fix(docker): purge uv wheel cache after opencv swap [security]

CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.1.5
+
+### Security
+
+- **Purge uv wheel cache after opencv swap**: The 0.1.4 Dockerfile uninstalled the PyPI `opencv-python` wheel and installed the ffmpeg-free replacement, but the original wheel's extracted contents (including `libavcodec.so.59.*` and friends) remained in `~/.cache/uv/archive-v0/…/opencv_python.libs/`. Image scanners still flagged the 14 ffmpeg CVEs because they walk the whole filesystem. Added `uv cache clean` at the end of the opencv replacement `RUN` so the vulnerable libs are evicted from the final image layer.
+
 ## 0.1.4
 
 ### Security

Dockerfile

@@ -113,7 +113,15 @@ RUN ARCH=$(uname -m) && \
       uv pip uninstall "$pkg" 2>/dev/null || true; \
     done && \
     uv pip install --no-deps /tmp/"${WHEEL}" && \
-    rm /tmp/"${WHEEL}"
+    rm /tmp/"${WHEEL}" && \
+    # `uv pip uninstall` only drops the package from site-packages; the wheel
+    # cache under ~/.cache/uv still holds the extracted opencv-python archive
+    # (including its bundled `.libs/libavcodec.so.59.*` + friends). Scanners
+    # see those files and still flag the 14 ffmpeg CVEs even though nothing
+    # links against them at runtime. Wipe the cache so the image layer no
+    # longer contains the vulnerable libs. Safe because UV_LINK_MODE=copy
+    # ensures installed files are independent copies, not cache hardlinks.
+    uv cache clean
 
 COPY --chown=${NB_USER}:${NB_USER} CHANGELOG.md CHANGELOG.md
 COPY --chown=${NB_USER}:${NB_USER} logger_config.yaml logger_config.yaml

prepline_general/api/__version__.py

@@ -1 +1 @@
-__version__ = "0.1.4"  # pragma: no cover
+__version__ = "0.1.5"  # pragma: no cover