Debian Trixie and more vulnerabilities fixed (#16)

* Fix tests
* Restore whitespace back
* Switch to Debian trixie
* Fix setuptools and upgrade simba ODBC
* Upgrade werkzeug to 3.x
* Medium risk vuln python library updates
* Fix default port (mirror upstream repo)

Author: wtfiwtz

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:20-bookworm AS frontend-builder
+FROM node:20-trixie AS frontend-builder
 
 RUN npm install --global --force [email protected]
 
@@ -19,7 +19,6 @@ COPY --chown=redash scripts /frontend/scripts
 # Controls whether to instrument code for coverage information
 ARG code_coverage
 ENV BABEL_ENV=${code_coverage:+test}
-ENV GITHUB_PAT=${GITHUB_PAT}
 
 # Avoid issues caused by lags in disk and network I/O speeds when working on top of QEMU emulation for multi-platform image building.
 RUN yarn config set network-timeout 300000
@@ -38,12 +37,15 @@ RUN <<EOF
   fi
 EOF
 
-FROM python:3.11-slim-bookworm
+FROM python:3.11-slim-trixie
 
 EXPOSE 5000
 
 RUN useradd --create-home redash
 
+# Add Debian trixie-proposed-updates repository
+RUN echo "deb http://deb.debian.org/debian trixie-proposed-updates main" > /etc/apt/sources.list.d/trixie-proposed-updates.list
+
 # Ubuntu packages
 RUN apt-get update && \
   apt-get install -y --no-install-recommends \
@@ -75,11 +77,11 @@ RUN apt-get update && \
 
 
 ARG TARGETPLATFORM
-ARG databricks_odbc_driver_url=https://databricks-bi-artifacts.s3.us-east-2.amazonaws.com/simbaspark-drivers/odbc/2.6.26/SimbaSparkODBC-2.6.26.1045-Debian-64bit.zip
+ARG databricks_odbc_driver_url=https://databricks-bi-artifacts.s3.us-east-2.amazonaws.com/simbaspark-drivers/odbc/2.9.2/SimbaSparkODBC-2.9.2.1008-Debian-64bit.zip
 RUN <<EOF
   if [ "$TARGETPLATFORM" = "linux/amd64" ]; then
     curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor -o /usr/share/keyrings/microsoft-prod.gpg
-    curl https://packages.microsoft.com/config/debian/12/prod.list > /etc/apt/sources.list.d/mssql-release.list
+    curl https://packages.microsoft.com/config/debian/13/prod.list > /etc/apt/sources.list.d/mssql-release.list
     apt-get update
     ACCEPT_EULA=Y apt-get install  -y --no-install-recommends msodbcsql18
     apt-get clean
@@ -110,7 +112,9 @@ ARG POETRY_OPTIONS="--no-root --no-ansi --no-interaction"
 # disabled by default due to GPL license conflict
 ARG install_groups="main,all_ds,dev"
 RUN --mount=type=cache,target=/root/.cache/pypoetry \
-    /etc/poetry/bin/poetry install --only $install_groups $POETRY_OPTIONS
+    /etc/poetry/bin/poetry install --only $install_groups $POETRY_OPTIONS && \
+    /etc/poetry/bin/poetry add "setuptools@latest"
+RUN rm -rf /etc/poetry/venv/lib/python3.11/site-packages/setuptools-65.5.0.dist-info/
 
 COPY --chown=redash . /app
 COPY --from=frontend-builder --chown=redash /frontend/client/dist /app/client/dist

compose.yaml

@@ -12,7 +12,7 @@ x-redash-service: &redash-service
   env_file:
     - .env
 x-redash-environment: &redash-environment
-  REDASH_HOST: http://localhost:5000
+  REDASH_HOST: http://localhost:5001
   REDASH_LOG_LEVEL: "INFO"
   REDASH_REDIS_URL: "redis://redis:6379/0"
   REDASH_DATABASE_URL: "postgresql://postgres@postgres/postgres"
@@ -31,7 +31,7 @@ services:
       - postgres
       - redis
     ports:
-      - "5000:5000"
+      - "5001:5000"
       - "5678:5678"
     environment:
       <<: *redash-environment