chore(deps): update coder to v2.33.3

[uniget-bot]

This PR contains the following updates:

Package	Update	Change
coder	patch	2.33.2 → 2.33.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

coder/coder (coder)

v2.33.3

Compare Source

Changelog

[!NOTE]
This is a mainline Coder release. We advise enterprise customers without a staging environment to install our latest stable release while we refine this version. Learn more about our Release Schedule.

Bug fixes

• Upgrade Go toolchain from 1.25.9 to 1.25.10 (#​25230, e5a96f3)
• Cherry-pick go-git v5.19.0 (CVE-2026-45022) (#​25229, 4e4e235)
• Dashboard: Show Organizations in admin dropdown for single-org OSS deployments (#​25175, bbca430)
• fix(scripts/ironbank): update base image to UBI9 and remove urllib3 (CVE-2026-44431) (#​25247, 818fc72)
• Server: Harden Azure identity certificate fetch (cherry-pick v2.33) (#​25276, 844c1e0)
• Verify PKCS7 signature on Azure instance identity tokens (2.33 cherry-pick) (#​25302, 2b778f2)

Compare: v2.33.2...v2.33.3

Container image

• docker pull ghcr.io/coder/coder:2.33.3

Install/upgrade

Refer to our docs to install or upgrade Coder, or use a release asset below.

---

Configuration

📅 Schedule: (in timezone Europe/Berlin)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[nicholasdille-bot]

Auto-approved because label type/renovate is present.

[github-actions]

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/coder:2.33.3

📦 Image Reference ghcr.io/uniget-org/tools/coder:2.33.3

digest	sha256:afd84c03a2e762c87562fd7b99f022f9c7aeccb9ea24deb80bc89b0dff0b944f
vulnerabilities
platform	linux/amd64
size	186 MB
packages	549

github.com/u-root/u-root 0.14.0 (golang) pkg:golang/github.com/u-root/u-root@0.14.0 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=v7.0.0 Fixed version Not Fixed CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.346% EPSS Percentile 57th percentile Description This affects all versions of package github.com/u-root/u-root/pkg/tarutil. It is vulnerable to both leading and non-leading relative path traversal attacks in tar file extraction. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=7.0.0 Fixed version Not Fixed CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N EPSS Score 0.149% EPSS Percentile 35th percentile Description This affects all versions of package github.com/u-root/u-root/pkg/uzip. It is vulnerable to both leading and non-leading relative path traversal attacks in zip file extraction.

github.com/gomarkdown/markdown 0.0.0-20260411013819-759bbc3e3207 (golang) pkg:golang/github.com/gomarkdown/markdown@0.0.0-20260411013819-759bbc3e3207 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range >=0 Fixed version Not Fixed CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.483% EPSS Percentile 65th percentile Description The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion 0.0.0-20230922105210-14b16010c2ee, which corresponds with commit 14b16010c2ee7ff33a940a541d993bd043a88940, parsing malformed markdown input with parser that uses parser.Mmark extension could result in out-of-bounds read vulnerability. To exploit the vulnerability, parser needs to have parser.Mmark extension set. The panic occurs inside the citation.go file on the line 69 when the parser tries to access the element past its length. This can result in a denial of service. Commit 14b16010c2ee7ff33a940a541d993bd043a88940/pseudoversion 0.0.0-20230922105210-14b16010c2ee contains a patch for this issue.