update new relic

[jzbahrai]

Summary | Résumé

1. Update newrelic
2. Update the dockerfile with errors due to yarn

Related Issues | Cartes liées

• https://app.zenhub.com/workspaces/notify-planning-614b3ad91bc2030015ed22f5/issues/gh/cds-snc/notification-planning/1
• https://app.zenhub.com/workspaces/notify-planning-core-6411dfb7c95fb80014e0cab0/issues/gh/cds-snc/notification-planning-core/1

Test instructions | Instructions pour tester la modification

TODO: Fill in test instructions for the reviewer.

Release Instructions | Instructions pour le déploiement

None.

Reviewer checklist | Liste de vérification du réviseur

• This PR does not break existing functionality.
• This PR does not violate GCNotify's privacy policies.
• This PR does not raise new security concerns. Refer to our GC Notify Risk Register document on our Google drive.
• This PR does not significantly alter performance.
• Additional required documentation resulting of these changes is covered (such as the README, setup instructions, a related ADR or the technical documentation).

⚠ If boxes cannot be checked off before merging the PR, they should be moved to the "Release Instructions" section with appropriate steps required to verify before release. For example, changes to celery code may require tests on staging to verify that performance has not been affected.

[Copilot]

Pull request overview

Updates New Relic and adjusts the devcontainer Dockerfile to fix Yarn APT repository key/repo setup issues on Debian Bookworm.

Changes:

• Bump newrelic Python dependency from 11.0.0 to 11.0.1
• Add Yarn APT repository keyring + source list setup steps in the devcontainer Dockerfile

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.

File	Description
pyproject.toml	Updates the pinned New Relic version
.devcontainer/Dockerfile	Adds Yarn repo keyring/source configuration for Bookworm

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

apt-get clean does not accept -y and may fail the Docker build with an 'option not understood' error. Drop the -y flag (or remove apt-get clean entirely if rm -rf /var/lib/apt/lists/* is already used).

[Copilot]

The build currently trusts whatever key is returned by the URL at build time. To reduce supply-chain risk, verify the downloaded key before installing it (e.g., check the expected fingerprint in the Dockerfile and fail if it doesn’t match).

Suggested change

	curl -fsSL "https://dl.yarnpkg.com/debian/pubkey.gpg" | gpg --dearmor --yes -o /etc/apt/keyrings/yarn-archive-keyring.gpg && \
	set -e; \
	YARN_EXPECTED_FPR="72ECF46A56B4AD39C907BBB71646B01B86E50310"; \
	curl -fsSL "https://dl.yarnpkg.com/debian/pubkey.gpg" -o /tmp/yarn-pubkey.gpg; \
	YARN_ACTUAL_FPR="$(gpg --dry-run --import --import-options show-only --with-colons /tmp/yarn-pubkey.gpg | awk -F: '/^fpr:/ {print $10; exit}')"; \
	if [ "$YARN_ACTUAL_FPR" != "$YARN_EXPECTED_FPR" ]; then \
	echo "ERROR: Yarn GPG key fingerprint mismatch: expected $YARN_EXPECTED_FPR but got $YARN_ACTUAL_FPR" >&2; \
	exit 1; \
	fi; \
	gpg --dearmor --yes -o /etc/apt/keyrings/yarn-archive-keyring.gpg /tmp/yarn-pubkey.gpg && \
	rm -f /tmp/yarn-pubkey.gpg && \

[Copilot]

There are two apt-get update calls in the same layer. If no packages are installed from the Yarn repo in this step, the second update is unnecessary overhead; consider removing it and only running apt-get update immediately before any later apt-get install that depends on the Yarn repo.

Suggested change

	apt-get update && apt-get clean -y && rm -rf /var/lib/apt/lists/*
	apt-get clean -y && rm -rf /var/lib/apt/lists/*