From e0b6c2082f483e458d950d3795c5f1966f23c370 Mon Sep 17 00:00:00 2001 From: Joakim Persson Date: Wed, 29 Apr 2026 10:25:36 +0200 Subject: [PATCH] Add apt-get upgrade to core packages layer Pair 'apt-get upgrade -y --no-install-recommends' with the existing update + install in the first RUN step. Picks up security/CVE fixes that land in the Debian repos between base-image rebuilds. Same layer as the install to avoid bloating history; combined with apt-get clean and rm -rf /var/lib/apt/lists/* at the end so no index cache is kept. Today this is a no-op (debian:trixie-slim is current: 0 upgraded). Future-proofs against the lag between a CVE fix being published and the next base-image rebuild. --- CHANGELOG.md | 1 + Dockerfile | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d87f37..ef7d46f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -19,6 +19,7 @@ Tags follow `v{opencode_version}[letter]` — bare tag for the first build on a - `curl --retry 5 --retry-delay 5 --retry-all-errors` on both the `-fsSL` GET requests and the `-sI` HEAD requests used for `/releases/latest` redirect resolution. 5 attempts with 5 s back-off eats most transient CDN hiccups without failing the build. - Added `[ -n "$V" ]` assertion after each version-resolution step. If the HEAD redirect ever fails to produce a tag name, the build fails fast with an empty-version message rather than trying to download `.../v//...` and producing a confusing 404. - Same hardening applied to the optional Go install block (go.dev JSON feed + tarball download) and the nodesource apt-repo setup script. +- **Security:** Added `apt-get upgrade -y` to the core-packages RUN step. Picks up any security/CVE fixes published between `debian:trixie-slim` base-image rebuilds. Paired with the existing `update` and `install` in the same layer so image history isn't bloated. Today this produced `0 upgraded` (base image is current), but it future-proofs against the next CVE drop. ## v1.14.29 — 2026-04-28 diff --git a/Dockerfile b/Dockerfile index c6121e9..333e32c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,7 +15,12 @@ LABEL org.opencontainers.image.source="https://gitea.jordbo.se/joakimp/opencode- ENV DEBIAN_FRONTEND=noninteractive # ── Core system packages ───────────────────────────────────────────── -RUN apt-get update && apt-get install -y --no-install-recommends \ +# apt-get upgrade picks up any security/CVE fixes published between +# debian:trixie-slim base-image rebuilds. Paired with the index update +# and the install in the same layer so we don't bloat image history. +RUN apt-get update && \ + apt-get upgrade -y --no-install-recommends && \ + apt-get install -y --no-install-recommends \ ca-certificates \ curl \ wget \ 
@@ -45,6 +50,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ python3-pip \ python3-venv \ && ln -s /usr/bin/fdfind /usr/local/bin/fd \ + && apt-get clean \ && rm -rf /var/lib/apt/lists/* # ── Go-compiled tools (install from GitHub to avoid CVEs in Debian's old Go builds)
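Review bot: In the CHANGELOG hunk, the `**Security:**` entry quotes the step as `apt-get upgrade -y`, but the Dockerfile line it describes is `apt-get upgrade -y --no-install-recommends`; the two should match so readers grepping for the command find it. The entry should also state when the upgrade actually takes effect: only on a build that re-executes the core-packages RUN layer (base-image digest change or a `--no-cache` build), not on every build, otherwise "future-proofs against the next CVE drop" reads as stronger than what a cached layer delivers.

Review bot: In the first Dockerfile hunk (`@@ -15,7 +15,12 @@`), `--no-install-recommends` on `apt-get upgrade -y` has no effect, because `upgrade` only upgrades already-installed packages and never pulls in new ones; drop it from that line (keep it on the `install`) so the flag does not suggest behaviour it does not have. Two caveats worth recording in the new comment block: (1) the layer is cached, so the upgrade re-runs only when the cache is invalidated, which means a scheduled rebuild or a cache-busting `ARG` placed immediately before this `RUN` (suggested pattern, not in the patch) is needed for the "picks up fixes between base-image rebuilds" promise to hold; (2) plain `upgrade` keeps back any package whose update needs a new dependency, so a security fix of that shape would silently be skipped where `apt-get dist-upgrade` would apply it. Either document the choice of `upgrade` or consider `dist-upgrade` if the image is meant to track fixes.

Review bot: In the second Dockerfile hunk (`@@ -45,6 +50,7 @@`), the added `&& apt-get clean \` clears the downloaded `.deb` archives under `/var/cache/apt/archives`, while the existing `&& rm -rf /var/lib/apt/lists/*` is what removes the package index; the commit message's "so no index cache is kept" attributes the index removal to `clean`, which is not what it does. Also note that the official `debian:*-slim` images ship `/etc/apt/apt.conf.d/docker-clean`, which already deletes fetched `.deb` files after each install, so this line is a harmless belt-and-braces step rather than a size win; a short comment saying so would save the next reader from measuring it.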