chore(typescript): remove tsgolint rebuild-from-source Docker stage

[Swimburger]

Description

Remove the tsgolint-rebuild multi-stage Docker build from both the TypeScript SDK CLI Dockerfile and the seed Dockerfile (docker/seed/Dockerfile.ts). The rebuild stage pulled the full golang:1.26.4-trixie image, cloned the typescript-go submodule, applied patches, and recompiled tsgolint from source — all to swap in go1.26.4 and clear two Go stdlib CVEs. This made Docker builds very slow.

Changes Made

• Removed the entire FROM golang:1.26.4-trixie AS tsgolint-rebuild stage (~20 lines) from generators/typescript/sdk/cli/Dockerfile
• Removed the COPY --from=tsgolint-rebuild and binary replacement RUN block (~18 lines) from the CLI Dockerfile
• Removed the same rebuild stage and binary replacement from docker/seed/Dockerfile.ts (~45 lines)
• Bumped oxlint-tsgolint from 0.22.1 → 0.23.0 in the seed Dockerfile to match the CLI Dockerfile
• Added unreleased changelog entry

Context

The two CVEs addressed by the rebuild (CVE-2026-42507 net/textproto, CVE-2026-27145 crypto/x509) are not exercisable by a linting binary — they are false positives for this use case. The tsgolint repo's CI resolves go 1.26 to the latest patch, so the next tsgolint release will be built with go1.26.4+ and the findings will clear automatically.

Testing

• pnpm run check passes (biome format/lint)
• No functional code changes — only Dockerfile build logic and changelog

Link to Devin session: https://app.devin.ai/sessions/3ec35684ab9a41a49cc5da05d590ec8b
Requested by: @Swimburger

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment, CI, and merge conflict monitoring

[devin-ai-integration]

Devin Review found 1 potential issue.

[devin-ai-integration]

🚩 Seed Dockerfile still carries the tsgolint-rebuild stage

The production Dockerfile at generators/typescript/sdk/cli/Dockerfile now skips the Go-based rebuild, but docker/seed/Dockerfile.ts still contains an identical tsgolint-rebuild multi-stage build (lines 1-25) and binary replacement block (lines 103-119). If the rationale for removal applies equally to the seed image (the CVEs are not exercisable by a linting binary), the seed Dockerfile could be simplified in the same way. This is not a bug—seed images have different risk profiles—but worth confirming whether the inconsistency is intentional.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Good catch — the same rationale applies to the seed image. I've removed the tsgolint-rebuild stage and binary replacement block from docker/seed/Dockerfile.ts as well, and bumped the tsgolint version there from 0.22.1 to 0.23.0 to match the CLI Dockerfile. See commit a54a1d4.

[github-actions]

SDK Generation Benchmark Results

Comparing PR branch against median of 5 nightly run(s) on main (latest: 2026-06-26T05:24:50Z).

Full benchmark table (click to expand)

Generator	Spec	main (generator)	main (E2E)	PR (generator)	Delta
ts-sdk	square	236s (n=5)	238s (n=5)	107s	-129s (-54.7%)

main (generator): generator-only time via --skip-scripts (includes Docker image build, container startup, IR parsing, and code generation — this is the same Docker-based flow customers use via fern generate). main (E2E): full customer-observable time including build/test scripts (nightly baseline, informational). Delta is computed against generator-only baseline.
⚠️ = generation exited with a non-zero exit code (timing may not reflect a successful run).
Baseline from nightly runs on main (latest: 2026-06-26T05:24:50Z). Trigger benchmark-baseline to refresh.
Last updated: 2026-06-26 19:31 UTC

[davidkonigsberg]

LGTM