From 98d1256969d4cc2d0fbd5fc8b73e5d1dd699e7a5 Mon Sep 17 00:00:00 2001
From: Ryan McMillan
Date: Fri, 20 Mar 2026 22:42:46 -0500
Subject: [PATCH 1/2] fix: add apt-get upgrade to patch OS-level CVEs

Patches fixable Snyk findings (critical/high/medium) from Debian 12 base image packages (sqlite3, gnutls, openssl, perl, pam, gnupg).
---
 Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 352e8c4..b4146ca 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,8 @@
 FROM python:3.13.3-slim
 
+# Patch OS-level vulnerabilities in base image
+RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
+
 WORKDIR /app
 
 # Install backend deps first for better layer caching
From 76a37e83f613c1e4970b38bb5a3a92e272b6bb8d Mon Sep 17 00:00:00 2001
From: Ryan McMillan
Date: Fri, 20 Mar 2026 22:46:41 -0500
Subject: [PATCH 2/2] fix: add DEBIAN_FRONTEND=noninteractive to apt-get upgrade
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Per Greptile review — prevents debconf prompts from hanging the build in CI.
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index b4146ca..3a37fc7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM python:3.13.3-slim
 
 # Patch OS-level vulnerabilities in base image
-RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
 
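Review bot: The added `RUN apt-get update && apt-get upgrade -y` layer patches packages only at the moment it is built. Once it sits in the build cache it is reused unchanged, so fixes published later are not picked up until the cache is invalidated. If release builds can hit the cache (not visible from this hunk), build them with `docker build --pull --no-cache` or on a schedule, and say so in the comment, e.g. `# Patch OS-level vulnerabilities in base image (cached layer: rebuild with --pull --no-cache to pick up new fixes)`. Because `FROM python:3.13.3-slim` is a mutable tag and the upgrade is unpinned, two builds of the same commit can contain different package versions. Pinning the base by digest and re-running the scan on each rebuilt image would tie the Snyk result to a specific artifact.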
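Review bot: On the new `RUN` line, `DEBIAN_FRONTEND=noninteractive` is a prefix assignment, so the shell applies it only to `apt-get update`. The `apt-get upgrade -y` after `&&` still runs without it and can still stop on a debconf prompt, which is the case this commit sets out to prevent. Move the assignment onto the command that configures packages: `RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y && rm -rf /var/lib/apt/lists/*`. Keeping it inline rather than in an `ENV` instruction is the right choice, since the setting should not persist into the runtime environment.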