[Snyk] Security upgrade python from 3.13.7-slim to 3.14.1-slim #12
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-DEBIAN13-OPENSSL-13174592 - https://snyk.io/vuln/SNYK-DEBIAN13-OPENSSL-13174592 - https://snyk.io/vuln/SNYK-DEBIAN13-OPENSSL-13174602 - https://snyk.io/vuln/SNYK-DEBIAN13-OPENSSL-13174602 - https://snyk.io/vuln/SNYK-DEBIAN13-OPENSSL-13174605
Summary of ChangesHello @doublegate, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request implements an automated security upgrade, updating the Python base image within the Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request from Snyk upgrades the Python base image in services/arms/retriever/Dockerfile to address security vulnerabilities. This is a good change, but it introduces a critical issue that will break the Docker build. I've left a specific comment on how to resolve the build failure, which is caused by a hardcoded Python version in a COPY path.
I also noticed that several other Dockerfiles in the repository are using the same outdated Python base image. To ensure consistent security and prevent similar build issues, I recommend upgrading the following files as well, applying the same fix for the hardcoded paths:
services/arms/coder/Dockerfileservices/arms/judge/Dockerfileservices/arms/planner/Dockerfileservices/arms/safety-guardian/Dockerfileservices/orchestrator/Dockerfile
| # syntax=docker/dockerfile:1 | ||
| # Retriever Arm Dockerfile - Multi-stage build for Python service | ||
| FROM python:3.13.7-slim as builder | ||
| FROM python:3.14.1-slim as builder |
There was a problem hiding this comment.
This base image upgrade introduces a build failure. The COPY instruction on line 41 has a hardcoded path for Python 3.13: COPY --from=builder /usr/local/lib/python3.13/site-packages ....
Since the builder stage now uses Python 3.14, this path no longer exists, and the build will fail. The destination path is also incorrect.
To fix this, you need to update the path on line 41 to use python3.14.
A more robust solution for the future would be to use an ARG to define the Python version and use it in both the FROM and COPY instructions. For example:
ARG PYTHON_VERSION=3.14
ARG PYTHON_FULL_VERSION=3.14.1
FROM python:${PYTHON_FULL_VERSION}-slim as builder
...
COPY --from=builder /usr/local/lib/python${PYTHON_VERSION}/site-packages /usr/local/lib/python${PYTHON_VERSION}/site-packages![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| FROM python:3.14.1-slim as builder | ||
|
|
There was a problem hiding this comment.
After bumping the builder base to python:3.14.1-slim, the later COPY still targets /usr/local/lib/python3.13/site-packages (line 41). In Python 3.14 images that path is absent, so the copy step will fail or leave the runtime image without installed dependencies, blocking image builds. Update the source/destination to the 3.14 site-packages path to match the new base image.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Pull request overview
This PR upgrades the Python base image from 3.13.7-slim to 3.14.1-slim in the Retriever service Dockerfile to address OpenSSL vulnerabilities (CVE-2025-9230, CVE-2025-9231, CVE-2025-9232). However, the upgrade is incomplete and will cause the Docker build to fail.
Key Changes:
- Updated both builder and runtime stage FROM statements to use Python 3.14.1-slim
- Addresses 3 low-severity OpenSSL vulnerabilities in the base image
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # syntax=docker/dockerfile:1 | ||
| # Retriever Arm Dockerfile - Multi-stage build for Python service | ||
| FROM python:3.13.7-slim as builder | ||
| FROM python:3.14.1-slim as builder |
There was a problem hiding this comment.
The Python version upgrade is incomplete. While the FROM statements have been updated to 3.14.1, line 41 still references the old Python 3.13 directory path:
COPY --from=builder /usr/local/lib/python3.13/site-packages /usr/local/lib/python3.13/site-packagesThis line must also be updated to use python3.14 instead of python3.13, otherwise the Docker build will fail when trying to copy from a non-existent directory:
COPY --from=builder /usr/local/lib/python3.14/site-packages /usr/local/lib/python3.14/site-packages
Snyk has created this PR to fix 3 vulnerabilities in the dockerfile dependencies of this project.
Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.
Snyk changed the following file(s):
services/arms/retriever/DockerfileWe recommend upgrading to
python:3.14.1-slim, as this image has only 23 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.Vulnerabilities that will be fixed with an upgrade:
SNYK-DEBIAN13-OPENSSL-13174592
SNYK-DEBIAN13-OPENSSL-13174592
SNYK-DEBIAN13-OPENSSL-13174602
SNYK-DEBIAN13-OPENSSL-13174602
SNYK-DEBIAN13-OPENSSL-13174605
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.