diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 99edd3865..7285d0327 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1 +1 @@
-FROM ghcr.io/containerbase/devcontainer:13.2.2
+FROM ghcr.io/containerbase/devcontainer:13.2.3
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index a8363b422..258aaed8b 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -24,6 +24,6 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
 
-      - uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+      - uses: github/codeql-action/upload-sarif@babb554ede22fd5605947329c4d04d8e7a0b8155 # v3.27.7
         with:
           sarif_file: trivy-results.sarif
diff --git a/package.json b/package.json
index 014b8576b..f12eefccb 100644
--- a/package.json
+++ b/package.json
@@ -45,7 +45,7 @@
     "common-tags": "1.8.2",
     "deepmerge": "4.3.1",
     "del": "8.0.0",
-    "execa": "9.5.1",
+    "execa": "9.5.2",
     "global-agent": "3.0.0",
     "got": "14.4.5",
     "ini": "5.0.0",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 0a94b8798..f8c6c60a1 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -41,8 +41,8 @@ importers:
         specifier: 8.0.0
         version: 8.0.0
       execa:
-        specifier: 9.5.1
-        version: 9.5.1
+        specifier: 9.5.2
+        version: 9.5.2
       global-agent:
         specifier: 3.0.0
         version: 3.0.0
@@ -1611,8 +1611,8 @@ packages:
     resolution: {integrity: sha512-VyhnebXciFV2DESc+p6B+y0LjSm0krU4OgJN44qFAhBY0TJ+1V61tYD2+wHusZ6F9n5K+vl8k0sTy7PEfV4qpg==}
     engines: {node: '>=16.17'}
 
-  execa@9.5.1:
-    resolution: {integrity: sha512-QY5PPtSonnGwhhHDNI7+3RvY285c7iuJFFB+lU+oEzMY/gEGJ808owqJsrr8Otd1E/x07po1LkUBmdAc5duPAg==}
+  execa@9.5.2:
+    resolution: {integrity: sha512-EHlpxMCpHWSAh1dgS6bVeoLAXGnJNdR93aabr4QCGbzOM73o5XmRfM/e5FUqsw3aagP8S8XEWUWFAxnRBnAF0Q==}
     engines: {node: ^18.19.0 || >=20.5.0}
 
   expand-template@2.0.3:
@@ -4067,7 +4067,7 @@ snapshots:
     dependencies:
       '@semantic-release/error': 4.0.0
       aggregate-error: 5.0.0
-      execa: 9.5.1
+      execa: 9.5.2
       fs-extra: 11.2.0
       lodash-es: 4.17.21
       nerf-dart: 1.0.0
@@ -5113,7 +5113,7 @@ snapshots:
       signal-exit: 4.1.0
       strip-final-newline: 3.0.0
 
-  execa@9.5.1:
+  execa@9.5.2:
     dependencies:
       '@sindresorhus/merge-streams': 4.0.0
       cross-spawn: 7.0.6
@@ -6403,7 +6403,7 @@ snapshots:
       cosmiconfig: 9.0.0(typescript@5.7.2)
       debug: 4.4.0
       env-ci: 11.1.0
-      execa: 9.5.1
+      execa: 9.5.2
       figures: 6.1.0
       find-versions: 6.0.0
       get-stream: 6.0.1
diff --git a/src/cli/tools/java/index.ts b/src/cli/tools/java/index.ts
index 95c957ded..4a89996d7 100644
--- a/src/cli/tools/java/index.ts
+++ b/src/cli/tools/java/index.ts
@@ -100,7 +100,7 @@ export class JavaPrepareService extends BasePrepareService {
     await createMavenSettings(this.pathSvc);
     await createGradleSettings(this.pathSvc);
 
-    if (!(await this.pathSvc.toolEnvExists(this.name))) {
+    if (!(await this.pathSvc.toolEnvExists('gradle'))) {
       // fix: Failed to load native library 'libnative-platform.so' for Linux amd64.
       await this.pathSvc.exportToolEnv(
         'gradle',
diff --git a/src/usr/local/containerbase/utils/v2/defaults.sh b/src/usr/local/containerbase/utils/v2/defaults.sh
index 78b615080..cb56429b4 100644
--- a/src/usr/local/containerbase/utils/v2/defaults.sh
+++ b/src/usr/local/containerbase/utils/v2/defaults.sh
@@ -8,11 +8,7 @@
 # Is used to check if all requirements are met to install the tool
 function check_tool_requirements () {
   # Sensitive default that can be overwritten by tools if needed
-  check_semver "${TOOL_VERSION}"
-  if [[ ! "${MAJOR}" || ! "${MINOR}" || ! "${PATCH}" ]]; then
-    echo Invalid version: "${TOOL_VERSION}"
-    exit 1
-  fi
+  check_semver "${TOOL_VERSION}" all
 }
 
