[Snyk] Security upgrade python from 3.9 to latest

[ashmuck]

Snyk has created this PR to fix 2 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

• Dockerfile

We recommend upgrading to python:latest, as this image has only 260 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Heap-based Buffer Overflow SNYK-DEBIAN13-IMAGEMAGICK-15044354	714
	Heap-based Buffer Overflow SNYK-DEBIAN13-IMAGEMAGICK-15044354	714
	Release of Invalid Pointer or Reference SNYK-DEBIAN13-IMAGEMAGICK-15044366	714
	Release of Invalid Pointer or Reference SNYK-DEBIAN13-IMAGEMAGICK-15044366	714
	Release of Invalid Pointer or Reference SNYK-DEBIAN13-IMAGEMAGICK-15044366	714

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Heap-based Buffer Overflow

---

Note

Medium Risk
Using python:latest introduces a moving runtime target that can change behavior across builds and potentially break CI unexpectedly, despite being a small diff.

Overview
Updates the GitHub Actions-only Dockerfile base image from python:3.9 to python:latest to pick up newer security fixes in the underlying image.

^{Written by Cursor Bugbot for commit 3b35c85. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Unpinned latest tag breaks build with incompatible Python

High Severity

Changing from python:3.9 to python:latest (currently Python 3.14) will almost certainly break the pip install . step on line 15. The project's setup.py only classifies support for Python 3.6–3.9, and its dependencies have tight upper bounds incompatible with Python 3.12+: invoke>=1.4.1,<2 has known issues on 3.12+, tomlkit>=0.10.0,<0.11.0 lacks 3.12+ support, and Python 3.12 removed distutils/imp which old dependency versions rely on. Additionally, latest is a moving target, making builds non-reproducible.