From 8e88a7a277cf058e64b157db8fdddd93c609ca24 Mon Sep 17 00:00:00 2001
From: Robert Brennan
Date: Thu, 18 Sep 2025 11:25:33 -0400
Subject: [PATCH] fix: resolve critical and high CVEs in enterprise Docker image (#10987)

Co-authored-by: openhands
---
 enterprise/Dockerfile | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/enterprise/Dockerfile b/enterprise/Dockerfile
index ab858fb2d3..4264258d09 100644
--- a/enterprise/Dockerfile
+++ b/enterprise/Dockerfile
@@ -7,14 +7,28 @@ LABEL com.datadoghq.tags.service="deploy"
 LABEL com.datadoghq.tags.env="${DD_ENV}"
 
 # Install Node.js v20+ and npm (which includes npx)
+# Apply security updates to fix CVEs
 RUN apt-get update && \
     apt-get install -y curl && \
     curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
     apt-get install -y nodejs && \
     apt-get install -y jq gettext && \
-    apt-get clean
+    # Apply security updates for packages with available fixes
+    apt-get upgrade -y \
+    libc-bin \
+    libc6 \
+    libgnutls30 \
+    libsqlite3-0 \
+    perl-base && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
 
-RUN pip install alembic psycopg2-binary cloud-sql-python-connector pg8000 gspread stripe python-keycloak asyncpg sqlalchemy[asyncio] resend tenacity slack-sdk ddtrace posthog "limits==5.2.0" coredis prometheus-client shap scikit-learn pandas numpy
+# Install Python packages with security fixes
+RUN pip install alembic psycopg2-binary cloud-sql-python-connector pg8000 gspread stripe python-keycloak asyncpg sqlalchemy[asyncio] resend tenacity slack-sdk ddtrace posthog "limits==5.2.0" coredis prometheus-client shap scikit-learn pandas numpy && \
+    # Update packages with known CVE fixes
+    pip install --upgrade \
+    "mcp>=1.10.0" \
+    "pillow>=11.3.0"
 
 WORKDIR /app
 COPY enterprise .
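Review bot: The `apt-get upgrade -y libc-bin libc6 …` list and the `"mcp>=1.10.0"` / `"pillow>=11.3.0"` floors remove the vulnerable versions only at build time and pin nothing, so a rebuild against a stale mirror or an older base image can reinstall them without any build failure; the durable fix is to bump the base image tag or digest in the FROM line (outside this hunk) and pin the Python packages exactly (`"pillow==11.3.0"`, `"mcp==1.10.0"` or whatever the lockfile resolves) rather than carrying an open-ended upgrade step. The second `pip install --upgrade` also re-resolves packages the first command just installed; folding the two floors into the single `pip install … "mcp>=1.10.0" "pillow>=11.3.0"` and adding `--no-cache-dir` gives one resolution and keeps the pip cache out of the layer. Whether `apt-get upgrade` honours package arguments depends on the apt version in the base image (current Debian accepts them; older apt silently ignores them), so it is worth confirming with `apt-cache policy libc6` in the built image that the intended versions actually landed. The comment `# Apply security updates to fix CVEs` would help the next maintainer more as `# Targeted upgrades for <advisory ids from the scan, placeholder> — drop once the base image is bumped`.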