From 9e2ddc24763c4735aa1982ad6a6a916baa8b1330 Mon Sep 17 00:00:00 2001
From: Omer Zuarets
Date: Mon, 27 Apr 2026 18:20:41 +0300
Subject: [PATCH] fix: bump main image to python:3.10-alpine3.23 to patch CVE-2025-70873

Alpine 3.22 ships sqlite-libs 3.49.2-r1, which is vulnerable to CVE-2025-70873 (info disclosure in SQLite zipfile extension's zipfileInflate). Alpine 3.23 ships sqlite-libs 3.51.2-r0, which contains the upstream fix.

Note that `apk del sqlite` only removes the CLI; sqlite-libs remains because Python's stdlib _sqlite3 module is dynamically linked against it, so a base-image bump is required.
---
 Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 19c20167..96c41c0a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -90,7 +90,9 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 # MAIN IMAGE ----------------------------------------
 # Main image setup (optimized)
 # ---------------------------------------------------
-FROM python:3.10-alpine3.22 AS main
+# Alpine 3.23+ ships sqlite-libs >= 3.51.2 which fixes CVE-2025-70873
+# (info disclosure in SQLite zipfile extension's zipfileInflate).
+FROM python:3.10-alpine3.23 AS main
 WORKDIR /app