From 005f3d7159d111fab86dfba13f729003f8e0e182 Mon Sep 17 00:00:00 2001 From: Brendan Kellam Date: Tue, 14 Apr 2026 16:40:43 -0700 Subject: [PATCH] fix: upgrade Alpine packages to resolve CVEs in musl-utils and zlib Adds `apk upgrade --no-cache` to the runner stage to pull in patched versions of musl-utils (>=1.2.5-r23) and zlib (>=1.3.2-r0), fixing: - CVE-2026-40200 (HIGH) - musl arbitrary code execution - CVE-2026-6042 (MEDIUM) - musl denial of service - CVE-2026-22184 (HIGH) - zlib buffer overflow - CVE-2026-27171 (MEDIUM) - zlib denial of service Co-Authored-By: Claude Opus 4.6 (1M context) --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index aaa319c8f..0e68b3889 100644 --- a/Dockerfile +++ b/Dockerfile @@ -180,7 +180,8 @@ ENV SOURCEBOT_LOG_LEVEL=info # ENV SOURCEBOT_TELEMETRY_DISABLED=1 # Configure dependencies -RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq redis postgresql16 postgresql16-contrib openssl util-linux unzip +RUN apk add --no-cache git ca-certificates bind-tools tini jansson wget supervisor uuidgen curl perl jq redis postgresql16 postgresql16-contrib openssl util-linux unzip && \ + apk upgrade --no-cache ARG UID=1500 ARG GID=1500
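Review bot: the new `apk upgrade --no-cache` in the `RUN` line fixes the CVEs only at the moment the layer is built, and nothing in the Dockerfile enforces the minimum versions the commit message promises (musl-utils >=1.2.5-r23, zlib >=1.3.2-r0); once this layer is cached, later builds will keep the old packages until the base image tag or the `RUN` line changes again. Consider adding the floor versions as explicit constraints so the build fails rather than silently shipping the vulnerable packages, e.g. `apk add --no-cache 'musl-utils>=1.2.5-r23' 'zlib>=1.3.2-r0'` alongside the existing install, and note in the Dockerfile comment that the upgrade step depends on rebuilding without the layer cache (or on bumping the base image) to pick up future fixes. A blanket `apk upgrade` also makes the image content non-reproducible between two builds of the same commit, which is worth a one-line comment above the `RUN` so the trade-off is recorded.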