From eb959bdc2f00b71326969325bb484a96a797b931 Mon Sep 17 00:00:00 2001
From: "depthfirst-app[bot]" <1021002+depthfirst-app[bot]@users.noreply.github.com>
Date: Thu, 29 Jan 2026 17:22:12 +0000
Subject: [PATCH] fix(security): pin Alpine base image to version 3.23

Replace mutable alpine:3 tag with pinned alpine:3.23 to ensure reproducible builds and prevent potential supply chain attacks from compromised upstream images.
---
 Dockerfile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3900a025fa..9c178cc161 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,8 +17,9 @@ COPY . /go/src/github.com/supabase/auth
 # Make sure you change the RELEASE_VERSION value before publishing an image.
 RUN RELEASE_VERSION=unspecified make build
-# Always use alpine:3 so the latest version is used. This will keep CA certs more up to date.
-FROM alpine:3
+# Pin to a specific minor version for reproducibility and security.
+# Update this version periodically to get security patches and updated CA certs.
+FROM alpine:3.23
 RUN adduser -D -u 1000 supabase
 RUN apk add --no-cache ca-certificates
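Review bot: The new `FROM alpine:3.23` is still a mutable tag, so it does not deliver what the commit message promises: the publisher re-pushes `3.23` on every patch release and rebuild, and a compromised upstream image carrying that tag would still be pulled. If reproducibility and protection from a compromised upstream are the goal, pin by digest as well, e.g. `FROM alpine:3.23@sha256:<DIGEST-OF-THE-VERIFIED-IMAGE>`, and have a dependency-update bot bump the digest rather than relying on a manual edit. The new comment's "Update this version periodically" should then state who does the updating, e.g. `# Digest is bumped by <UPDATE-TOOLING>; alpine:3.x patch releases no longer flow in automatically.` The runtime stage opened by this FROM continues past the end of the hunk, and the unchanged `apk add --no-cache ca-certificates` there is itself unpinned (hadolint DL3018), which a base-image digest alone does not make reproducible.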