fix(docker): Bump versions (python 3.11, alpine 3.20) #10280
Conversation
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🟢 Risk threshold not exceeded.
Change Summary
The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.
Summary: The code changes in this pull request focus on updating the base Docker images used for the various components of the application, including the NGINX-based container, the Django-based container, and the integration test container. The primary updates are to the base Python image, which has been upgraded to the latest 3.11.9 version in most cases. From an application security perspective, these changes are generally positive as they ensure the application is running on the most up-to-date and secure base images, which should include the latest security patches and bug fixes. Additionally, the Dockerfiles include various security-conscious practices, such as setting appropriate file permissions, managing sensitive environment variables, and running unit tests. However, it's important to review the entire application and deployment process to ensure there are no other potential security vulnerabilities, such as issues with the NGINX configuration, the handling of static assets, or the installation and use of additional dependencies (e.g., Node.js and Yarn). Ongoing monitoring and maintenance of the application's security posture is also crucial to address any newly discovered vulnerabilities in the base images or the application's dependencies.
Files Changed:
Powered by DryRun Security
@kiblik I agree about bumping these to a later Alpine version but would like to stick with Python 3.11 since that's the tested version of Python. I'd prefer to handle these one at a time - first do the Alpine part, then consider bumping the Python version instead of doing both in one PR. Looking at the available Python 3.11 containers, this one seems to fit the bill: And uses Alpine 20 so we'd be good to 2026. Once this PR is merged we can look at rev'ing the Python version separately. I wanted to comment to let others chime in before requesting a change to python:3.11.9-alpine
No problem @mtesauro. I updated all Pythons to 3.11.9 and all alpines to 3.20. PR is ready.
Approved
Looks like Renovate and/or Dependabot are not able to identify higher versions.
This should be addressed somehow; for now, let's fix it by hand.
Fix for #10277
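Since the bots did not flag the outdated base images and the bump was done by hand across several Dockerfiles, a small consistency check that parses every `FROM python:<ver>-alpine<ver>` line and compares it against the agreed pins (3.11.9 / 3.20) is one way to catch a file that was missed. This is an added example, not code from the PR or the project; the Dockerfile contents below are constructed samples, and the function names are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Matches FROM lines using the tag scheme the PR settles on:
# python:<major.minor.patch>-alpine<major.minor>, optionally with --platform and AS <stage>.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?"
    r"python:(?P<py>\d+\.\d+\.\d+)-alpine(?P<alpine>\d+\.\d+)"
    r"(?:\s+AS\s+\S+)?\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_base_images(dockerfile: str) -> List[Tuple[str, str]]:
    """Return (python_version, alpine_version) for every matching FROM line."""
    return [(m.group("py"), m.group("alpine")) for m in FROM_RE.finditer(dockerfile)]


def check_pins(dockerfiles: Dict[str, str], expected_py: str, expected_alpine: str) -> List[str]:
    """Return one finding per mismatch; an empty list means every file uses the agreed pins."""
    findings: List[str] = []
    for name, content in dockerfiles.items():
        images = parse_base_images(content)
        if not images:
            findings.append(f"{name}: no python:*-alpine* FROM line found")
            continue
        for py, alpine in images:
            if py != expected_py:
                findings.append(f"{name}: python {py} != expected {expected_py}")
            if alpine != expected_alpine:
                findings.append(f"{name}: alpine {alpine} != expected {expected_alpine}")
    return findings


# Constructed sample Dockerfiles (not the project's real files); the last one was "missed".
SAMPLE_DOCKERFILES = {
    "Dockerfile.nginx": "FROM python:3.11.9-alpine3.20 AS build\nRUN pip install --no-cache-dir example\n",
    "Dockerfile.django": "FROM python:3.11.9-alpine3.20 AS base\nWORKDIR /app\n",
    "Dockerfile.integration-tests": "FROM python:3.11.4-alpine3.18\n",
}

if __name__ == "__main__":
    for finding in check_pins(SAMPLE_DOCKERFILES, "3.11.9", "3.20"):
        print(finding)
```

Run it from CI against the repository's real Dockerfiles and fail the job when the returned list is non-empty.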