discourse · SamSaffron · Jun 11, 2026 · Jun 11, 2026 · fitzy101 · Jun 11, 2026
diff --git a/image/base/Dockerfile b/image/base/Dockerfile
@@ -147,7 +147,12 @@ COPY --from=cjpegli-builder /usr/local/bin/cjpegli /usr/local/bin
 
 ADD install-redis /tmp/install-redis
 
-RUN gem install pups --force &&\
+# version check: https://rubygems.org/gems/pups
+RUN cd /tmp &&\
+    gem fetch pups --version 1.4.0 &&\
+    echo "5809731d6f4819defe1aac694e614c4b3d9958b5f378a70edf761f3808877052 pups-1.4.0.gem" | sha256sum -c &&\
+    gem install --local --force pups-1.4.0.gem &&\
+    rm pups-1.4.0.gem &&\
     mkdir -p /pups/bin/ &&\
     ln -s /usr/local/bin/pups /pups/bin/pups
 
@@ -159,14 +164,20 @@ COPY etc/  /etc
 COPY sbin/ /sbin
 
 FROM discourse-runtime-base AS discourse-build-base
+# From https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
+# fingerprint: 6F71 F525 2828 41EE DAF8 51B4 2F59 B5F9 9B1B E0B4
+ADD nodesource-repo.gpg.key /usr/share/keyrings/nodesource.asc
+# From https://dl.yarnpkg.com/debian/pubkey.gpg
+# fingerprint: 72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310
+ADD yarn-pubkey.gpg.key /usr/share/keyrings/yarn.asc
 RUN --mount=type=tmpfs,target=/var/log \
   --mount=type=tmpfs,target=/var/cache/apt \
   --mount=type=tmpfs,target=/var/lib/apt \
 # yarn packages
-    curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -; \
-    echo "deb https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list; \
+    echo "deb [signed-by=/usr/share/keyrings/yarn.asc] https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list; \
 # node packages
-    curl --silent --location https://deb.nodesource.com/setup_22.x | sudo bash -; \
+    printf 'Types: deb\nURIs: https://deb.nodesource.com/node_22.x\nSuites: nodistro\nComponents: main\nSigned-By: /usr/share/keyrings/nodesource.asc\n' > /etc/apt/sources.list.d/nodesource.sources; \
+    printf 'Package: nodejs\nPin: origin deb.nodesource.com\nPin-Priority: 600\n' > /etc/apt/preferences.d/nodejs; \
     echo "debconf debconf/frontend select Teletype" | debconf-set-selections; \
     apt-get -y update && DEBIAN_FRONTEND=noninteractive apt-get -y install \
 # gem build dependencies

diff --git a/image/base/install-imagemagick b/image/base/install-imagemagick
@@ -2,8 +2,8 @@
 set -e
 
 # version check: https://github.com/ImageMagick/ImageMagick/releases
-IMAGE_MAGICK_VERSION="7.1.2-3"
-IMAGE_MAGICK_HASH="b16415e8694a2e15e5282d64fc7b358f309ff3a514a90eb5da268676c772de3d"
+IMAGE_MAGICK_VERSION="7.1.2-25"
+IMAGE_MAGICK_HASH="ff33d227d2e1744327280e956ec9f7abaebbd8f48277d16cdad906e05e4794b6"
 
 LIBJPEGTURBO=$(cat /etc/issue | grep -qi Debian && echo 'libjpeg62-turbo libjpeg62-turbo-dev' || echo 'libjpeg-turbo8 libjpeg-turbo8-dev')
 

diff --git a/image/base/install-jemalloc b/image/base/install-jemalloc
@@ -12,10 +12,10 @@ if uname -m | grep -qi 'aarch64'; then
   mkdir /jemalloc-new
   cd /jemalloc-new
 
-  wget -q https://github.com/jemalloc/jemalloc/releases/download/5.3.0/jemalloc-5.3.0.tar.bz2
-  sha256sum jemalloc-5.3.0.tar.bz2
-  echo "2db82d1e7119df3e71b7640219b6dfe84789bc0537983c3b7ac4f7189aecfeaa jemalloc-5.3.0.tar.bz2" | sha256sum -c
-  tar --strip-components=1 -xjf jemalloc-5.3.0.tar.bz2
+  wget -q https://github.com/jemalloc/jemalloc/releases/download/5.3.1/jemalloc-5.3.1.tar.bz2
+  sha256sum jemalloc-5.3.1.tar.bz2
+  echo "3826bc80232f22ed5c4662f3034f799ca316e819103bdc7bb99018a421706f92 jemalloc-5.3.1.tar.bz2" | sha256sum -c
+  tar --strip-components=1 -xjf jemalloc-5.3.1.tar.bz2
   ./configure --prefix=/usr --with-lg-page=16 && make build_lib -j"$(nproc)" && make install_lib_shared
   cd / && rm -rf /jemalloc-new
 else
@@ -29,15 +29,4 @@ else
   tar --strip-components=1 -xjf jemalloc-3.6.0.tar.bz2
   ./configure --prefix=/usr $EXTRA_CONF && make -j"$(nproc)" && make install_lib_shared
   cd / && rm -rf /jemalloc-stable
-
-  # jemalloc new
-  mkdir /jemalloc-new
-  cd /jemalloc-new
-
-  wget -q https://github.com/jemalloc/jemalloc/releases/download/5.3.0/jemalloc-5.3.0.tar.bz2
-  sha256sum jemalloc-5.3.0.tar.bz2
-  echo "2db82d1e7119df3e71b7640219b6dfe84789bc0537983c3b7ac4f7189aecfeaa jemalloc-5.3.0.tar.bz2" | sha256sum -c
-  tar --strip-components=1 -xjf jemalloc-5.3.0.tar.bz2
-  ./configure --prefix=/usr --with-install-suffix=5.3.0 && make build_lib -j"$(nproc)" && make install_lib_shared
-  cd / && rm -rf /jemalloc-new
 fi
diff --git a/image/base/install-nginx b/image/base/install-nginx
@@ -16,7 +16,11 @@ apt install -y nginx-common
 
