Docker image version from 3.6.7 to 3.6.12 in packages/server/src/setup/traefik-setup.ts, addressing 12 CVEs across 5 patch releases (v3.6.8–v3.6.12). The change is a single-line bump to the fallback value of the TRAEFIK_VERSION constant; users who set the TRAEFIK_VERSION environment variable are unaffected.

  • The change is minimal and correct — no other hardcoded Traefik version strings exist in the codebase.
  • All consumers of TRAEFIK_VERSION (server-setup.ts, setup.ts) already reference the exported constant, so they will automatically pick up the new default.
  • This is a patch-level bump (3.6.x → 3.6.x) and is expected to be fully backward-compatible.

Confidence Score: 5/5

Safe to merge — a straightforward one-line security patch version bump with no logic changes.

The change is a single-line default version string update with no functional or behavioral changes. All existing consumers use the exported constant. No P1 or P0 issues found.

No files require special attention.

Important Files Changed

Filename | Overview
packages/server/src/setup/traefik-setup.ts | Single-line default version bump from 3.6.7 to 3.6.12; no logic changes.

Reviews (1): Last reviewed commit: "fix(security): upgrade Traefik from v3.6..."


@dosubot dosubot bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Mar 29, 2026
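
The Greptile summary above notes that only the fallback value of TRAEFIK_VERSION changes, so an install that sets the TRAEFIK_VERSION environment variable keeps whatever version it names. The following is an added example, not code from this PR or from Dokploy, of a check that flags such a pin when it is older than 3.6.12; the function names, the env-object parameter, and the treatment of an empty value as unset are assumptions.

```typescript
// Added example (not Dokploy code). 3.6.12 is the default this PR sets.
const PATCHED_DEFAULT = "3.6.12";

type Verdict = "default" | "ok" | "outdated" | "needs-review";
type Version = { major: number; minor: number; patch: number };

// Accepts "3.6.7" or "v3.6.7". Floating or partial tags ("latest", "v3.6",
// "3.6.12-rc1") return null because they cannot be compared reliably.
function parseVersion(tag: string): Version | null {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(tag.trim());
  if (m === null) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Numeric comparison: 3.6.9 sorts before 3.6.12, which a plain string
// comparison would get wrong.
function compareVersions(a: Version, b: Version): number {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// env is passed in (hypothetical signature) so the check can be run against
// a captured environment, e.g. one read from a deployment's settings.
function auditTraefikPin(
  env: Record<string, string | undefined>
): { version: string; verdict: Verdict } {
  const override = env["TRAEFIK_VERSION"];
  // Assumption: an unset or empty variable falls back to the default.
  if (!override) return { version: PATCHED_DEFAULT, verdict: "default" };

  const pinned = parseVersion(override);
  const floor = parseVersion(PATCHED_DEFAULT);
  if (pinned === null || floor === null) {
    return { version: override, verdict: "needs-review" };
  }
  const verdict: Verdict =
    compareVersions(pinned, floor) < 0 ? "outdated" : "ok";
  return { version: override, verdict };
}

// Constructed sample environments, evaluated for illustration.
const sampleVerdicts = [{}, { TRAEFIK_VERSION: "3.6.7" }, { TRAEFIK_VERSION: "latest" }]
  .map((env) => auditTraefikPin(env).verdict); // ["default", "outdated", "needs-review"]
```
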