[Snyk] Security upgrade python from 3.9.15 to 3.13.12#444
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-5927133
- https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-5927133
- https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-5927133
- https://snyk.io/vuln/SNYK-DEBIAN11-GLIBC-5927133
- https://snyk.io/vuln/SNYK-DEBIAN11-LIBWEBP-5893094
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| @@ -1,4 +1,4 @@ | |||
| FROM python:3.9.15 | |||
| FROM python:3.13.12 | |||
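Review bot: `FROM python:3.13.12` still references the base image by tag alone, so two builds of this Dockerfile can resolve to different image contents, and the scan result that motivates this upgrade is not tied to what actually gets built. Pin the digest next to the tag, as in `FROM python:3.13.12@sha256:<digest>`, and bump both together on future upgrades. The same line moves the interpreter from 3.9 to 3.13 in one step, so the remaining instructions in this Dockerfile that install or invoke Python packages should be rebuilt and checked before merge.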
apt python3-sphinx installs for wrong Python version
Low Severity
With the base image change from python:3.9.15 (Debian Bullseye, system Python 3.9) to python:3.13.12 (Debian Bookworm, system Python 3.11), the apt-get install python3-sphinx now installs Sphinx for system Python 3.11 rather than the container's primary Python 3.13. This makes the apt-installed Sphinx package effectively useless — project packages from uv sync are installed for Python 3.13, so the apt-installed sphinx-build (using Python 3.11) cannot access them. The build_docs.sh script works around this by pip-installing sphinx extensions (which pulls in Sphinx for Python 3.13), but the apt package now adds unnecessary bloat and a potentially confusing second Python installation.
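A check for the mismatch described in the comment above, as an added example that is not part of the PR or the project's code: it reads a console script's shebang and compares the resolved interpreter with the `python3` found first on `PATH`. The function names are hypothetical, and the layout built by `make_constructed_layout` is a constructed stand-in for the image's `/usr/bin` and `/usr/local/bin`.

```shell
#!/bin/sh
# Added example: which Python is a console script (e.g. sphinx-build) bound to?

# Print the interpreter named on a script's shebang line; "env NAME" is resolved via PATH.
script_interpreter() {
    first_line=$(head -n 1 "$1") || return 2
    case "$first_line" in
        '#!'*) ;;
        *) return 1 ;;                        # compiled binary or no shebang
    esac
    set -- ${first_line#??}                   # drop "#!" and split into words
    [ $# -gt 0 ] || return 1
    case "${1##*/}" in
        env) command -v "$2" ;;               # "#!/usr/bin/env python3"
        *)   printf '%s\n' "$1" ;;
    esac
}

# Compare a tool's interpreter with the python3 that is first on PATH.
# Returns 0 on match, 1 on mismatch, 2 if the tool cannot be inspected.
check_tool_interpreter() {
    tool_path=$(command -v "$1") || { echo "missing: $1"; return 2; }
    tool_py=$(script_interpreter "$tool_path") || { echo "no shebang: $tool_path"; return 2; }
    tool_py=$(readlink -f "$tool_py")         # follow python3 -> python3.X symlinks
    primary_py=$(readlink -f "$(command -v python3)")
    if [ "$tool_py" = "$primary_py" ]; then
        echo "ok: $1 -> $tool_py"
    else
        echo "mismatch: $1 -> $tool_py, python3 on PATH -> $primary_py"
        return 1
    fi
}

# Constructed layout (assumption, not a real image): a distro-packaged tool under
# usr/bin bound to 3.11, and the image's own interpreter under usr/local/bin (3.13).
make_constructed_layout() {
    root=$1
    mkdir -p "$root/usr/bin" "$root/usr/local/bin"
    : > "$root/usr/bin/python3.11"
    : > "$root/usr/local/bin/python3.13"
    ln -s python3.11 "$root/usr/bin/python3"
    ln -s python3.13 "$root/usr/local/bin/python3"
    printf '#!%s/usr/bin/python3\n' "$root" > "$root/usr/bin/sphinx-build"
    chmod +x "$root"/usr/bin/* "$root"/usr/local/bin/*
}
```

Run as a build step, `check_tool_interpreter sphinx-build` returning 1 is the signal that the tool cannot import packages installed for the image's primary interpreter.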


Snyk has created this PR to fix 2 vulnerabilities in the dockerfile dependencies of this project.
Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.
Snyk changed the following file(s):
- readme_docs/Dockerfile

We recommend upgrading to python:3.13.12, as this image has only 261 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:
- SNYK-DEBIAN11-GLIBC-5927133
- SNYK-DEBIAN11-GLIBC-5927133
- SNYK-DEBIAN11-GLIBC-5927133
- SNYK-DEBIAN11-GLIBC-5927133
- SNYK-DEBIAN11-LIBWEBP-5893094
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Note
Medium Risk
Updates the Docker base image across a major Python version jump, which can introduce runtime or dependency incompatibilities even though the change is confined to the docs container.
Overview
Upgrades readme_docs/Dockerfile base image from python:3.9.15 to python:3.13.12 to pick up upstream security fixes in the image.

Written by Cursor Bugbot for commit dd5d468. This will update automatically on new commits.