edjson
diff --git a/‎docker/Dockerfile‎
Lines changed: 23 additions & 0 deletions b/‎docker/Dockerfile‎
Lines changed: 23 additions & 0 deletions
@@ -125,6 +125,7 @@ RUN if [ "$INSTALL_UCCL_EP" = "True" ]; then \
 
 # Address base image CVE
 RUN pip install "aiohttp>=3.13.3" \
+        "black>=26.3.1" \
         "jaraco-context>=6.1.0" \
         "nbconvert>=7.17.0" \
         "pillow>=12.1.1" \
@@ -154,6 +155,28 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     uv sync --extra $AUTOMODEL_INSTALL --all-groups $UV_SYNC_ARGS && \
     uv cache prune --ci
 
+# Patch wandb-core: bump google.golang.org/grpc (CVE fix)
+ARG TARGETARCH
+RUN if python3 -c "import wandb" 2>/dev/null; then \
+        GRPC_VERSION=1.79.3 && \
+        GO_VERSION=1.26.1 && \
+        WANDB_VERSION=$(python3 -c "import wandb; print(wandb.__version__)") && \
+        WANDB_CORE_BIN=/opt/venv/lib/python3.12/site-packages/wandb/bin/wandb-core && \
+        curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-${TARGETARCH}.tar.gz" | tar -C /tmp -xz && \
+        export PATH="/tmp/go/bin:$PATH" && \
+        export GOPATH=/tmp/gopath && \
+        git clone --depth 1 --branch "v${WANDB_VERSION}" https://github.com/wandb/wandb.git /tmp/wandb-src && \
+        cd /tmp/wandb-src/core && \
+        go get google.golang.org/grpc@v${GRPC_VERSION} && \
+        go mod tidy && \
+        go mod vendor && \
+        CGO_ENABLED=0 GOOS=linux GOARCH=${TARGETARCH} go build -trimpath -ldflags="-s -w" \
+            -o "${WANDB_CORE_BIN}" ./cmd/wandb-core/ && \
+        rm -rf /tmp/wandb-src /tmp/go /tmp/gopath; \
+    else \
+        echo "wandb not installed, skipping CVE patch"; \
+    fi
+
 COPY . /opt/Automodel
 
 WORKDIR /opt/Automodel