
[Snyk] Security upgrade python from 3.14.1-slim to 3.14.3-slim#29

Open
AndrewHanasiro wants to merge 1 commit into main from snyk-fix-11c9818aef68ef08b580316ae898bfd9

Conversation

@AndrewHanasiro (Member)

Snyk has created this PR to fix 5 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

  • Dockerfile

We recommend upgrading to python:3.14.3-slim, as this image has only 26 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

Issue                                                          Score
low severity  CVE-2025-69421  SNYK-DEBIAN13-OPENSSL-15123186   686
low severity  CVE-2025-15467  SNYK-DEBIAN13-OPENSSL-15123178   436
low severity  CVE-2025-66199  SNYK-DEBIAN13-OPENSSL-15123183   436
low severity  CVE-2026-22796  SNYK-DEBIAN13-OPENSSL-15123187   436
low severity  CVE-2025-68160  SNYK-DEBIAN13-OPENSSL-15123204   436

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
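The step Snyk leaves to the reader is confirming that the Dockerfile really lands on the recommended tag, and keeps doing so after later edits. The following is an added example, not code from Snyk or from this repository: a small check that parses every `FROM` line of a Dockerfile, compares the `python` image tag against a minimum patched tag such as `3.14.3-slim`, and flags tags that cannot be compared (a bare `3.14` or `latest` floats to whatever the registry currently serves, so a scanner's verdict on it is only a snapshot). The two Dockerfile strings are constructed samples that model only the `FROM` line this PR changes; the project's real Dockerfile is not shown on the page.

```python
"""Check that a Dockerfile's python base image meets a minimum patched tag."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample Dockerfiles (assumption: they model only the FROM line the
# Snyk PR changes; the project's real Dockerfile is not on the page).
DOCKERFILE_BEFORE = "FROM python:3.14.1-slim\nWORKDIR /app\n"
DOCKERFILE_AFTER = "FROM python:3.14.3-slim\nWORKDIR /app\n"

# Matches any FROM instruction, including --platform flags and multi-stage `AS name`.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+\S+)?\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# Only full X.Y.Z[-variant] tags are comparable; "3.14" or "latest" float.
TAG_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?P<variant>.+))?$")


@dataclass(frozen=True)
class ImageRef:
    repo: str            # e.g. "python" or "docker.io/library/python"
    tag: Optional[str]   # e.g. "3.14.3-slim"; None when only a digest is given
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'repo[:tag][@sha256:...]' into its parts."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A colon after the last slash separates the tag; one before it is a registry port.
    head, sep, last = ref.rpartition("/")
    if ":" in last:
        name, tag = last.rsplit(":", 1)
        repo = f"{head}{sep}{name}"
    else:
        repo, tag = ref, None
    return ImageRef(repo=repo, tag=tag, digest=digest)


def parse_tag(tag: str):
    """'3.14.3-slim' -> ((3, 14, 3), 'slim'); None for tags that are not X.Y.Z[-variant]."""
    m = TAG_RE.match(tag)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group("variant")


def check_base_image(dockerfile_text: str, minimum: str = "3.14.3-slim",
                     repo_name: str = "python"):
    """Return one (ImageRef, status) finding per FROM line that uses the python image.

    status: 'ok', 'outdated', 'floating' (tag is not X.Y.Z, so the base can change
    under you and cannot be compared), 'variant-mismatch' (e.g. slim vs alpine),
    or 'digest-only' (pinned, but the version is not visible without pulling it).
    """
    min_version, min_variant = parse_tag(minimum)
    findings = []
    for m in FROM_RE.finditer(dockerfile_text):
        ref = parse_image_ref(m.group("ref"))
        if ref.repo.split("/")[-1] != repo_name:
            continue  # a build-stage alias (FROM builder) or an unrelated image
        if ref.tag is None:
            findings.append((ref, "digest-only"))
            continue
        parsed = parse_tag(ref.tag)
        if parsed is None:
            findings.append((ref, "floating"))
            continue
        version, variant = parsed
        if variant != min_variant:
            findings.append((ref, "variant-mismatch"))
        elif version < min_version:
            findings.append((ref, "outdated"))
        else:
            findings.append((ref, "ok"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", DOCKERFILE_BEFORE), ("after", DOCKERFILE_AFTER)):
        for ref, status in check_base_image(text):
            print(f"{label}: {ref.repo}:{ref.tag} -> {status}")
```

Run in CI against the checked-in Dockerfile, this turns "verify your application still works" into two separate gates: the tag gate above, and the project's own test suite for behaviour. A `digest-only` or `floating` finding is not a failure by itself, but it means the Snyk score table cannot be mapped onto the image without resolving what the registry actually serves.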

@coderabbitai

coderabbitai bot commented Feb 5, 2026

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@greptile-apps

greptile-apps bot commented Feb 5, 2026

Greptile Overview

Greptile Summary

This PR upgrades the Python base Docker image from 3.14.1-slim to 3.14.3-slim, addressing 5 OpenSSL security vulnerabilities in the Debian 13 base system.

Key Changes:

  • Updated base image from python:3.14.1-slim to python:3.14.3-slim
  • Fixes 5 low-severity OpenSSL CVEs with scores ranging from 436-686
  • No functional changes to application code or dependencies

Compatibility Assessment:

  • Project requires Python >=3.14 (pyproject.toml:9) - fully compatible
  • Patch version upgrade maintains backward compatibility
  • No changes to Poetry configuration, dependencies, or build process

Security Impact:

Confidence Score: 5/5

  • This PR is safe to merge - it's a standard patch-level security upgrade with no breaking changes
  • This is a straightforward security patch that upgrades Python from 3.14.1 to 3.14.3, maintaining full compatibility with the project's Python >=3.14 requirement. Patch version upgrades in Python are designed to be backward-compatible and only include bug fixes and security patches. The change addresses legitimate security vulnerabilities without modifying any application code, dependencies, or build configuration.
  • No files require special attention

Important Files Changed

Filename     Overview
Dockerfile   Python base image upgraded from 3.14.1-slim to 3.14.3-slim to fix 5 OpenSSL vulnerabilities

Sequence Diagram

```mermaid
sequenceDiagram
    participant Dev as Developer
    participant Docker as Docker Build
    participant Registry as Docker Registry
    participant Base as Python Base Image
    participant App as Application Container

    Dev->>Docker: Initiate build with Dockerfile
    Docker->>Registry: Pull python:3.14.3-slim
    Registry->>Base: Download base image
    Note over Base: Contains patched OpenSSL<br/>(fixes 5 CVEs)
    Base->>Docker: Image downloaded
    Docker->>Docker: Set WORKDIR /app
    Docker->>Docker: Install system deps<br/>(python3-dev, libpq-dev, gcc)
    Docker->>Docker: Install pipx and Poetry 2.2.1
    Docker->>Docker: Copy application files
    Docker->>Docker: Create virtual environment
    Docker->>Docker: Run poetry install
    Docker->>App: Built container ready
    Note over App: Secure container with<br/>updated Python 3.14.3
```

@sonarqubecloud

sonarqubecloud bot commented Feb 5, 2026

@codacy-production

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation: +0.00%    Diff coverage: ∅ (not applicable)

Coverage variation details

Commit                               Coverable lines   Covered lines   Coverage
Common ancestor commit (84e4d88)     1265              1167            92.25%
Head commit (55ea884)                1265 (+0)         1167 (+0)       92.25% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

Scope                 Coverable lines   Covered lines   Diff coverage
Pull request (#29)    0                 0               ∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%
