Merging to release-5.10: Remove mercurial from plugin compiler Dockerfile (#7670) #7673

Open
probelabs[bot] wants to merge 1 commit into release-5.10 from merge/release-5.10/24f32e3c9cb4751ed48e296da01667a93b0bd130

Conversation

@probelabs probelabs bot commented Jan 15, 2026

User description

Remove mercurial from plugin compiler Dockerfile (#7670)

Description

Removes mercurial from the list of packages being purged in the plugin
compiler Docker image. This package is no longer needed and removing it
reduces dependencies and potential CVE exposure.

Related Issue

N/A - Cleanup/maintenance change

Motivation and Context

Mercurial is not required for the plugin compiler functionality and can
be safely removed to reduce the image's attack surface and dependency
footprint.

How This Has Been Tested

  • Verify Docker image builds successfully
  • Verify plugin compilation still works as expected

Screenshots (if appropriate)

N/A

Types of changes

  • Refactoring or add test (improvements in base code or adds test
    coverage to functionality)

Checklist

  • I ensured that the documentation is up to date
  • I explained why this PR updates go.mod in detail with reasoning
    why it's required
  • I would like a code coverage CI quality gate exception and have
    explained why

PR Type

Enhancement

Description

  • Delete mercurial from Dockerfile purge list
  • Reduce image dependencies and CVE exposure

File Walkthrough

Relevant files

Configuration changes
  • ci/images/plugin-compiler/Dockerfile (+1/-1): Remove mercurial purge entry
      • Deleted mercurial from the apt-get purge command
      • Preserved other packages and cleanup steps

(cherry picked from commit 24f32e3)
@probelabs probelabs bot requested a review from a team as a code owner January 15, 2026 12:36

probelabs bot commented Jan 15, 2026

PR Overview

This pull request removes the mercurial package from the apt-get purge command within the plugin-compiler Dockerfile. This is a maintenance change aimed at cleaning up the Docker image build process and reducing unnecessary dependencies.

Files Changed Analysis

  • File: ci/images/plugin-compiler/Dockerfile
  • Change: A single line was modified to remove mercurial from the list of packages being purged.
  • Impact: The change is minimal and localized to the Dockerfile, simplifying the build script for the plugin compiler image.

Architecture & Impact Assessment

  • Accomplishment: The PR cleans up the Dockerfile for the plugin compiler, removing a reference to an unused package (mercurial). This improves maintainability and removes a potentially confusing line from the build definition.
  • Technical Changes: The RUN apt-get purge ... command in ci/images/plugin-compiler/Dockerfile has been updated to no longer include mercurial.
  • Affected Components: The change only affects the build process of the plugin-compiler Docker image, which is used in the CI/CD pipeline. There is no impact on the runtime behavior of the Tyk gateway or other production components.

Scope Discovery & Context Expansion

  • Scope: The impact is confined to the CI environment. The change ensures that the build process for the plugin compiler is cleaner and doesn't reference packages that are not needed or present.
  • Suggested Next Steps: To fully verify the context, one could:
    • Search the CI configuration files (e.g., under .github/workflows) to confirm where the plugin-compiler image is used.
    • Verify that no plugin-related build steps require Mercurial for fetching dependencies.

Metadata
  • Review Effort: 1 / 5
  • Primary Label: chore

Powered by Visor from Probelabs

Last updated: 2026-01-15T12:38:55.686Z | Triggered by: pr_opened | Commit: 148e676


probelabs bot commented Jan 15, 2026

Security Issues (1)

Severity: 🟠 Error
Location: ci/images/plugin-compiler/Dockerfile:17
Issue: The change removes 'mercurial' from the 'apt-get purge' command, which means the 'mercurial' package will no longer be removed from the Docker image. If 'mercurial' is present in the base image, it will remain, increasing the image's attack surface. This contradicts the pull request's stated goal of removing mercurial to reduce dependencies and potential CVE exposure.
💡 Suggestion: Verify if the 'mercurial' package is present in the base image ('tykio/golang-cross:1.24-bullseye'). If it is, it should continue to be purged to minimize the attack surface. If it is not present in the base image, this change is acceptable, but the pull request description is misleading and should be corrected to reflect that this is a cleanup of an unnecessary command.

✅ Architecture Check Passed

No architecture issues found – changes LGTM.

✅ Performance Check Passed

No performance issues found – changes LGTM.

Quality Issues (1)

Severity: 🟠 Error
Location: ci/images/plugin-compiler/Dockerfile:17
Issue: The code change contradicts the stated intention of the pull request. The PR description and the comment `# remove for avoiding CVEs` indicate the goal is to remove the `mercurial` package to reduce the image's attack surface. However, the change removes `mercurial` from the `apt-get purge` command, which means the package will no longer be uninstalled. This action is the opposite of the intended outcome and may lead to the package remaining in the image, potentially increasing CVE exposure.
💡 Suggestion: To align with the stated goal of removing the `mercurial` package, it should be kept in the `apt-get purge` command. The line should be reverted to its original state. If `mercurial` is no longer present in the base image and this change is intended as cleanup, the PR description should be updated to reflect this to avoid confusion.

Last updated: 2026-01-15T12:38:58.431Z | Triggered by: pr_opened | Commit: 148e676

@github-actions
Contributor

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis ✅

7670 - PR Code Verified

Compliant requirements:

  • Remove mercurial from the purge list in the plugin compiler Dockerfile.

Requires further human verification:

  • Verify Docker image builds successfully.
  • Verify plugin compilation still works as expected.
  • Update documentation to reflect the change.
  • Explain and justify the go.mod update.
  • Document and explain code coverage CI quality gate exception.
⏱️ Estimated effort to review: 1 🔵⚪⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Dependency Risk

Ensure removing mercurial does not break any plugin compiler workflows that rely on it,
and that the apt-get purge invocation with wildcards (e.g., python*, docker*)
doesn’t remove unintended essential packages.

RUN apt-get purge -y --allow-remove-essential --auto-remove wget curl automake cmake python* docker* libsqlite* qemu* \
	&& rm -f /usr/bin/passwd /usr/sbin/adduser /usr/bin/goreleaser
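The two checks the guide asks for (does any purge entry still hit something, and do the wildcard entries over-match) can be made concrete by expanding the purge list against a list of installed package names. The script below is an added example, not code from the PR, the Tyk project or any of the bots; the installed-package list is constructed for the example, not captured from tykio/golang-cross:1.24-bullseye (the live command that would capture it is in a comment), and it applies apt-get(8)'s documented rule that an argument containing '.', '?' or '*' that names no package exactly is an unanchored POSIX regex over package names.

```shell
# Constructed sample of installed package names, as `dpkg-query -W -f='${binary:Package}\n'`
# would print them. NOT captured from the real base image; for the real list run
#   docker run --rm tykio/golang-cross:1.24-bullseye dpkg-query -W -f='${binary:Package}\n'
INSTALLED='ca-certificates
curl
docker-ce-cli
libpython3.9-minimal
libsqlite3-0
python3
qemu-user-static
wget'
# Purge list as it stood before the PR (mercurial still present), from the Dockerfile RUN line.
PURGE_LIST='mercurial wget curl automake cmake python* docker* libsqlite* qemu*'
set -f  # purge entries contain literal '*'; never let the shell glob them against the cwd

# matches PKG ENTRY: succeed if apt-get would treat PKG as matched by ENTRY.
# apt-get(8): an argument containing '.', '?' or '*' that names no package exactly
# is an unanchored POSIX regex over all package names, so 'python*' also hits
# 'libpython3.9-minimal'. Exact names are compared against the installed set only
# (a simplification of apt's lookup in the full package database).
matches() {
  pkg=$1; entry=$2
  [ "$pkg" = "$entry" ] && return 0
  case $entry in
    *[.?*]*) printf '%s\n' "$pkg" | grep -E -q -e "$entry" ;;
    *) return 1 ;;
  esac
}

# would_purge INSTALLED ENTRIES: print each installed package hit by at least one entry.
would_purge() {
  printf '%s\n' "$1" | while IFS= read -r pkg; do
    for entry in $2; do
      if matches "$pkg" "$entry"; then printf '%s\n' "$pkg"; break; fi
    done
  done
}

# noop_entries INSTALLED ENTRIES: print entries that hit nothing installed. Such an entry
# (mercurial here) can be dropped from the RUN line without changing the resulting image.
noop_entries() {
  for entry in $2; do
    [ -n "$(would_purge "$1" "$entry")" ] || printf '%s\n' "$entry"
  done
}

echo "would be purged:"; would_purge "$INSTALLED" "$PURGE_LIST"
echo "no-op entries:";   noop_entries "$INSTALLED" "$PURGE_LIST"
```

Running it against the real output of the `docker run` command above answers the base-image question both bots raise, and the over-match of `python*` onto `libpython3.9-minimal` shows the wildcard risk the guide flags.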

@github-actions
Contributor

API Changes

no api changes detected

@github-actions
Contributor

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Suggestion: Restore mercurial purge

Re-add mercurial to the purge list to ensure it’s removed and prevent potential CVE
exposures as originally intended. This restores the previous security cleanup.

ci/images/plugin-compiler/Dockerfile [17]

-RUN apt-get purge -y --allow-remove-essential --auto-remove wget curl automake cmake python* docker* libsqlite* qemu* \
+RUN apt-get purge -y --allow-remove-essential --auto-remove mercurial wget curl automake cmake python* docker* libsqlite* qemu* \
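Review bot: the `+` line re-adds `mercurial` to the purge list, but the two Visor findings above show the open question is whether the package is installed in the base image `tykio/golang-cross:1.24-bullseye` at all; if it is not, this entry is a no-op and the PR's removal is the correct cleanup, and if it is, the PR as written leaves it in the image. Settle that with `dpkg-query -W -f='${Status}\n' mercurial` run inside the base image before choosing between this suggestion and the PR's change, and state the result in the PR description so the "reduce CVE exposure" wording matches what the line actually does.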
Suggestion importance [1-10]: 7

Why: Re-adding mercurial restores the original security cleanup but has moderate impact since it’s a minor CVE reduction.

Impact: Medium
