Release Notes – Trinity Platform v4.9.0 (Security & Sanity Fixes)

:magnifying_glass_tilted_left: Overview

This release focuses on security hardening and chart cleanup across the Trinity Platform. Key changes include pinning container image tags (eliminating :latest), rebuilding all application images with patched dependencies, removing unused sub-charts and their configuration blocks, and fixing nil-access issues in cleanup templates.

Trivy vulnerability scanning confirms a significant reduction across all container images. The improvements come from three areas: rebuilding application images with patched OS and npm/Go dependencies, pinning utility images to hardened versions instead of :latest, and eliminating unused sub-chart images from the deployment surface entirely.


:shield: Vulnerability Improvements

:white_check_mark: What Was Done

  1. Rebuilt all Trinity application images — The following microservices were updated:

    Backend services:

    • trinity-app-logs
    • trinity-assets-orchestrator
    • trinity-db-operations
    • trinity-deployments
    • trinity-orchestrator
    • trinity-promscale-connector

    Frontend:

    • trinity-frontend (UI and API)

    Key changes in the application repo:

    • Base image upgraded: Builder stage moved from node:22.17.1 to node:24-alpine3.23; production stage moved from node:22.17.1-alpine to a hardened private base image (neutrinos.azurecr.io/alpha/backend-base:node24-dhi)
    • Frontend base image: Build stage moved to neutrinos.azurecr.io/platform/node:22.14.0-alpine3.21; runtime moved from nginx:stable-alpine to neutrinos.azurecr.io/alpha/frontend-base:nginx-alpine
    • npm dependency upgrades: axios 1.6.2 → 1.15.0, typeorm 0.3.17 → 0.3.28
    • Helm v3 compatibility: Replaced deprecated helm delete with helm uninstall across deployment services

  2. Pinned utility images to hardened versions — The kubectl and curl utility images were moved from :latest (which carried accumulated vulnerabilities) to specific, minimal, recently-built versions (kubectl:1.35.3, curl:8.19.0).

  3. Removed unused sub-chart images — By deleting bundled sub-charts that are no longer part of the deployment (cert-manager, elasticsearch, prometheus, jaeger, kibana, filebeat, metricbeat, kube-state-metrics, alertmanager, pushgateway, node-exporter), a large number of vulnerable images were completely eliminated from the deployment surface.

:chart_decreasing: Vulnerability Summary (Trinity Core Images)

| Metric | Before (apl-current) | After (trinity-latest) | Difference |
|---|---|---|---|
| Total Trinity Core Images | 9 | 9 | |
| Total Vulnerabilities | 1,339 | 112 | -1,227 |
| Critical | 41 | 0 | -41 |
| High | 554 | 18 | -536 |
| Medium | 573 | 44 | -529 |
| Low | 153 | 27 | -126 |
| Unknown | 18 | 25 | +7 |

Per-image vulnerability comparison available in the attached Trivy report: Vulnerability-Comparison-APL.pdf.



:wrench: What Changed

:locked: 1. Security Fixes — Container Image Tags Pinned (Removed :latest)

All container utility images have been pinned to explicit, versioned tags to prevent supply-chain drift and ensure reproducible deployments.

| Image | Old Tag | New Tag |
|---|---|---|
| global.kubectlImage (trinity-utils/kubectl) | latest | 1.35.3 |
| global.curlImage (trinity-utils/curl) | latest | 8.19.0 |
| trinity/curl (controller deployments cron image) | latest | 8.19.0 |
| trinity-utils/curl (runtime alerts cron default in _alerts.tpl) | latest | 8.19.0 |
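A CI-side check for the pinning policy described above, added here as an example; it is not part of the release or of the Trinity charts. It scans rendered manifests (for instance the output of helm template) and reports every image reference that is untagged or still uses :latest. The manifest it scans is constructed for the example; the only values taken from this page are the kubectl and curl tags. ParseImageRef and FindUnpinnedImages are names chosen here, and treating a digest-pinned reference as acceptable is this example's assumption, not a statement about the chart's policy.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ImageRef is a container image reference split into its parts.
type ImageRef struct {
	Raw    string
	Repo   string // registry and path, without tag or digest
	Tag    string // "" when no tag is given
	Digest string // "" when no digest is given
}

// ParseImageRef splits an image reference into repository, tag and digest.
// Only the last path segment may carry a tag, so a registry port
// (e.g. localhost:5000/app) is not mistaken for a tag.
func ParseImageRef(raw string) ImageRef {
	ref := ImageRef{Raw: raw}
	rest := raw
	if i := strings.Index(rest, "@"); i >= 0 {
		ref.Digest = rest[i+1:]
		rest = rest[:i]
	}
	slash := strings.LastIndex(rest, "/")
	if colon := strings.LastIndex(rest, ":"); colon > slash {
		ref.Tag = rest[colon+1:]
		rest = rest[:colon]
	}
	ref.Repo = rest
	return ref
}

// Pinned reports whether the reference satisfies the policy this release
// adopts: an explicit, non-floating tag. A digest is accepted as well
// (assumption made for this example: a digest is the stronger pin).
func (r ImageRef) Pinned() bool {
	if r.Digest != "" {
		return true
	}
	return r.Tag != "" && r.Tag != "latest"
}

// imageLine matches "image: <ref>" lines in rendered Kubernetes YAML,
// with or without a leading list dash and optional quotes.
var imageLine = regexp.MustCompile(`(?m)^\s*-?\s*image:\s*["']?([^"'\s]+)["']?\s*$`)

// FindUnpinnedImages scans rendered manifests and returns every image
// reference that is untagged or uses :latest, in document order.
func FindUnpinnedImages(manifests string) []string {
	var bad []string
	for _, m := range imageLine.FindAllStringSubmatch(manifests, -1) {
		if ref := ParseImageRef(m[1]); !ref.Pinned() {
			bad = append(bad, ref.Raw)
		}
	}
	return bad
}

// sampleManifests is a constructed excerpt of helm template output; the
// unpinned entries are deliberate so the check has something to find.
const sampleManifests = `
apiVersion: batch/v1
kind: CronJob
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - name: cleanup
              image: neutrinos.azurecr.io/trinity-utils/kubectl:latest
            - name: probe
              image: neutrinos.azurecr.io/trinity-utils/curl:8.19.0
            - name: migrate
              image: neutrinos.azurecr.io/trinity/trinity-db-operations
            - name: sidecar
              image: localhost:5000/tools/busybox@sha256:0000000000000000000000000000000000000000000000000000000000000000
`

func main() {
	// Exit non-zero in CI when anything unpinned is found.
	for _, img := range FindUnpinnedImages(sampleManifests) {
		fmt.Println("unpinned image:", img)
	}
}
```

Run it against real output with helm template piped into a file and read in place of sampleManifests; a non-empty result is the signal to fail the pipeline, which is what keeps :latest from creeping back in after this release.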

:broom: 2. Chart Cleanup — Removed Unused Sub-charts

The following sub-charts have been entirely deleted from the repository and their dependencies removed from Chart.yaml:

Controller Chart (console-controller-init)

| Removed Chart | Version |
|---|---|
| postgresql | 15.0.0 |
| cert-manager | v1.13.1 |
| elasticsearch (master/data/client) | 8.5.1 |
| prometheus | 25.26.0 |
| prometheus-elasticsearch-exporter | 6.5.0 |
| jaeger | 3.3.2 |
| kibana | 8.5.1 |
| trinity-db | 4.6.0 |

Standalone Charts Removed

| Removed Chart |
|---|
| alpha-insights/ |
| ingress-rate-limit/ |
| rabbitmq/ |
| redis/ |

:spouting_whale: Docker Images

Release Branch: release/4.9.0
Registry: neutrinos.azurecr.io

| # | Repository Name | Docker Image | Tag |
|---|---|---|---|
| 1 | trinity-frontend (UI) | neutrinos.azurecr.io/trinity/trinity-frontend/ui | 26.04.4.9.0-dhi |
| 2 | trinity-frontend (API) | neutrinos.azurecr.io/trinity/trinity-frontend/api | 26.04.4.9.0-dhi |
| 3 | trinity-orchestrator | neutrinos.azurecr.io/trinity/trinity-orchestrator | 26.04.4.9.0-dhi |
| 4 | trinity-db-operations | neutrinos.azurecr.io/trinity/trinity-db-operations | 26.04.4.9.0-dhi |
| 5 | trinity-deployments | neutrinos.azurecr.io/trinity/trinity-deployments | 26.04.4.9.0-dhi |
| 6 | trinity-promscale-connector | neutrinos.azurecr.io/trinity/trinity-promscale-connector | 26.04.4.9.0-dhi |
| 7 | trinity-alerts-email-service | neutrinos.azurecr.io/trinity/trinity-alerts-email-service | 26.04.4.9.0-dhi |
| 8 | trinity-app-logs | neutrinos.azurecr.io/trinity/trinity-app-logs | 26.04.4.9.0-dhi |
| 9 | trinity-assets-orchestrator | neutrinos.azurecr.io/trinity/trinity-assets-orchestrator | 26.04.4.9.0-dhi |
| 10 | alerts-base-app (runtime) | neutrinos.azurecr.io/trinity/alerts-base-app | 26.04.4.9.0-dhi |

:warning: Breaking Changes

  1. Removed sub-charts — If your deployment relied on the bundled postgresql, elasticsearch, prometheus, jaeger, kibana, cert-manager, trinity-db, kube-state-metrics, rabbitmq, or redis charts, you must now manage these independently.
  2. Customer-specific images: trinity-user-management, trinity-license-agent (frontend/backend), identity-server-v2, and trinity-asset-orchestrator image values must be configured per deployment, as these are customer-specific.

:bar_chart: Summary

| Category | Change |
|---|---|
| Vulnerabilities | Rebuilt images with Node.js 24 + hardened base images, upgraded axios & typeorm, eliminated unused sub-chart images. See attached Trivy report for full details. |
| Security | Pinned all :latest utility images to explicit versions (kubectl:1.35.3, curl:8.19.0) |
| Images | All Trinity app images rebuilt as 26.04.4.9.0-dhi on backend-base:node24-dhi / frontend-base:nginx-alpine; cleared unversioned images to force explicit configuration |
| Chart Cleanup | Removed 12+ unused sub-charts (controller + runtime) and 4 standalone charts; deleted their config from values |
| Template Fix | Added nil-safe patterns in cleanup job template for removed chart values |
| Runtime | Disabled trinityLicenseAgent by default; changed alerts-base-app image repository |
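The nil-access failure behind the Template Fix row, reproduced and then fixed, as an added example rather than the Trinity cleanup template itself. It uses Go's text/template with missingkey=zero, the option Helm's engine sets for non-strict rendering, so the unsafe form fails with the same "nil pointer evaluating interface {}.enabled" error a cleanup Job hits once the postgresql block is gone from values.yaml. The template text and the values maps are constructed for the example, and Render is a name chosen here.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// unsafeCleanup dereferences .Values.postgresql.enabled directly. With the
// postgresql block removed from values.yaml this is a nil-pointer error,
// which aborts the whole chart render (constructed example template).
const unsafeCleanup = `{{- if .Values.postgresql.enabled }}
kubectl delete pvc -l app.kubernetes.io/name=postgresql
{{- end }}`

// safeCleanup uses two nil-safe patterns: "and" short-circuits, so
// .enabled is only evaluated when the postgresql block exists, and "with"
// skips its body entirely when the elasticsearch block is absent.
const safeCleanup = `{{- if and .Values.postgresql .Values.postgresql.enabled }}
kubectl delete pvc -l app.kubernetes.io/name=postgresql
{{- end }}
{{- with .Values.elasticsearch }}{{ if .enabled }}
kubectl delete pvc -l app.kubernetes.io/name=elasticsearch
{{- end }}{{ end }}`

// Render executes a template against a Helm-like .Values context and
// returns the rendered text or the template error. missingkey=zero mirrors
// Helm's default engine option, which is what turns a missing values
// block into a nil interface instead of silently skipping it.
func Render(tmpl string, values map[string]interface{}) (string, error) {
	t, err := template.New("cleanup").Option("missingkey=zero").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, map[string]interface{}{"Values": values})
	return buf.String(), err
}

func main() {
	// Values after this release: the postgresql and elasticsearch blocks
	// have been deleted along with their sub-charts (constructed input).
	removed := map[string]interface{}{}

	if _, err := Render(unsafeCleanup, removed); err != nil {
		fmt.Println("unsafe template:", err)
	}
	out, err := Render(safeCleanup, removed)
	fmt.Printf("safe template, blocks removed: %q err=%v\n", out, err)

	// Values from a deployment that still manages postgresql itself.
	present := map[string]interface{}{
		"postgresql": map[string]interface{}{"enabled": true},
	}
	out, err = Render(safeCleanup, present)
	fmt.Printf("safe template, postgresql present: %q err=%v\n", out, err)
}
```

The practical check is to run helm template once with the stripped values file and once with a values file that still carries the old blocks: the first render must succeed without the nil-pointer error, the second must still emit the cleanup commands, so the hardened template neither breaks new installs nor silently stops cleaning up on upgrades.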