 # Is used to check if the tool has already been installed in the given version
diff --git a/test/Dockerfile.distro b/test/Dockerfile.distro
index d4af620b8..7c1baaac5 100644
--- a/test/Dockerfile.distro
+++ b/test/Dockerfile.distro
@@ -45,7 +45,7 @@ RUN prepare-tool all
 FROM build AS test
 
 # renovate: datasource=github-releases packageName=bazelbuild/bazelisk
-RUN install-tool bazelisk v1.24.1
+RUN install-tool bazelisk v1.25.0
 
 # renovate: datasource=npm
 RUN install-tool bun 1.1.38
@@ -84,7 +84,7 @@ RUN install-tool helm v3.16.3
 RUN install-tool helmfile v0.169.2
 
 # renovate: datasource=github-releases packageName=kubernetes/kubernetes
-RUN install-tool kubectl v1.31.3
+RUN install-tool kubectl v1.31.4
 
 # renovate: datasource=github-releases packageName=kubernetes-sigs/kustomize
 RUN install-tool kustomize 5.5.0
diff --git a/test/java/Dockerfile b/test/java/Dockerfile
index 123418283..0934e97f9 100644
--- a/test/java/Dockerfile
+++ b/test/java/Dockerfile
@@ -226,6 +226,25 @@ RUN install-tool gradle
 RUN install-tool maven
 
 
+#--------------------------------------
+# test: readonly
+#--------------------------------------
+FROM base AS test-readonly
+
+RUN prepare-tool java
+
+# fake reaonly
+RUN set -ex; \
+  chmod -R g-w /opt/containerbase; \
+  chown -R root /opt/containerbase; \
+  rm -rf /tmp/containerbase; \
+  true
+
+USER 12021
+
+RUN ls -la /tmp
+RUN containerbase-cli init tool java
+
 #--------------------------------------
 # final
 #--------------------------------------
@@ -238,3 +257,4 @@ COPY --from=test-gradle-d /.dummy /.dummy
 COPY --from=test-maven-a /.dummy /.dummy
 COPY --from=test-others /.dummy /.dummy
 COPY --from=test-latest-version /.dummy /.dummy
+COPY --from=test-readonly /.dummy /.dummy
diff --git a/test/latest/Dockerfile b/test/latest/Dockerfile
index 42abc975f..e8c210988 100644
--- a/test/latest/Dockerfile
+++ b/test/latest/Dockerfile
@@ -210,7 +210,7 @@ RUN set -ex; [ -d /usr/local/erlang ] && echo "works" || exit 1;
 FROM base AS teste
 
 # renovate: datasource=github-releases packageName=bazelbuild/bazelisk
-RUN install-tool bazelisk v1.24.1
+RUN install-tool bazelisk v1.25.0
 
 # renovate: datasource=npm
 RUN install-tool bun 1.1.38
@@ -222,7 +222,7 @@ RUN install-tool devbox 0.13.7
 RUN install-tool gleam 1.6.3
 
 # renovate: datasource=github-releases packageName=kubernetes/kubernetes
-RUN install-tool kubectl v1.31.3
+RUN install-tool kubectl v1.31.4
 
 # renovate: datasource=github-releases packageName=containerbase/skopeo-prebuild
 RUN install-tool skopeo 1.17.0
diff --git a/test/latest/Dockerfile.arm64 b/test/latest/Dockerfile.arm64
index 7d343a4bd..c534fdf3d 100644
--- a/test/latest/Dockerfile.arm64
+++ b/test/latest/Dockerfile.arm64
@@ -38,7 +38,7 @@ ARG CONTAINERBASE_LOG_LEVEL
 FROM base AS test-bazelisk
 
 # renovate: datasource=github-releases packageName=bazelbuild/bazelisk
-RUN install-tool bazelisk v1.24.1
+RUN install-tool bazelisk v1.25.0
 
 #--------------------------------------
 # Image: bun
@@ -126,7 +126,7 @@ RUN install-tool vendir v0.43.0
 FROM base AS test-others
 
 # renovate: datasource=github-releases packageName=kubernetes/kubernetes
-RUN install-tool kubectl v1.31.3
+RUN install-tool kubectl v1.31.4
 
 # renovate: datasource=github-releases packageName=containerbase/skopeo-prebuild
 RUN install-tool skopeo 1.17.0
diff --git a/tools/test.js b/tools/test.js
index 1e4e3a52a..1e55f5032 100644
--- a/tools/test.js
+++ b/tools/test.js
@@ -33,7 +33,7 @@ class TestCommand extends Command {
     if (this.debug) {
       shell.echo('Debug mode enabled');
       env.CONTAINERBASE_DEBUG = '1';
-      env.BUILDKIT_PROGRESS = '1';
+      env.BUILDKIT_PROGRESS = 'plain';
     }
 
     if (this.logLevel) {