 cd /tmp
 # this is the reason we are compiling by hand...
-git clone https://github.com/google/ngx_brotli.git
+# master commit, pinned; it also pins the brotli submodule (v1.1.0)
+NGX_BROTLI_COMMIT="a71f9312c2deb28875acc7bacfdd5695a111aa53"
+git init -q /tmp/ngx_brotli
+git -C /tmp/ngx_brotli fetch -q --depth 1 https://github.com/google/ngx_brotli.git "$NGX_BROTLI_COMMIT"
+git -C /tmp/ngx_brotli checkout -q "$NGX_BROTLI_COMMIT"
 # now ngx_brotli has brotli as a submodule
 cd /tmp/ngx_brotli
 git submodule update --init

diff --git a/image/base/install-oxipng b/image/base/install-oxipng
@@ -1,27 +1,31 @@
 #!/bin/bash
 set -e
 
-# version check: https://github.com/shssoichiro/oxipng/releases
-OXIPNG_VERSION="9.1.2"
+# version check: https://github.com/oxipng/oxipng/releases
+OXIPNG_VERSION="10.1.1"
 dpkgArch="$(dpkg --print-architecture)"
 
 case "${dpkgArch##*-}" in
-    amd64) OXIPNG_FILE="oxipng-${OXIPNG_VERSION}-x86_64-unknown-linux-musl.tar.gz"; OXIPNG_HASH='211d53f3781be4a71566fbaad6611a3da018ac9b22d500651b091c2b42ebe318' ;;
-    arm64) OXIPNG_FILE="oxipng-${OXIPNG_VERSION}-aarch64-unknown-linux-musl.tar.gz"; OXIPNG_HASH='818d47d7195e1e0c4d58a9f3b6fd84aa3cd21770c60c876e73e2e6a17ca69b52' ;;
+    amd64) OXIPNG_FILE="oxipng-${OXIPNG_VERSION}-x86_64-unknown-linux-musl.tar.gz"; OXIPNG_HASH='a7e13e06040dea5fe1298668ac99afbe0ed781610a9e4b27d62a8850b3fdf273' ;;
+    arm64) OXIPNG_FILE="oxipng-${OXIPNG_VERSION}-aarch64-unknown-linux-musl.tar.gz"; OXIPNG_HASH='d8b599202378b038fc7571ba6ffd5f65592529a694f0315a7d436863c56029ed' ;;
     *) echo >&2 "unsupported architecture: ${dpkgArch}"; exit 1 ;;
 esac
 
 # Install other deps
 apt -y -q install advancecomp jpegoptim libjpeg-turbo-progs
 
-git clone --depth 1 --branch "3.08" https://github.com/Matthias-Wandel/jhead.git /tmp/jhead
+# jhead tag 3.08, fetched by commit since tags are mutable
+JHEAD_COMMIT="4d04ac965632e35a65709c7f92a857a749e71811"
+git init -q /tmp/jhead
+git -C /tmp/jhead fetch -q --depth 1 https://github.com/Matthias-Wandel/jhead.git "$JHEAD_COMMIT"
+git -C /tmp/jhead checkout -q "$JHEAD_COMMIT"
 cd /tmp/jhead && make && cp /tmp/jhead/jhead /usr/local/bin/jhead
 cd / && rm -rf /tmp/jhead
 
 mkdir /oxipng-install
 cd /oxipng-install
 
-wget -q https://github.com/shssoichiro/oxipng/releases/download/v${OXIPNG_VERSION}/${OXIPNG_FILE}
+wget -q https://github.com/oxipng/oxipng/releases/download/v${OXIPNG_VERSION}/${OXIPNG_FILE}
 sha256sum ${OXIPNG_FILE}
 echo "${OXIPNG_HASH} ${OXIPNG_FILE}" | sha256sum -c
 tar --strip-components=1 -xzf $OXIPNG_FILE

diff --git a/image/base/install-redis b/image/base/install-redis
@@ -2,12 +2,12 @@
 set -e
 
