Skip to content

fix: upgrade Docker base to python:3.13-slim (29 Snyk findings)#7

Merged
ryanmcmillan merged 2 commits intomainfrom
fix/docker-python-313
Mar 21, 2026
Merged

fix: upgrade Docker base to python:3.13-slim (29 Snyk findings)#7
ryanmcmillan merged 2 commits intomainfrom
fix/docker-python-313

Conversation

@ryanmcmillan
Copy link
Member

@ryanmcmillan ryanmcmillan commented Mar 21, 2026

Summary

Upgrades the Docker base image from python:3.11-slim to python:3.13-slim to resolve 29 OS-level Snyk findings (3 medium, 26 low) from the Debian base.

Testing

  • Fresh venv with Python 3.14 (stricter than 3.13)
  • All pip install deps compile cleanly (including scikit-learn/numpy C extensions)
  • All backend imports pass, 43 FastAPI routes load
  • No code changes required, only the base image tag

What this fixes

The 29 findings are all from Debian packages in the python:3.11-slim image (systemd, apt, openssl, etc). Bumping to 3.13-slim gets a newer Debian with patched OS packages.

@ryanmcmillan
fix: upgrade Docker base image to python:3.13-slim
f8716df 
Resolves 29 Snyk findings (3 medium, 26 low) from OS-level
CVEs in the python:3.11-slim Debian base image.

Tested: all backend imports and 43 FastAPI routes load
successfully on Python 3.14 (superset of 3.13 compat).
@greptile-apps
Copy link

greptile-apps bot commented Mar 21, 2026

Greptile Summary

This PR makes a single-line change, bumping the Docker base image from python:3.11-slim to python:3.13-slim to resolve 29 OS-level Snyk findings (3 medium, 26 low) in Debian packages bundled with the older image.

Key changes:

  • Dockerfile: Base image tag updated from python:3.11-slimpython:3.13-slim

Notes:

  • The change is minimal, targeted, and well-reasoned — the Snyk findings are Debian-level (systemd, apt, openssl) rather than Python package issues, so a base image bump is the correct fix.
  • The requirements.txt dependencies (FastAPI, SQLAlchemy, Pydantic v2, scikit-learn, numpy, etc.) all have lower-bound version pins that are compatible with Python 3.13.
  • The PR description states testing was done with Python 3.14 rather than 3.13. While 3.14 is a newer interpreter, the two are not equivalent runtimes — behavior differences between minor Python versions can exist (e.g., deprecated stdlib removals, import system changes). Ideally, integration tests should be run inside a container built from the exact new image (python:3.13-slim) to validate the exact production environment.
  • The python:3.13-slim tag is mutable; pinning to a patch-level tag or image digest would prevent silent base image drift in future builds.

Confidence Score: 4/5

  • Safe to merge — single-line security fix with compatible dependencies; minor concern around floating tag and testing environment mismatch.
  • The change is a one-line base image bump with no code modifications, directly addressing documented CVEs. All declared Python dependencies are compatible with Python 3.13. The only deductions are for the floating mutable tag (which can allow silent drift) and the testing discrepancy noted in the PR description (tested on 3.14 rather than 3.13), neither of which represents a likely production breakage.
  • No files require special attention; Dockerfile is the only changed file.

Important Files Changed

Filename Overview
Dockerfile Single-line base image bump from python:3.11-slim to python:3.13-slim to resolve 29 Snyk OS-level CVEs. Change is correct and minimal; the only concern is the floating tag which could allow silent image drift between builds.

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant Registry as Docker Hub
    participant Build as docker build
    participant Container as Running Container

    Dev->>Build: docker build .
    Build->>Registry: Pull python:3.13-slim (was 3.11-slim)
    Registry-->>Build: Debian base + Python 3.13 runtime
    Build->>Build: COPY backend/requirements.txt
    Build->>Build: pip install -r requirements.txt
    Build->>Build: COPY backend/ source
    Build-->>Dev: Image ready

    Dev->>Container: docker run
    Container->>Container: Run migrations (001→005)
    Container->>Container: python backend/main.py (uvicorn)
    Container-->>Dev: 43 FastAPI routes live on :18890
Loading

Last reviewed commit: "fix: upgrade Docker ..."

greptile-apps[bot]
greptile-apps bot reviewed Mar 21, 2026
View reviewed changes
Dockerfile Outdated
@@ -1,4 +1,4 @@
FROM python:3.11-slim
FROM python:3.13-slim
Copy link

@greptile-apps greptile-apps bot Mar 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Floating image tag reduces build reproducibility

python:3.13-slim is a mutable tag — Docker will re-pull whatever 3.13-slim resolves to at build time, which can silently change across builds as patch releases are published (e.g. 3.13.13.13.2). For a more reproducible, security-auditable image, consider either pinning to the minor patch version or to a digest:

Suggested change
FROM python:3.13-slim
FROM python:3.13.3-slim

or, for strongest guarantees:

FROM python:3.13-slim@sha256:<current-digest>

This is already the approach needed to prevent the same class of "base image drifted" Snyk findings from reappearing in the future.

@ryanmcmillan
fix: pin Docker base to python:3.13.3-slim
83a48d9 
Per Greptile review — pin to exact patch version for
reproducible builds and audit trail.
@ryanmcmillan ryanmcmillan merged commit ff66542 into main Mar 21, 2026
5 checks passed
@ryanmcmillan ryanmcmillan deleted the fix/docker-python-313 branch March 21, 2026 03:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ryanmcmillan