[Snyk] Security upgrade python from 3.9.15 to latest

[sihrc]

Snyk has created this PR to fix 2 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

• readme_docs/Dockerfile

We recommend upgrading to python:latest, as this image has only 259 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	CVE-2025-27363 SNYK-DEBIAN11-FREETYPE-9402510	829
	CVE-2025-27363 SNYK-DEBIAN11-FREETYPE-9402510	829
	CVE-2025-27363 SNYK-DEBIAN11-FREETYPE-9402510	829
	Out-of-bounds Write SNYK-DEBIAN11-GLIBC-5927133	829
	Out-of-bounds Write SNYK-DEBIAN11-GLIBC-5927133	829

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Out-of-bounds Write

---

Note

Medium Risk
Base-image upgrades can introduce unexpected runtime or OS package changes, even though the diff is minimal and isolated to documentation tooling.

Overview
Updates readme_docs/Dockerfile to use python:latest instead of the pinned python:3.9.15 base image to pick up newer upstream security fixes.

^{Written by Cursor Bugbot for commit 70ed37b. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Floating latest tag breaks Docker build reproducibility
  • Replaced python:latest with python:3.13 to ensure reproducible builds with locked dependencies.

Or push these changes by commenting:

@cursor push 9a3f15ce1d

Preview (9a3f15ce1d)

diff --git a/readme_docs/Dockerfile b/readme_docs/Dockerfile
--- a/readme_docs/Dockerfile
+++ b/readme_docs/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:latest
+FROM python:3.13
 
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv

_{This Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.}

[cursor]

Floating latest tag breaks Docker build reproducibility

Medium Severity

Using python:latest instead of a pinned version tag (e.g. python:3.13) makes this Docker build non-reproducible and fragile. The uv sync --locked command on line 8 requires the lockfile to match the current environment — when latest advances to a new Python minor version (e.g. 3.14, 3.15), the locked dependencies may become incompatible or unavailable for that version, causing build failures. Pinned dependencies like msgpack-numpy==0.4.4.3 are especially at risk of not supporting future Python releases.