Conversation

@kevin-benton
Contributor

Snyk has created this PR to fix 4 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

  • docker/python-plotting/Dockerfile

We recommend upgrading to python:3.14.2-alpine, as this image has only 0 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

Issue (Snyk ID), score:

  • critical severity: Integer Overflow or Wraparound (SNYK-ALPINE321-SQLITE-12675067), score 264
  • critical severity: CVE-2025-6965 (SNYK-ALPINE321-SQLITE-11191065), score 263
  • high severity: Integer Overflow or Wraparound (SNYK-ALPINE321-SQLITE-9712340), score 161
  • high severity: CVE-2025-26519 (SNYK-ALPINE321-MUSL-8720634), score 139

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:

🦉 Integer Overflow or Wraparound

@kevin-benton
Contributor Author

Merge Risk: High

This upgrade to Python 3.14 introduces a significant breaking change.

Highlights:

  • Breaking Change: Code using return, break, or continue to exit a finally block will now raise a SyntaxError. This is part of PEP 765 and will require code modification. [5, 6]
  • Other Changes: The release also officially supports free-threaded (no-GIL) Python, defers the evaluation of type annotations, and adds a new zstd compression module. [1, 2, 5]

Source: Python 3.14 Release Notes
Recommendation: Before merging, search your codebase for any return, break, or continue statements within finally blocks and refactor them.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
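One way to do the search the recommendation above asks for, as an added example that is not part of this PR or of the Snyk/Copilot tooling: an `ast`-based checker (names are my own) that reports `return`, `break` or `continue` statements that would leave a `finally` block, the pattern PEP 765 targets, while ignoring ones that only exit a nested function or a loop opened inside the `finally`. `find_finally_exits` takes a module's source text and returns `(line, statement)` pairs; run it over each `.py` file in the repository before merging.

```python
import ast

class FinallyExitFinder(ast.NodeVisitor):
    """Collects (lineno, stmt) for each return/break/continue that would exit a finally block."""
    def __init__(self):
        self.findings = []
        self._in_finally = False       # inside some finalbody
        self._loop_in_finally = False  # inside a loop that was opened within that finalbody

    def _visit_try(self, node):
        for child in node.body + node.handlers + node.orelse:
            self.visit(child)
        saved = (self._in_finally, self._loop_in_finally)
        self._in_finally, self._loop_in_finally = True, False
        for child in node.finalbody:
            self.visit(child)
        self._in_finally, self._loop_in_finally = saved
    visit_Try = visit_TryStar = _visit_try  # TryStar is the except* form (3.11+)

    def _visit_scope(self, node):
        # A nested function is its own frame: its return/break/continue cannot
        # leave the enclosing finally block, so the state resets for its body.
        saved = (self._in_finally, self._loop_in_finally)
        self._in_finally = self._loop_in_finally = False
        self.generic_visit(node)
        self._in_finally, self._loop_in_finally = saved
    visit_FunctionDef = visit_AsyncFunctionDef = visit_Lambda = visit_ClassDef = _visit_scope

    def _visit_loop(self, node):
        saved = self._loop_in_finally
        self._loop_in_finally = saved or self._in_finally  # break/continue may target this loop
        for child in node.body:
            self.visit(child)
        self._loop_in_finally = saved  # break/continue in the loop's else clause target an outer loop
        for child in node.orelse:
            self.visit(child)
    visit_For = visit_AsyncFor = visit_While = _visit_loop

    def _exit(self, node, stmt, loop_ok):
        if self._in_finally and not (loop_ok and self._loop_in_finally):
            self.findings.append((node.lineno, stmt))
    def visit_Return(self, node): self._exit(node, "return", loop_ok=False)
    def visit_Break(self, node): self._exit(node, "break", loop_ok=True)
    def visit_Continue(self, node): self._exit(node, "continue", loop_ok=True)

def find_finally_exits(source):
    """Return [(lineno, stmt), ...] for every offending statement in the given module source."""
    finder = FinallyExitFinder()
    finder.visit(ast.parse(source))
    return finder.findings
```

A `return` in `finally` also silently discards any exception that was in flight, which is why these sites deserve a manual look rather than a mechanical rewrite.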

@adthrasher adthrasher requested a review from Copilot January 12, 2026 20:44

Copilot AI left a comment

Pull request overview

This PR upgrades the Python base image in the plotting Dockerfile from version 3.13.1-alpine to 3.14.2-alpine to address critical and high severity security vulnerabilities in Alpine Linux dependencies (sqlite and musl).

Changes:

  • Updates the Python Docker base image version to resolve 4 security vulnerabilities with severity scores ranging from 139 to 264

@adthrasher
Member

The corresponding package.json needs to have the version updated. All references to the image also need to be bumped to the new version.

…tches (#287)

Upgrades Python base image from 3.13.1-alpine to 3.14.2-alpine to
address 4 vulnerabilities in SQLite and musl (2 critical, 2 high
severity).

Before submitting this PR, please make sure:

- [x] You have added a few sentences describing the PR here.
- [x] The code passes all CI tests without any errors or warnings.
- [x] You have added tests (when appropriate).
- [x] You have added an entry in any relevant CHANGELOGs (when
appropriate).
- [x] If you have made any changes to the `scripts/` or `docker/`
directories, please ensure any image versions have been incremented
accordingly!
- [x] You have updated the README or other documentation to account for
these changes (when appropriate).

## Changes

- `docker/python-plotting/Dockerfile`: Base image `python:3.13.1-alpine`
→ `python:3.14.2-alpine`
- `docker/python-plotting/package.json`: Version bump `2.0.6` → `2.0.7`
- `workflows/methylation/methylation-cohort.wdl`: Container reference
updated to `2.0.7`

## Security Impact

Fixes vulnerabilities:
- SNYK-ALPINE321-SQLITE-12675067 (Critical, CVE score 264)
- SNYK-ALPINE321-SQLITE-11191065 (Critical, CVE-2025-6965, CVE score
263)
- SNYK-ALPINE321-SQLITE-9712340 (High, CVE score 161)
- SNYK-ALPINE321-MUSL-8720634 (High, CVE-2025-26519, CVE score 139)

<details>

<summary>Original prompt</summary>

> Pull Request: #285
> 
> 


</details>
---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: adthrasher <1165729+adthrasher@users.noreply.github.com>

4 participants