fix: apply OS security updates to base images at build time#8100
fix: apply OS security updates to base images at build time#8100rickbijkerk wants to merge 2 commits into
Conversation
The service, migrations and CLI Dockerfiles ran apt-get update followed only by apt-get install of a few specific packages, so Debian security patches inherited from the pinned node:*-slim base image were never applied. Add apt-get upgrade so published images pick up fixed OS packages at build time.
There was a problem hiding this comment.
Code Review
This pull request updates the CLI, migrations, and services Dockerfiles to run apt-get upgrade during build. To keep the resulting Docker images as small as possible, the --no-install-recommends flag should be added to the apt-get upgrade and apt-get install commands in all three Dockerfiles.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
Hi @rickbijkerk , thanks for opening the PR, but I have some takeaways from using this approach:
This could also introduce CVEs from zero-days or other packages that we don't control. And since it's not a runtime dependency, but an immutable Docker, it might end up with similar situation.
I think at the moment we can begin with bumping the base image, and update specific pkg. Do you have specific packages that needs to be updated in the current image? We can use these explicitly.
This might also break Docker caching in our CI (because this runs as a first step, and Docker's layered caching is based on the order of the layers...) |
|
Hey @dotansimha
That would indeed already be nice, as for specific packages the "libgnutls30, libgcrypt20" came up on our end which from what i can tell wouldnt be solved by just bumping the base image.
How would you like to continue from here, will you guys take over and we close this MR ? |
Background
The
node:*-slimbased Dockerfiles runapt-get updatefollowed only byapt-get installof a few specific packages — they never runapt-get upgrade. Combined with a pinned base tag, this means OS packages inherited from the base image are frozen at its snapshot and never receive Debian security updates, so published images ship known-fixed CVEs in the base layer.Bumping the base image tag alone doesn't reliably fix this, since the latest tag can still lag behind Debian's security patches.
Description
Add
apt-get upgrade -yto the existingapt-getstep in the service, migrations and CLI Dockerfiles so OS packages are patched at build time. Also adds the missingrm -rf /var/lib/apt/lists/*cleanup tomigrations.dockerfilefor consistency.No application code changes — affects the published Docker images only.
Checklist