 # version check: https://redis.io/
-REDIS_VERSION=7.4.7
-REDIS_HASH="c97e57b0df330a9e091cacff012bebe763c275398cf36ff44cdba876814b595b"
+REDIS_VERSION=7.4.9
+REDIS_HASH="a71a67b47b2705d3448f0400573e3ad5c4c9f8c18236f426dc6acc7284bf42ad"
 
 cd /tmp
 # Prepare Redis source.
-wget -q http://download.redis.io/releases/redis-$REDIS_VERSION.tar.gz
+wget -q https://download.redis.io/releases/redis-$REDIS_VERSION.tar.gz
 sha256sum redis-$REDIS_VERSION.tar.gz
 echo "$REDIS_HASH redis-$REDIS_VERSION.tar.gz" | sha256sum -c
 

diff --git a/image/base/nodesource-repo.gpg.key b/image/base/nodesource-repo.gpg.key
@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFdDN1ABCADaNd/I3j3tn40deQNgz7hB2NvT+syXe6k4ZmdiEcOfBvFrkS8B
+hNS67t93etHsxEy7E0qwsZH32bKazMqe9zDwoa3aVImryjh6SHC9lMtW27JPHFeM
+Srkt9YmH1WMwWcRO6eSY9B3PpazquhnvbammLuUojXRIxkDroy6Fw4UKmUNSRr32
+9Ej87jRoR1B2/57Kfp2Y4+vFGGzSvh3AFQpBHq51qsNHALU6+8PjLfIt+5TPvaWR
+TB+kAZnQZkaIQM2nr1n3oj6ak2RATY/+kjLizgFWzgEfbCrbsyq68UoY5FPBnu4Z
+E3iDZpaIqwKr0seUC7iA1xM5eHi5kty1oB7HABEBAAG0Ik5Tb2xpZCA8bnNvbGlk
+LWdwZ0Bub2Rlc291cmNlLmNvbT6JAU4EEwEKADgCGwMCHgECF4AWIQRvcfUlKChB
+7tr4UbQvWbX5mxvgtAUCaWfGnwULCQgHAgYVCgkICwIEFgIDAQAKCRAvWbX5mxvg
+tL0CB/0TTur63uXTPbq+JBQET6jnEVaDrNmpHI/z2RMuj163gmy9CtCwG060c+TI
+qzmzlPacbTkGc5C50teX2mhs+5JIthfhMibR6Dgy0zeSVuvt9WJ3TNWBpoW5Ezka
+17SA3Xv9UEJS2eyRd7ALf7TGGAj8DG+xRABXl6bJIXh1s7Hki7kwgVrpNxm/EqyX
+OrzExm0g2UjgdkbnZrnTyZMB6X8f8fZPo0QcByPvLee2DtkKeE+SZlFXyvnCzcw0
+94K45vlWkEdRzmiiWAG7guzZyZYGcCO5EoJ3LUP90qhrmQUfsbtczeoEW17EW1jM
+RohLo8BqVyYc1CAFlULIDNeS3aipuQENBFdDN1ABCACq02gutmss6jiD2u50vdAR
+x3JOGd92trWRf7qH9/MTToslhoU/LiXhaE0x5+UkKuRbcruCtytn226brvwD0BdO
+QGpY81ZAxjTFuKUpIDmrHcrI/N9XLrLKx19kWEttsIPNJOgvx8JoeReOX2hLjcbF
+fmz8e6D1K7eZ+hjMfOLxD94tfhQwYtKbfwf0JwxQV5ItQRryd+X+TcA3nyvFWiJ8
+Vz92Tf1iG7Z+XasaaZFf2JDuxoiZaSZY7va395ClCEMykFsRbGwgDyB6Fr+6x/UU
+sYA4rYV7RumIOUdWngWyWjzVy/cKSWASW4jI5ABWs+AfeRTqmZt6+6B7oIghrB19
+ABEBAAGJAR8EGAECAAkFAldDN1ACGwwACgkQL1m1+Zsb4LRPzgf9FTfPA0d2N37q
+su5av3bYZJ+w6pvWF3aK2Zdy9ednhCBfPNmhvBRN6mXWixo0DuKEoQMjVpkX0hrq
+B9FxEVwCPZ9K/JuJgzMROq7T+7R3rcv+TPMdwk8rjIMeRiw2hFLwbrJ0w/v7/3wT
+MESv3GfXbuT0huEedK7bLfqGMgtmqMeCNkoI7Rf3GO2xArGQ6Zc2rTd4L9+D5HHS
+IPEixwFZS+Debc7pg3os0bKXEsqMtitvocClOAuPnXpCy04PK450UTr6ZVdirWhJ
+Oq8SrSERQwqEJ4PMHybiDKwzSr6mcBURre3G71uTAp7h/DISLTpfVMadcB6eoLWr
+/4fBqejAWg==
+=wh5k
+-----END PGP PUBLIC KEY BLOCK-----