All five services in docker-compose.yml still use :latest tags (prom/prometheus:latest, grafana/loki:latest, grafana/promtail:latest, grafana/grafana:latest, python:3.11-slim without a patch pin). The audit flagged this as issue #10 / #24. Pinning to specific digests or version tags (e.g., prom/prometheus:v2.52.0) prevents silent breaking changes on docker compose pull and enables Renovate/Dependabot to track upstream releases. This should be a separate PR since it requires choosing stable versions and setting up a periodic update mechanism.
Follow-up from #35
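As an added example (not the project's own tooling and not part of the issue), a small check that a CI step could run to catch exactly the finding described above. It assumes the compose file uses plain `image:` lines and needs no YAML library; the sample compose text is constructed to mirror the five services named in the issue.

```python
"""Flag container images in a docker-compose.yml that are not pinned to a
version tag or digest (added example, not the project's own code)."""
import re

IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s#]+)")
# A tag is treated as fully pinned only with major.minor.patch (optional 'v', suffix allowed)
FULL_PIN_RE = re.compile(r"^v?\d+\.\d+\.\d+")


def classify_image(ref: str) -> str:
    """Return 'digest', 'pinned', 'partial' or 'unpinned' for one image reference."""
    if "@sha256:" in ref:
        return "digest"                    # immutable content address, strongest pin
    name, _, tag = ref.rpartition(":")     # rpartition copes with registry:port/name:tag
    if not name or "/" in tag:             # no tag at all: the ':' belonged to a port
        return "unpinned"                  # implicit :latest
    if tag == "latest":
        return "unpinned"
    if FULL_PIN_RE.match(tag):
        return "pinned"
    if re.match(r"^v?\d+(\.\d+)?", tag):
        return "partial"                   # e.g. python:3.11-slim moves with each patch release
    return "unpinned"                      # named tags such as 'stable' are mutable too


def audit_compose(compose_text: str) -> list[tuple[str, str]]:
    """Return (image, verdict) for every image that is not digest- or fully pinned."""
    findings = []
    for line in compose_text.splitlines():
        m = IMAGE_RE.match(line)
        if m:
            verdict = classify_image(m.group(1))
            if verdict in ("unpinned", "partial"):
                findings.append((m.group(1), verdict))
    return findings


# Constructed sample mirroring the five services named in the issue
SAMPLE_COMPOSE = """\
services:
  prometheus:
    image: prom/prometheus:latest
  loki:
    image: grafana/loki:latest
  promtail:
    image: grafana/promtail:latest
  grafana:
    image: grafana/grafana:latest
  app:
    image: python:3.11-slim
"""

if __name__ == "__main__":
    for image, verdict in audit_compose(SAMPLE_COMPOSE):
        print(f"{verdict:8s} {image}")
```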