
Commit e1493c1

authored
Merge pull request #496 from jackseceng/3.15.0a6-upgrade
fix(python-vulns): Compiling python from source in dockerfile to avoi…
2 parents 53385c0 + 0cf71a7 commit e1493c1

1 file changed

Lines changed: 22 additions & 7 deletions


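--- a/Dockerfile
+++ b/Dockerfile
@@ -1,21 +1,35 @@
 # Stage 1: Build stage environment using alpine python Image
-FROM python:3.14-alpine3.22 AS build-env
+FROM alpine:3.22 AS build-env
 
 # Set build directory
 WORKDIR /build
 
 # Copy application files
 COPY . .
 
-# Install python dependencies into a target directory
+# Build Python 3.15.0a6 and apk dependencies from source
 RUN set -e; \
 apk add --no-cache \
 build-base=0.5-r3 \
 cmake=3.31.7-r1 \
 coreutils=9.7-r1 \
-libffi-dev=3.4.8-r0; \
-pip install --no-cache-dir --upgrade 'pip==26.0'; \
-pip install --no-cache-dir -r requirements.txt --target /packages;
+libffi-dev=3.4.8-r0 \
+openssl-dev=3.5.5-r0 \
+zlib-dev=1.3.1-r2 \
+bzip2-dev=1.0.8-r6 \
+xz-dev=5.8.1-r0 \
+wget=1.25.0-r1; \
+wget --progress=dot:giga https://www.python.org/ftp/python/3.15.0/Python-3.15.0a6.tgz; \
+tar -xzf Python-3.15.0a6.tgz; \
+./Python-3.15.0a6/configure --prefix=/usr/local --enable-shared --with-ensurepip=install; \
+make -j"$(nproc)"; \
+make install; \
+ln -s /usr/local/bin/python3.15 /usr/local/bin/python;
+
+# Install python dependencies into a target directory
+RUN set -e; \
+pip3.15 install --no-cache-dir --upgrade 'pip==26.0'; \
+PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1 pip3.15 install --no-cache-dir -r requirements.txt --target /packages;
 
 
 # Stage 2: Runtime Stage using scratch Image
@@ -24,12 +38,13 @@ FROM scratch
 # Copy necessary system libraries and interpreter from build-env
 COPY --from=build-env /lib/ld-musl-x86_64.so.1 /lib/ld-musl-x86_64.so.1
 COPY --from=build-env /lib/libc.musl-x86_64.so.1 /lib/libc.musl-x86_64.so.1
-COPY --from=build-env /usr/local/lib/libpython3.14.so.1.0 /usr/local/lib/libpython3.14.so.1.0
-COPY --from=build-env /usr/local/lib/python3.14 /usr/local/lib/python3.14
+COPY --from=build-env /usr/local/lib/libpython3.15.so.1.0 /usr/local/lib/libpython3.15.so.1.0
+COPY --from=build-env /usr/local/lib/python3.15 /usr/local/lib/python3.15
 COPY --from=build-env /usr/lib/libssl.so.3 /usr/lib/libssl.so.3
 COPY --from=build-env /usr/lib/libcrypto.so.3 /usr/lib/libcrypto.so.3
 COPY --from=build-env /usr/lib/libz.so.1 /usr/lib/libz.so.1
 COPY --from=build-env /usr/lib/libgcc_s.so.1 /usr/lib/libgcc_s.so.1
+COPY --from=build-env /usr/lib/libffi.so.8 /usr/lib/libffi.so.8
 
 # Copy Python installation
 COPY --from=build-env /usr/local/bin/python /usr/local/bin/python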
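Review bot: The Python source tarball fetched by `wget` in the first RUN (new lines 22–23) is unpacked and compiled with no integrity check, so the interpreter copied into the scratch image is only as trustworthy as the TLS connection and whatever that URL serves at build time. Pin the expected digest and verify it before `tar`, for example `echo "<EXPECTED_SHA256_PLACEHOLDER>  Python-3.15.0a6.tgz" | sha256sum -c -; \` directly after the `wget` line, taking the value from the verification material published with the release. Separately, 3.15.0a6 is an alpha build, and `PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1` suggests at least one dependency is compiled against an interpreter version it does not yet formally support (inferred from the flag). A comment above the build step such as `# Pre-release interpreter used to pick up fixes not yet in a stable release; move back to a stable tag once available` would record why the pre-release was chosen and when to revert. The stage 2 `FROM scratch` block continues outside the second hunk.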
