From 2b893969d2737c79ccfd2f5646482ca01d2d2b88 Mon Sep 17 00:00:00 2001
From: user <user@rpios.local>
Date: Tue, 24 Feb 2026 12:54:16 +0100
Subject: [PATCH] fix: switch to alpine base image and upgrade pip

Replace python:3.12-slim (Debian) with python:3.12-alpine to reduce
image size and eliminate 68 Debian-inherited CVEs. Upgrade pip to
resolve CVE-2025-8869. Build deps installed temporarily for native
extensions (cryptography) and removed after pip install.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 Containerfile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/Containerfile b/Containerfile
index 8725b35..64d47a0 100644
--- a/Containerfile
+++ b/Containerfile
@@ -1,9 +1,12 @@
-FROM python:3.12-slim
+FROM python:3.12-alpine
 
 WORKDIR /app
 
 COPY requirements.txt .
-RUN pip install --no-cache-dir -r requirements.txt
+RUN apk add --no-cache --virtual .build gcc musl-dev libffi-dev openssl-dev && \
+    pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir -r requirements.txt && \
+    apk del .build
 
 COPY src/ /app/src/