build: upgrade base images from Debian bookworm to trixie #7725

Open
wtfiwtz wants to merge 3 commits into getredash:master from orchestrated-io:build/debian-trixie-base-images

@wtfiwtz wtfiwtz commented Jun 2, 2026

What type of PR is this?

  • Refactor

Description

Upgrades Docker base images from Debian 12 (bookworm) to Debian 13 (trixie):

  • Node builder base: node:24-bookworm → node:24-trixie
  • Python runtime base: python:3.13-slim-bookworm → python:3.13-slim-trixie
  • Add trixie-security, trixie-updates, and trixie-proposed-updates apt repos
  • Apply targeted security upgrades before installing packages
  • MSSQL packages repo: debian/12 → debian/13 (required for trixie)

This upgrade moves to Debian 13 (trixie) to receive current security maintenance and Debian Security Advisory (DSA) fixes at image build time.

The trixie-security pocket is applied with priority to ensure OS-level CVE remediations (OpenSSL, libxml2, nghttp2, libpq, etc.) are picked up when the image is built.

How is this tested?

  • Manually (container rebuild with make compose_build required for full validation)

Related Tickets & Documents

Split from #7718 per @zachliu's review feedback to separate base image upgrades from build toolchain changes.

Part of the security vulnerability remediation work tracked in #7711.

Note

This PR is marked as draft until manual container testing is complete.

Made with Cursor

wtfiwtz and others added 3 commits June 2, 2026 10:02
- Node builder base: node:24-bookworm → node:24-trixie
- Python runtime base: python:3.13-slim-bookworm → python:3.13-slim-trixie
- Add trixie-security, trixie-updates, and trixie-proposed-updates apt repos
- Apply targeted security upgrades before installing packages
- MSSQL packages repo: debian/12 → debian/13 (required for trixie)

This upgrade moves to Debian 13 (trixie) to receive current security
maintenance and Debian Security Advisory (DSA) fixes at image build time.

The trixie-security pocket is applied with priority to ensure OS-level
CVE remediations (OpenSSL, libxml2, nghttp2, libpq, etc.) are picked up
when the image is built.

Related: split from getredash#7718
Co-authored-by: Cursor <cursoragent@cursor.com>
@wtfiwtz wtfiwtz marked this pull request as ready for review June 2, 2026 11:42
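
A check for the claim above that security-pocket fixes are picked up at image build time, as an added example that is not part of this PR or the Redash repository: it reads the output of `apt-get -s upgrade` taken from a built image and lists upgrades still pending from the Debian-Security origin. The sample output and its version strings are constructed, and `IMAGE` in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the PR): find security updates a built image lacks.
# Input on stdin is the text printed by `apt-get -s upgrade`; -s only
# simulates, so nothing in the image is changed.
#
# Assumed usage against a built image (IMAGE is a placeholder):
#   docker run --rm --user root IMAGE \
#     sh -c 'apt-get update -qq && apt-get -s upgrade' | image_is_current

# Print "package old -> new" for every pending upgrade whose candidate is
# offered by the Debian-Security origin. Only "Inst" lines count: the
# matching "Conf" lines name the same package and would double-report it.
pending_security_updates() {
    awk '$1 == "Inst" && /Debian-Security:/ {
        if ($3 ~ /^\[/) {
            old = substr($3, 2, length($3) - 2)   # "[1.0]" -> "1.0"
            new = substr($4, 2)                   # "(1.1"  -> "1.1"
        } else {
            old = "none"                          # package not installed yet
            new = substr($3, 2)
        }
        print $2, old, "->", new
    }'
}

# Return 0 when no security upgrade is pending, 1 otherwise, so the check
# can gate a CI job. Pending packages are listed on stderr.
image_is_current() {
    pending=$(pending_security_updates)
    [ -z "$pending" ] && return 0
    printf '%s\n' "$pending" >&2
    return 1
}

# Constructed sample of simulation output (package versions are made up):
# one pending upgrade from the security pocket, one from trixie-updates.
SAMPLE_SIM='Reading package lists...
Building dependency tree...
Inst libssl3t64 [3.5.1-1] (3.5.1-1+deb13u1 Debian-Security:13/stable-security [amd64])
Inst tzdata [2025b-4] (2025b-4+deb13u1 Debian:13-updates/stable-updates [all])
Conf libssl3t64 (3.5.1-1+deb13u1 Debian-Security:13/stable-security [amd64])
Conf tzdata (2025b-4+deb13u1 Debian:13-updates/stable-updates [all])'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SIM" | pending_security_updates
```

An image that passes on the day it is built will fail this check once a later DSA lands, so it is worth running on a schedule against published tags as well as in the build.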

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 3 files
