From 82b2e306d2ce2bb50e1f5cce2be28b7a750074ab Mon Sep 17 00:00:00 2001
From: openhands <openhands@all-hands.dev>
Date: Fri, 20 Mar 2026 21:55:55 -0500
Subject: [PATCH] fix(enterprise): use apt-get install --only-upgrade for
 targeted package updates

apt-get upgrade does not accept package arguments - it upgrades all packages.
Changed to apt-get install --only-upgrade to correctly target specific
packages for security updates (GnuPG CVEs).

Co-authored-by: openhands <openhands@all-hands.dev>
---
 enterprise/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/enterprise/Dockerfile b/enterprise/Dockerfile
index ab1fa72bed..4bbda633b9 100644
--- a/enterprise/Dockerfile
+++ b/enterprise/Dockerfile
@@ -14,7 +14,7 @@ RUN apt-get update && \
     apt-get install -y nodejs && \
     apt-get install -y jq gettext && \
     # Apply security updates for packages with available fixes
-    apt-get upgrade -y \
+    apt-get install --only-upgrade -y \
         libc-bin \
         libc6 \
         libgnutls30 \