fix(docker): purge uv wheel cache after opencv swap [security]

lawrence-u10d · claude · lawrence-u10d · commit f73143dfe2a5 · 2026-04-22T17:12:08.000-05:00
The 0.1.4 fix uninstalled opencv-python and installed the ffmpeg-free
replacement, but the original wheel's extracted contents remained in
~/.cache/uv/archive-v0/.../opencv_python.libs/ (libavcodec.so.59.*,
libavformat, libavutil, libswscale, libswresample, libavfilter,
libavdevice). Image scanners walk the whole filesystem and still flagged
the 14 ffmpeg CVEs from those cache files even though nothing links
against them at runtime.

Add `uv cache clean` at the end of the opencv replacement RUN so the
vulnerable libs are evicted from the final image layer. Safe because
UV_LINK_MODE=copy ensures installed files are independent copies, not
cache hardlinks.

Bumps service version 0.1.4 -&gt; 0.1.5.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.1.5
+
+### Security
+
+- **Purge uv wheel cache after opencv swap**: The 0.1.4 Dockerfile uninstalled the PyPI `opencv-python` wheel and installed the ffmpeg-free replacement, but the original wheel's extracted contents (including `libavcodec.so.59.*` and friends) remained in `~/.cache/uv/archive-v0/…/opencv_python.libs/`. Image scanners still flagged the 14 ffmpeg CVEs because they walk the whole filesystem. Added `uv cache clean` at the end of the opencv replacement `RUN` so the vulnerable libs are evicted from the final image layer.
+
 ## 0.1.4
 
 ### Security
diff --git a/Dockerfile b/Dockerfile
@@ -113,7 +113,15 @@ RUN ARCH=$(uname -m) && \
       uv pip uninstall "$pkg" 2>/dev/null || true; \
     done && \
     uv pip install --no-deps /tmp/"${WHEEL}" && \
-    rm /tmp/"${WHEEL}"
+    rm /tmp/"${WHEEL}" && \
+    # `uv pip uninstall` only drops the package from site-packages; the wheel
+    # cache under ~/.cache/uv still holds the extracted opencv-python archive
+    # (including its bundled `.libs/libavcodec.so.59.*` + friends). Scanners
+    # see those files and still flag the 14 ffmpeg CVEs even though nothing
+    # links against them at runtime. Wipe the cache so the image layer no
+    # longer contains the vulnerable libs. Safe because UV_LINK_MODE=copy
+    # ensures installed files are independent copies, not cache hardlinks.
+    uv cache clean
 
 COPY --chown=${NB_USER}:${NB_USER} CHANGELOG.md CHANGELOG.md
 COPY --chown=${NB_USER}:${NB_USER} logger_config.yaml logger_config.yaml
diff --git a/prepline_general/api/__version__.py b/prepline_general/api/__version__.py
@@ -1 +1 @@
-__version__ = "0.1.4"  # pragma: no cover
+__version__ = "0.1.5"  # pragma: no cover

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-__version__ = "0.1.4" # pragma: no cover`
	`1`	`+__version__ = "0.1.5" # pragma: no cover`