fix: update base image and dependencies for improved stability

Zalfsten · Zalfsten · commit e9787af47aed · 2026-02-11T09:51:04.000Z
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Use secure Wolfi base image (without Python installed)
-FROM cgr.dev/chainguard/wolfi-base@sha256:e1d402d624011d0f4439bfb0d46a3ddc692465103c7234a326e0194953c3cfe0 AS builder
+FROM cgr.dev/chainguard/wolfi-base@sha256:1c56f3ceb1c9929611a1cc7ab7a5fde1ec5df87add282029cd1596b8eae5af67 AS builder
 # Do not cache the Python bytecode (aka don't create__pycache__ folders)
 ENV PYTHONDONTWRITEBYTECODE=1
 # Do not buffer stdout/stderr
@@ -8,11 +8,11 @@ ENV PYTHONUNBUFFERED=1
 WORKDIR /middleware
 # Install python and needed build tools
 RUN apk add --no-cache \
-    python-3.12=3.12.10-r0 \
-    py3.12-pip=25.1-r0 \
-    python-3.12-dev=3.12.10-r0 \
-    jq=1.8.1-r2 \
-    build-base=1-r8
+    python-3.12=3.12.12-r4 \
+    py3.12-pip=26.0.1-r0 \
+    python-3.12-dev=3.12.12-r4 \
+    jq=1.8.1-r3 \
+    build-base=1-r9
 # Set the user to nonroot. It's defined in the Wolfi base image with the user id 65532
 USER nonroot
 # Copy the requirements.txt file to the container
@@ -23,7 +23,7 @@ RUN pip install --no-cache-dir -r requirements.txt --user
 # Actually we would like to use the Wolfi python image for the runtime as it contains even less software (e.g. no shell)
 # and thus a smaller attack surface. Unfortunately the Wolfi project only features the current development versions of
 # images for free. The older but stable python 3.11 is not available.
-FROM cgr.dev/chainguard/wolfi-base@sha256:e1d402d624011d0f4439bfb0d46a3ddc692465103c7234a326e0194953c3cfe0
+FROM cgr.dev/chainguard/wolfi-base@sha256:1c56f3ceb1c9929611a1cc7ab7a5fde1ec5df87add282029cd1596b8eae5af67
 # Set the working directory in the container
 # copy python packages from builder stage
 COPY --from=builder /home/nonroot/.local /home/nonroot/.local
@@ -38,11 +38,11 @@ COPY entrypoint.sh /entrypoint.sh
 # Create output directory (mountpoint)
 # and set permissions of the middleware folder
 RUN apk add --no-cache \
-        python-3.12=3.12.10-r0 \
-        py3.12-setuptools=80.0.0-r0 \
-        git=2.49.0-r1 \
-        jq=1.8.1-r2 \
-        openssh-client=10.0_p1-r0 && \
+        python-3.12=3.12.12-r4 \
+        py3.12-setuptools=82.0.0-r0 \
+        git=2.53.0-r0 \
+        jq=1.8.1-r3 \
+        openssh-client=10.2_p1-r3 && \
     chown -R nonroot:nonroot /middleware /test && \
     chmod +x /entrypoint.sh
 WORKDIR /
