[Snyk] Security upgrade python from 3.13.7-slim to 3.14.2-slim #16
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-DEBIAN13-OPENSSL-13174592 - https://snyk.io/vuln/SNYK-DEBIAN13-OPENSSL-13174592 - https://snyk.io/vuln/SNYK-DEBIAN13-OPENSSL-13174602 - https://snyk.io/vuln/SNYK-DEBIAN13-OPENSSL-13174605 - https://snyk.io/vuln/SNYK-DEBIAN13-OPENSSL-13174605
Summary of ChangesHello @doublegate, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request implements a security-driven upgrade of the Python base image used in the Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request from Snyk upgrades the Python base image to 3.14.2-slim to address security vulnerabilities. This is a valuable update. However, the change as proposed will break the Docker build for the planner service because a path in a COPY instruction is hardcoded with the old Python version. I've added a critical comment with the necessary fix.
I also noticed that several other Dockerfiles for Python services (coder, judge, retriever, safety-guardian, orchestrator) use the same vulnerable base image and will face the same build issue when updated. I recommend updating all of them in this PR to ensure consistency and security across all services.
To make future updates easier, you might consider using an ARG to define the Python version at the top of each Dockerfile and reference it in both the FROM and COPY instructions. This would prevent similar breakages in the future.
| # syntax=docker/dockerfile:1 | ||
| # Planner Arm Dockerfile - Multi-stage build for Python service | ||
| FROM python:3.13.7-slim as builder | ||
| FROM python:3.14.2-slim as builder |
There was a problem hiding this comment.
While upgrading the Python base image is a good security practice, this change as-is will cause the Docker build to fail. The COPY instruction on line 41 hardcodes the Python version in the path for site-packages:
COPY --from=builder /usr/local/lib/python3.13/site-packages /usr/local/lib/python3.13/site-packages
With the base image updated to python:3.14.2-slim, this path will be incorrect. The build will fail because the source path /usr/local/lib/python3.13/site-packages will not exist in the builder stage, which now uses Python 3.14.
To fix this, line 41 needs to be updated to use python3.14:
COPY --from=builder /usr/local/lib/python3.14/site-packages /usr/local/lib/python3.14/site-packagesThere was a problem hiding this comment.
Pull request overview
This PR attempts to upgrade the Python base Docker image from 3.13.7-slim to 3.14.2-slim to fix several low-severity OpenSSL CVEs (CVE-2025-9231, CVE-2025-9230, CVE-2025-9232). However, there is a critical issue: Python 3.14.2 does not exist as a valid release.
Key Changes
- Updated base image in builder stage from
python:3.13.7-slimtopython:3.14.2-slim - Updated base image in runtime stage from
python:3.13.7-slimtopython:3.14.2-slim
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Snyk has created this PR to fix 3 vulnerabilities in the dockerfile dependencies of this project.
Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.
Snyk changed the following file(s):
services/arms/planner/DockerfileWe recommend upgrading to
python:3.14.2-slim, as this image has only 23 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.Vulnerabilities that will be fixed with an upgrade:
SNYK-DEBIAN13-OPENSSL-13174592
SNYK-DEBIAN13-OPENSSL-13174592
SNYK-DEBIAN13-OPENSSL-13174602
SNYK-DEBIAN13-OPENSSL-13174605
SNYK-DEBIAN13-OPENSSL-13174605
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.