
fix: upgrade Docker base to python:3.14.3-slim (73 → ~27 Snyk findings) #9

Merged
ryanmcmillan merged 1 commit into main from fix/docker-python-314
Mar 21, 2026

Conversation

@ryanmcmillan (Member)

Summary

Upgrades Docker base from python:3.13.3-slim to python:3.14.3-slim per Snyk's own recommendation.

Impact

  • Before: 73 findings (2 critical, 6 high, 7 medium, 58 low)
  • After: ~27 findings (0 critical, 0 high, 1 medium, 26 low)
  • Eliminates all criticals and highs from the container scan

Testing

  • All pip deps install cleanly on Python 3.14 (tested in fresh venv this session)
  • All 43 FastAPI routes load successfully
  • scikit-learn, numpy, cryptography C extensions all compile
  • CI matrix still tests 3.10/3.11/3.12 for backwards compat
  • apt-get upgrade layer retained for additional OS patching

Drops Snyk container findings from 73 to ~27 (0 critical,
0 high, 1 medium, 26 low). All deps tested on Python 3.14
earlier this session. CI matrix covers 3.10-3.12 for
backwards compat.
@greptile-apps

greptile-apps bot commented Mar 21, 2026

Greptile Summary

This PR upgrades the Docker base image from python:3.13.3-slim to python:3.14.3-slim, which is a legitimate stable release (third maintenance release, published 2026-02-03). The primary motivation is a significant reduction in Snyk vulnerability findings (73 → ~27, eliminating all criticals and highs). The change is minimal and low-risk from a code perspective.

Key observations:

  • python:3.14.3-slim is a genuine, stable image and the upgrade is well-motivated from a security standpoint.
  • The backend CI job tests only Python 3.10/3.11/3.12; the production container now runs 3.14. While the docker CI job does build the image and smoke-tests the /health endpoint, no lint, type-check, or unit tests run against Python 3.14 in CI. Adding '3.14' to the matrix would improve coverage.
  • Python 3.14 introduces deferred annotation evaluation (PEP 649/749) which can affect libraries relying on annotation introspection at class-definition time (e.g., Pydantic, SQLAlchemy, FastAPI). These libraries have been updated to handle 3.14, but running CI analysis on 3.14 explicitly would surface any regressions.
  • The base image is pinned to a specific version tag (3.14.3-slim) but not to a content digest; pinning by digest would give stronger supply-chain guarantees for a security-motivated change.

Confidence Score: 4/5

  • Safe to merge — single-line image bump to a stable, tested release with significant security improvement.
  • The change is a one-line Dockerfile edit to a verified stable Python release. The Docker CI job builds and health-checks the container, confirming dependencies install and the app starts on 3.14. The two suggestions (CI matrix gap and digest pinning) are best-practice improvements, not blockers.
  • No files require special attention, though .github/workflows/ci.yml is worth updating to add '3.14' to the test matrix.

Important Files Changed

Dockerfile: Single-line bump of Python base image from 3.13.3-slim to 3.14.3-slim; valid stable release with significant Snyk finding reduction. Image is tag-pinned but not digest-pinned.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[git push / PR] --> B[CI: backend job]
    A --> C[CI: docker job]
    B --> B1["matrix: 3.10 / 3.11 / 3.12\n(lint + type-check)"]
    B1 --> B2["❌ Python 3.14 NOT tested\nin unit/lint pipeline"]
    C --> C1["docker build\npython:3.14.3-slim"]
    C1 --> C2["docker run + health-check\n/health endpoint"]
    C2 --> C3["✅ Container starts on 3.14"]
    B2 -.->|gap| C3

Comments Outside Diff (1)

  1. .github/workflows/ci.yml, line 14

    P2 CI matrix doesn't cover the production Python version

    The Docker image now ships Python 3.14, but the backend test job only runs lint and type-checks on 3.10, 3.11, and 3.12. This means Python 3.14-specific breakage (e.g., the deferred annotation evaluation semantics introduced by PEP 649/749, removed/changed stdlib items, or C-extension ABI changes) won't be caught by the backend job. The docker job does build and do a health-check smoke test, but it doesn't run unit tests or static analysis on 3.14.

    Adding '3.14' to the matrix would close this gap:

Last reviewed commit: "fix: upgrade Docker ..."

@@ -1,4 +1,4 @@
FROM python:3.13.3-slim
FROM python:3.14.3-slim
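Review bot: the new `FROM python:3.14.3-slim` line still pins the base by mutable tag only, so the layers Snyk scanned to arrive at the "~27 findings" figure are not guaranteed to be the layers a later rebuild pulls; pin the digest as well (`FROM python:3.14.3-slim@sha256:<digest>`) and re-run the scan against that digest so the PR description can state an exact count rather than an approximation. The interpreter this line ships (3.14) is also absent from the backend job's 3.10/3.11/3.12 matrix in .github/workflows/ci.yml; adding '3.14' in the same change would let lint and type-checks run on the version the container actually uses.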

P2 Consider pinning base image by digest for supply-chain reproducibility

Pinning to a mutable tag (3.14.3-slim) means that if Docker Hub silently replaces the image (e.g., for an OS-level patch), subsequent builds pull a different layer without any visible change to this file. For a security-focused PR this is worth noting. Using the image digest (e.g., python:3.14.3-slim@sha256:<digest>) gives a stronger guarantee that every build uses the exact same bits.

Suggested change
FROM python:3.14.3-slim
FROM python:3.14.3-slim@sha256:<digest-from-docker-hub>

You can obtain the digest via:

docker pull python:3.14.3-slim
docker inspect --format='{{index .RepoDigests 0}}' python:3.14.3-slim
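Both review points above (tag-only pinning and a CI matrix that skips the shipped interpreter) can be checked mechanically rather than by eye. The script below is an added example written for this page; it is not code from the project or from the Greptile bot. The Dockerfile it parses is constructed for the example, the `sha256:` value in it is a fake digest, and the `CI_MATRIX` list mirrors the 3.10/3.11/3.12 matrix the review describes.

```python
"""Dockerfile base-image checks for two review points raised on this PR.

1. Digest pinning: `FROM image:tag` without a valid `@sha256:<64 hex>` digest
   is pinned to a mutable tag, so a rebuild may pull different layers than
   the ones a container scan was run against.
2. CI coverage: a `python:X.Y.Z-*` base whose X.Y is missing from the test
   matrix means the interpreter shipped in the image is never tested.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# FROM [--platform=<p>] <image>[:<tag>][@<digest>] [AS <alias>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
# Only a real, fully specified digest counts; a placeholder such as
# "sha256:<digest-from-docker-hub>" left in the file does not.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample (not the project's Dockerfile); the digest is fake.
FAKE_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_DOCKERFILE = f"""\
# constructed sample Dockerfile
FROM python:3.14.3-slim AS builder
RUN pip install --no-cache-dir -r requirements.txt
FROM python:3.14.3-slim@sha256:<digest-from-docker-hub>
FROM --platform=linux/amd64 registry.example.com:5000/team/base:1.2@{FAKE_DIGEST}
COPY --from=builder /app /app
FROM builder
"""
CI_MATRIX = ["3.10", "3.11", "3.12"]  # mirrors the matrix described in the review


@dataclass
class BaseImage:
    line_no: int
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def pinned_by_digest(self) -> bool:
        return self.digest is not None and DIGEST_RE.match(self.digest) is not None


def parse_from_lines(dockerfile: str) -> List[BaseImage]:
    """One BaseImage per FROM that names an external image.

    Stage references (`FROM builder` after `AS builder`) and `FROM scratch`
    are skipped: neither pulls anything from a registry.
    """
    images: List[BaseImage] = []
    aliases = set()
    for n, line in enumerate(dockerfile.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group("ref"), m.group("alias")
        if alias:
            aliases.add(alias.lower())
        if ref.lower() in aliases or ref.lower() == "scratch":
            continue
        digest = None
        if "@" in ref:
            ref, digest = ref.split("@", 1)
        # The tag separator is the first ':' after the last '/', so a registry
        # port (host:5000/img) is not mistaken for a tag.
        repo, tag = ref, None
        colon = ref.find(":", ref.rfind("/") + 1)
        if colon != -1:
            repo, tag = ref[:colon], ref[colon + 1:]
        images.append(BaseImage(n, repo, tag, digest))
    return images


def unpinned_images(images: List[BaseImage]) -> List[BaseImage]:
    """Images without a valid digest: a rebuild may silently pull different bits."""
    return [img for img in images if not img.pinned_by_digest]


def python_minor(img: BaseImage) -> Optional[str]:
    """'3.14.3-slim' -> '3.14' for official python images, else None."""
    if img.repository.split("/")[-1] != "python" or not img.tag:
        return None
    m = re.match(r"^(\d+\.\d+)", img.tag)
    return m.group(1) if m else None


def matrix_gaps(images: List[BaseImage], ci_matrix: List[str]) -> List[str]:
    """Python minor versions the container ships but the CI matrix never tests."""
    tested = set(ci_matrix)
    shipped = {v for v in (python_minor(i) for i in images) if v}
    return sorted(shipped - tested)


def check_dockerfile(dockerfile: str, ci_matrix: List[str]) -> dict:
    """Aggregate both findings in one report suitable for a CI gate."""
    images = parse_from_lines(dockerfile)
    return {
        "unpinned_lines": [i.line_no for i in unpinned_images(images)],
        "untested_python": matrix_gaps(images, ci_matrix),
    }


if __name__ == "__main__":
    print(check_dockerfile(SAMPLE_DOCKERFILE, CI_MATRIX))
```

The placeholder digest from the suggested change above is deliberately reported as unpinned: a `sha256:` prefix without 64 hex digits will fail `docker pull` anyway, and treating it as pinned would hide a half-applied fix. Run against the real Dockerfile and the real matrix list, a non-empty result in either field is the condition to fail the job on.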

@ryanmcmillan ryanmcmillan self-assigned this Mar 21, 2026
@ryanmcmillan ryanmcmillan merged commit 6372237 into main Mar 21, 2026
5 checks passed
@ryanmcmillan ryanmcmillan deleted the fix/docker-python-314 branch March 21, 2026 03:57
