From f73143dfe2a52aa38d534f630eebf35bed9ee2fe Mon Sep 17 00:00:00 2001
From: Lawrence Elitzer <lawrence@unstructured.io>
Date: Wed, 22 Apr 2026 17:12:08 -0500
Subject: [PATCH] fix(docker): purge uv wheel cache after opencv swap
 [security]

The 0.1.4 fix uninstalled opencv-python and installed the ffmpeg-free
replacement, but the original wheel's extracted contents remained in
~/.cache/uv/archive-v0/.../opencv_python.libs/ (libavcodec.so.59.*,
libavformat, libavutil, libswscale, libswresample, libavfilter,
libavdevice). Image scanners walk the whole filesystem and still flagged
the 14 ffmpeg CVEs from those cache files even though nothing links
against them at runtime.

Add `uv cache clean` at the end of the opencv replacement RUN so the
vulnerable libs are evicted from the final image layer. Safe because
UV_LINK_MODE=copy ensures installed files are independent copies, not
cache hardlinks.

Bumps service version 0.1.4 -> 0.1.5.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 CHANGELOG.md                        |  6 ++++++
 Dockerfile                          | 10 +++++++++-
 prepline_general/api/__version__.py |  2 +-
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7629fcb7..a1306114 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.1.5
+
+### Security
+
+- **Purge uv wheel cache after opencv swap**: The 0.1.4 Dockerfile uninstalled the PyPI `opencv-python` wheel and installed the ffmpeg-free replacement, but the original wheel's extracted contents (including `libavcodec.so.59.*` and friends) remained in `~/.cache/uv/archive-v0/…/opencv_python.libs/`. Image scanners still flagged the 14 ffmpeg CVEs because they walk the whole filesystem. Added `uv cache clean` at the end of the opencv replacement `RUN` so the vulnerable libs are evicted from the final image layer.
+
 ## 0.1.4
 
 ### Security
diff --git a/Dockerfile b/Dockerfile
index 2fecd9a7..460e9896 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -113,7 +113,15 @@ RUN ARCH=$(uname -m) && \
       uv pip uninstall "$pkg" 2>/dev/null || true; \
     done && \
     uv pip install --no-deps /tmp/"${WHEEL}" && \
-    rm /tmp/"${WHEEL}"
+    rm /tmp/"${WHEEL}" && \
+    # `uv pip uninstall` only drops the package from site-packages; the wheel
+    # cache under ~/.cache/uv still holds the extracted opencv-python archive
+    # (including its bundled `.libs/libavcodec.so.59.*` + friends). Scanners
+    # see those files and still flag the 14 ffmpeg CVEs even though nothing
+    # links against them at runtime. Wipe the cache so the image layer no
+    # longer contains the vulnerable libs. Safe because UV_LINK_MODE=copy
+    # ensures installed files are independent copies, not cache hardlinks.
+    uv cache clean
 
 COPY --chown=${NB_USER}:${NB_USER} CHANGELOG.md CHANGELOG.md
 COPY --chown=${NB_USER}:${NB_USER} logger_config.yaml logger_config.yaml
diff --git a/prepline_general/api/__version__.py b/prepline_general/api/__version__.py
index ecfc1a30..bb114aa9 100644
--- a/prepline_general/api/__version__.py
+++ b/prepline_general/api/__version__.py
@@ -1 +1 @@
-__version__ = "0.1.4"  # pragma: no cover
+__version__ = "0.1.5"  # pragma: no cover