Skip to content

fix: apply OS security updates to base images at build time#8100

Open
rickbijkerk wants to merge 2 commits into
graphql-hive:mainfrom
rickbijkerk:fix/apt-upgrade-base-image-cves
Open

fix: apply OS security updates to base images at build time#8100
rickbijkerk wants to merge 2 commits into
graphql-hive:mainfrom
rickbijkerk:fix/apt-upgrade-base-image-cves

Conversation

@rickbijkerk

@rickbijkerk rickbijkerk commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Background

The node:*-slim based Dockerfiles run apt-get update followed only by apt-get install of a few specific packages — they never run apt-get upgrade. Combined with a pinned base tag, this means OS packages inherited from the base image are frozen at its snapshot and never receive Debian security updates, so published images ship known-fixed CVEs in the base layer.

Bumping the base image tag alone doesn't reliably fix this, since the latest tag can still lag behind Debian's security patches.

Description

Add apt-get upgrade -y to the existing apt-get step in the service, migrations and CLI Dockerfiles so OS packages are patched at build time. Also adds the missing rm -rf /var/lib/apt/lists/* cleanup to migrations.dockerfile for consistency.

No application code changes — affects the published Docker images only.

Checklist

  • System configuration

The service, migrations and CLI Dockerfiles ran apt-get update followed
only by apt-get install of a few specific packages, so Debian security
patches inherited from the pinned node:*-slim base image were never
applied. Add apt-get upgrade so published images pick up fixed OS
packages at build time.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the CLI, migrations, and services Dockerfiles to run apt-get upgrade during build. To keep the resulting Docker images as small as possible, the --no-install-recommends flag should be added to the apt-get upgrade and apt-get install commands in all three Dockerfiles.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread docker/cli.dockerfile Outdated
Comment thread docker/migrations.dockerfile Outdated
Comment thread docker/services.dockerfile Outdated
@n1ru4l n1ru4l mentioned this pull request Jun 2, 2026
@n1ru4l n1ru4l requested a review from dotansimha June 2, 2026 12:45
@dotansimha

Copy link
Copy Markdown
Member

Hi @rickbijkerk , thanks for opening the PR, but I have some takeaways from using this approach:

The node:*-slim based Dockerfiles run apt-get update followed only by apt-get install of a few specific packages — they never run apt-get upgrade. Combined with a pinned base tag, this means OS packages inherited from the base image are frozen at its snapshot and never receive Debian security updates, so published images ship known-fixed CVEs in the base layer.

This could also introduce CVEs from zero-days or other packages that we don't control. And since it's not a runtime dependency, but an immutable Docker, it might end up with similar situation.

Bumping the base image tag alone doesn't reliably fix this, since the latest tag can still lag behind Debian's security patches.

I think at the moment we can begin with bumping the base image, and update specific pkg. Do you have specific packages that needs to be updated in the current image? We can use these explicitly.

Description

Add apt-get upgrade -y to the existing apt-get step in the service, migrations and CLI Dockerfiles so OS packages are patched at build time. Also adds the missing rm -rf /var/lib/apt/lists/* cleanup to migrations.dockerfile for consistency.

No application code changes — affects the published Docker images only.

This might also break Docker caching in our CI (because this runs as a first step, and Docker's layered caching is based on the order of the layers...)

@rickbijkerk

rickbijkerk commented Jun 3, 2026

Copy link
Copy Markdown
Contributor Author

Hey @dotansimha

I think at the moment we can begin with bumping the base image, and update specific pkg. Do you have specific packages that needs to be updated in the current image? We can use these explicitly.

That would indeed already be nice, as for specific packages the "libgnutls30, libgcrypt20" came up on our end which from what i can tell wouldnt be solved by just bumping the base image.

This might also break Docker caching in our CI (because this runs as a first step, and Docker's layered caching is based on the order of the layers...)
i also do understand this argument its a hard balancing act after all

How would you like to continue from here, will you guys take over and we close this MR ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants