build: fix cross-span and setuptools CVEs (#2107)

Fixes  CVE-2024-21538 and CVE-2024-6345 .
b/430729479

* use python:3.10.18-bullseye for PHP base to fix Kokoro failure

Author: meltsufin

docker/owlbot/nodejs/Dockerfile

@@ -58,6 +58,9 @@ RUN curl -fsSL https://deb.nodesource.com/setup_18.x | bash - && \
     apt-get install -y nodejs && \
     rm -rf /var/lib/apt/lists/*
 
+# Remove unnecessary cross-spawn from npm to resolve CVE-2024-21538
+RUN rm -r /usr/lib/node_modules/npm/node_modules/cross-spawn
+
 # Verify Node.js and npm installations
 RUN node --version
 RUN npm --version
@@ -82,6 +85,7 @@ RUN pip install --require-hashes -r /synthtool/requirements.txt
 # since it does not include a fix for CVE-2025-47273/CVE-2025-47273.
 RUN rm -rf /venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/setuptools-68.0.0-py3-none-any.whl
 RUN rm -rf /venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/setuptools-75.1.0-py3-none-any.whl
+RUN rm -rf /opt/venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/setuptools-68.0.0-py3-none-any.whl
 
 # Set PYTHONPATH to ensure synthtool can be found by Python scripts.
 # Include the virtual environment's site-packages for completeness, though

docker/owlbot/php/Dockerfile

@@ -16,7 +16,7 @@
 
 # build from the root of this repo:
 # docker build -t gcr.io/repo-automation-bots/owlbot-php -f docker/owlbot/php/Dockerfile .
-FROM python:3.10.6-buster
+FROM python:3.10.18-bullseye
 
 WORKDIR /
 

docker/owlbot/php/container_test.yaml

@@ -17,7 +17,7 @@ commandTests:
 - name: "python"
   command: "python"
   args: ["--version"]
-  expectedOutput: ["Python 3.10.6"]
+  expectedOutput: ["Python 3.10.18"]
 - name: "php synthtool validation"
   command: "python"
   # Use YAML List Style for this command