Investigate unresolved Caddy CVEs after upgrade to 2.10.2 #432

@josecelano

Overview

Track unresolved Caddy image vulnerabilities after remediation pass 1 in issue #428.

Context

Caddy was upgraded from 2.10 to 2.10.2 and findings improved:

  • Before (2.10): 18 HIGH, 6 CRITICAL
  • After (2.10.2): 14 HIGH, 4 CRITICAL

Remaining HIGH/CRITICAL findings are in upstream Caddy binary dependencies.

Goals

  • Verify whether newer Caddy tags further reduce unresolved CVEs
  • Track upstream advisories and dependency fixes
  • Recommend upgrade strategy (patch/minor/major) for deployer templates

Acceptance Criteria

  • Evaluate candidate Caddy tags and compare vulnerability deltas
  • Document selected target version and compatibility notes
  • Update references once a safer tag is validated
  • Pre-commit checks pass: ./scripts/pre-commit.sh

Related
