Skip to content

[Snyk] Security upgrade python from 3.10-slim to 3.13.3-slim #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
KB01111 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Security upgrade python from 3.10-slim to 3.13.3-slim #2

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# syntax=docker/dockerfile:1.4

# ---- Build stage ----
FROM python:3.10-slim AS builder
FROM python:3.13.3-slim AS builder
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot May 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Upgrading the Python version in the builder stage to 3.13.3-slim is a good step for security. However, this change necessitates an update to how dependencies are copied to the production stage.

Critical Issue:
Currently, line 24 of the Dockerfile (which is not part of this diff but is directly affected by this change) is:

COPY --from=builder /usr/local/lib/python3.10/site-packages /usr/local/lib/python3.10/site-packages

With Python 3.13.3 in the builder stage (this line) and also in the production stage (line 15), the source path for site-packages from the builder and the destination path in the production image are now incorrect. They will still point to a Python 3.10 directory, but the Python runtime and installed packages will be for 3.13.

Could you please ensure that line 24 is updated to correctly reference Python 3.13 paths? It should likely be:

COPY --from=builder /usr/local/lib/python3.13/site-packages /usr/local/lib/python3.13/site-packages

Without this change, the application will likely fail to find its dependencies in the production image, leading to runtime errors.

Suggestion for Future Maintainability (Medium Severity):
To make future Python version upgrades easier and less error-prone, consider using ARG to define the Python version and use it consistently throughout the Dockerfile. For example:

ARG PYTHON_FULL_VERSION=3.13.3
ARG PYTHON_MAJOR_MINOR_VERSION=3.13 # Derived from PYTHON_FULL_VERSION

# ---- Build stage ----
FROM python:${PYTHON_FULL_VERSION}-slim AS builder
# ...
# ---- Production image ----
FROM python:${PYTHON_FULL_VERSION}-slim
# ...
# Copy installed packages from builder
# Note: You'd need to ensure PYTHON_MAJOR_MINOR_VERSION is available in this scope
# or re-declare ARGs in each stage if they don't persist.
COPY --from=builder /usr/local/lib/python${PYTHON_MAJOR_MINOR_VERSION}/site-packages /usr/local/lib/python${PYTHON_MAJOR_MINOR_VERSION}/site-packages

This would centralize the version string and reduce the chances of inconsistencies like the current one.

Finally, it's highly recommended to thoroughly test the application after this Python version upgrade to ensure compatibility and functionality.

WORKDIR /app

# System deps for building wheels, psycopg2, etc.
Expand All @@ -12,7 +12,7 @@ COPY requirements-dev.txt ./
RUN pip install --upgrade pip && pip install -r requirements.txt

# ---- Production image ----
FROM python:3.10-slim
FROM python:3.13.3-slim

ENV PYTHONUNBUFFERED=1
WORKDIR /app
Expand Down
Loading