
Conversation


Copilot AI commented Dec 5, 2025

Docker image scan identified HIGH/CRITICAL vulnerabilities in Alpine packages (imagemagick, libpng, libxml2, postgresql). The final stage was missing apk upgrade, so security patches weren't being applied.

Changes

  • Added apk upgrade after apk update in the final stage to pull latest package versions with security fixes

RUN \
  apk update \
  # Added - was missing
  && apk upgrade \
  && apk add --no-cache --virtual .deps \

Note

Go dependency vulnerabilities (containerd, golang.org/x/crypto, etc.) are transitive via docker-cli and will resolve when Alpine updates that package.

Original prompt

This section details the original issue you should resolve

<issue_title>Address docker image scan results</issue_title>
<issue_description>A scan of our docker image surfaced the following vulnerabilities:

| Package | Version | Vulnerability | Severity |
| --- | --- | --- | --- |
| imagemagick | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-c++ | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-dev | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-heic | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-jpeg | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-jxl | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-libs | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-openexr | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-webp | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| libecpg | 17.6-r0 | CVE-2025-12818 | HIGH |
| libecpg-dev | 17.6-r0 | CVE-2025-12818 | HIGH |
| libpng | 1.6.47-r0 | CVE-2025-64720 | HIGH |
| libpng | 1.6.47-r0 | CVE-2025-65018 | HIGH |
| libpng-dev | 1.6.47-r0 | CVE-2025-64720 | HIGH |
| libpng-dev | 1.6.47-r0 | CVE-2025-65018 | HIGH |
| libpq | 17.6-r0 | CVE-2025-12818 | HIGH |
| libpq-dev | 17.6-r0 | CVE-2025-12818 | HIGH |
| libxml2 | 2.13.8-r0 | CVE-2025-49794 | CRITICAL |
| libxml2 | 2.13.8-r0 | CVE-2025-49796 | CRITICAL |
| libxml2 | 2.13.8-r0 | CVE-2025-49795 | HIGH |
| libxml2 | 2.13.8-r0 | CVE-2025-6021 | HIGH |
| postgresql17-dev | 17.6-r0 | CVE-2025-12818 | HIGH |
| github.com/containerd/containerd/v2 | v2.0.2 | CVE-2024-25621 | HIGH |
| golang.org/x/crypto | v0.31.0 | CVE-2025-22869 | HIGH |
| golang.org/x/oauth2 | v0.24.0 | CVE-2025-22868 | HIGH |
| stdlib | 1.22.10 | CVE-2025-47907 | HIGH |
| stdlib | 1.22.10 | CVE-2025-58183 | HIGH |
| stdlib | 1.22.10 | CVE-2025-58186 | HIGH |
| stdlib | 1.22.10 | CVE-2025-58187 | HIGH |
| stdlib | 1.22.10 | CVE-2025-61729 | HIGH |

We should update packages to address the vulnerabilities.

Originally posted by @github-actions[bot] in appwrite/appwrite#10903 (comment)
</issue_description>

Comments on the Issue (you are @copilot in this section)

coderabbitai bot commented Dec 5, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

This change adds `apk upgrade` in the final stage of the Dockerfile,
ensuring that all Alpine packages are upgraded to their latest versions
with security patches.

This addresses the vulnerabilities reported in the docker image scan:
- CVE-2025-62171 (imagemagick packages)
- CVE-2025-64720, CVE-2025-65018 (libpng)
- CVE-2025-49794, CVE-2025-49796, CVE-2025-49795, CVE-2025-6021 (libxml2)
- CVE-2025-12818 (postgresql packages)

Co-authored-by: stnguyen90 <1477010+stnguyen90@users.noreply.github.com>
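Both the PR description above and this commit message rest on the same point: a final build stage that runs `apk update` (or installs packages) without `apk upgrade` keeps whatever package versions the base image shipped with, so Alpine security fixes never land. The following is an added example, not code from the appwrite PR or its Dockerfile: a small POSIX shell lint suitable for CI that extracts the last stage of a Dockerfile, flattens each RUN the way Docker does (comment lines dropped, backslash continuations joined), and fails when a RUN calls `apk update` without also calling `apk upgrade`. The function names (`final_stage`, `flatten_run`, `check_final_stage_upgrade`), the two sample Dockerfiles and their base-image tags are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the appwrite PR: a CI lint that fails when the
# final stage of a Dockerfile runs `apk update` without `apk upgrade` in the
# same RUN instruction. Function names and sample Dockerfiles are constructed.

# Print only the last build stage (everything from the last FROM onward).
final_stage() {
  awk '
    /^[ \t]*FROM[ \t]/ { buf = "" }   # a new stage starts: discard earlier text
    { buf = buf $0 "\n" }
    END { printf "%s", buf }
  ' "$1"
}

# Drop comment lines, then join backslash continuations, so each RUN becomes
# a single line, which is how Docker itself sees it.
flatten_run() {
  sed -e '/^[ \t]*#/d' | sed -e :a -e '/\\$/N; s/\\\n//; ta'
}

# Exit 0 when every RUN in the final stage that calls `apk update` also calls
# `apk upgrade`; exit 1 otherwise (a stage with no `apk update` also passes).
check_final_stage_upgrade() {
  final_stage "$1" | flatten_run | awk '
    BEGIN { bad = 0 }
    /apk[ \t]+update/ && !/apk[ \t]+upgrade/ { bad = 1 }
    END { exit bad }
  '
}

# Constructed sample Dockerfiles shaped like the fix described in the PR
# (base-image tags are illustrative, not the project's).
BEFORE=$(mktemp)
AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
FROM golang:1.22-alpine AS builder
RUN apk update && apk add --no-cache git

FROM alpine:3.22
RUN \
  apk update \
  && apk add --no-cache --virtual .deps \
     imagemagick libpng libxml2 libpq
EOF
cat > "$AFTER" <<'EOF'
FROM golang:1.22-alpine AS builder
RUN apk update && apk add --no-cache git

FROM alpine:3.22
RUN \
  apk update \
  # pull current security fixes before installing anything
  && apk upgrade \
  && apk add --no-cache --virtual .deps \
     imagemagick libpng libxml2 libpq
EOF

for f in "$BEFORE" "$AFTER"; do
  if check_final_stage_upgrade "$f"; then
    echo "ok:   final stage upgrades packages ($f)"
  else
    echo "FAIL: final stage runs apk update without apk upgrade ($f)"
  fi
done
```

The builder stage in both samples also runs `apk update` without an upgrade, but the lint ignores it: only the last stage ends up in the shipped image, which is why the PR targets that stage. The check is deliberately narrow (same RUN instruction) so it mirrors the exact shape of the fix; it says nothing about the Go module findings in the scan, which, as the PR notes, come in transitively and are not touched by `apk upgrade`. Note also that `apk upgrade` can only pull a fix once the Alpine repository index carries it, so the image still has to be rebuilt after the fix is published.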
Copilot AI changed the title from "[WIP] Fix vulnerabilities in docker image scan results" to "Add apk upgrade to final stage to address security vulnerabilities" on Dec 5, 2025
Copilot AI requested a review from stnguyen90 December 5, 2025 00:38
Copilot finished work on behalf of stnguyen90 December 5, 2025 00:38
Development

Successfully merging this pull request may close these issues.

Address docker image scan results