From 7d9a0748bfd06f84eeb63be8a117212210896d73 Mon Sep 17 00:00:00 2001
From: Charles Dabard <257413340+charlesDabard@users.noreply.github.com>
Date: Sun, 5 Apr 2026 00:23:17 +0200
Subject: [PATCH 1/3] fix(security): add apk upgrade to helper and realtime Dockerfiles
The production Dockerfile already runs apk upgrade at build time. The helper and realtime Dockerfiles were missing this step. The helper (Alpine 3.21) ships with CVE-2025-15467 in OpenSSL 3.3.5. The realtime (Alpine 3.18) has outdated OpenSSL 3.1.2 with HIGH CVEs. Adding apk upgrade before apk add makes both images consistent with the production Dockerfile.
---
 docker/coolify-helper/Dockerfile | 3 ++-
 docker/coolify-realtime/Dockerfile | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/docker/coolify-helper/Dockerfile b/docker/coolify-helper/Dockerfile
index 14879eb96..9c984a5ee 100644
--- a/docker/coolify-helper/Dockerfile
+++ b/docker/coolify-helper/Dockerfile
@@ -28,7 +28,8 @@ ARG NIXPACKS_VERSION
 USER root
 WORKDIR /artifacts
-RUN apk add --no-cache bash curl git git-lfs openssh-client tar tini
+RUN apk upgrade --no-cache && \
+ apk add --no-cache bash curl git git-lfs openssh-client tar tini
 RUN mkdir -p ~/.docker/cli-plugins
 RUN if [[ ${TARGETPLATFORM} == 'linux/amd64' ]]; then \
 curl -sSL https://github.com/docker/buildx/releases/download/v${DOCKER_BUILDX_VERSION}/buildx-v${DOCKER_BUILDX_VERSION}.linux-amd64 -o ~/.docker/cli-plugins/docker-buildx && \
diff --git a/docker/coolify-realtime/Dockerfile b/docker/coolify-realtime/Dockerfile
index 99157268b..325a30dcc 100644
--- a/docker/coolify-realtime/Dockerfile
+++ b/docker/coolify-realtime/Dockerfile
@@ -10,7 +10,8 @@ ARG TARGETPLATFORM
 ARG CLOUDFLARED_VERSION
 WORKDIR /terminal
-RUN apk add --no-cache openssh-client make g++ python3 curl
+RUN apk upgrade --no-cache && \
+ apk add --no-cache openssh-client make g++ python3 curl
 COPY docker/coolify-realtime/package.json ./
 RUN npm i
 RUN npm rebuild node-pty --update-binary
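Review bot: Chaining `apk upgrade --no-cache` in front of `apk add` in the helper hunk makes the package set depend on the day the image is built, so two builds tagged with the same helper version can carry different OpenSSL packages, and the CVE state described in the message is only addressed for builds made after the fix reaches the Alpine branch. The same observation applies to the realtime hunk below and to the development Dockerfile hunk in patch 2. For realtime specifically, the message says the base is Alpine 3.18; as far as I know that branch stopped receiving security updates in May 2025, so `apk upgrade` there will not replace OpenSSL 3.1.2 and only moving to a supported base tag will — worth confirming against the `FROM` line, which is outside the hunk. A short comment above the RUN would keep this visible to the next maintainer, e.g. `# Apply Alpine security updates; the result depends on build date, so rebuild and rescan regularly`.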
From acd07abcce0f2fa67c472e08265b9027e7e69c07 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sun, 5 Apr 2026 18:18:58 +0200
Subject: [PATCH 2/3] fix(security): run apk upgrade in development Dockerfile
Add `apk upgrade --no-cache` before installing GnuPG and PostgreSQL repository keys to ensure base Alpine packages are patched.
---
 docker/development/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docker/development/Dockerfile b/docker/development/Dockerfile
index 98b4d2006..77013e1b9 100644
--- a/docker/development/Dockerfile
+++ b/docker/development/Dockerfile
@@ -33,7 +33,8 @@ RUN docker-php-serversideup-set-id www-data $USER_ID:$GROUP_ID && \
 docker-php-serversideup-set-file-permissions --owner $USER_ID:$GROUP_ID --service nginx
 # Install PostgreSQL repository and keys
-RUN apk add --no-cache gnupg && \
+RUN apk upgrade --no-cache && \
+ apk add --no-cache gnupg && \
 mkdir -p /usr/share/keyrings && \
 curl -fSsL https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor > /usr/share/keyrings/postgresql.gpg
From 4d8a5ba40fb5ecdd8e3ebb97a57c8b6d31d4081f Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sun, 5 Apr 2026 18:32:05 +0200
Subject: [PATCH 3/3] fix(security): bump helper and realtime versions across manifests
Update helper to 1.0.13 and realtime to 1.0.12 in constants, version manifests, and production/windows docker compose files, including nightly variants.
---
 config/constants.php | 4 ++--
 docker-compose.prod.yml | 2 +-
 docker-compose.windows.yml | 2 +-
 other/nightly/docker-compose.prod.yml | 2 +-
 other/nightly/docker-compose.windows.yml | 2 +-
 other/nightly/versions.json | 4 ++--
 versions.json | 4 ++--
 7 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/config/constants.php b/config/constants.php
index 828493208..9ce471560 100644
--- a/config/constants.php
+++ b/config/constants.php
@@ -3,8 +3,8 @@
 return [
 'coolify' => [
 'version' => '4.0.0-beta.471',
- 'helper_version' => '1.0.12',
- 'realtime_version' => '1.0.11',
+ 'helper_version' => '1.0.13',
+ 'realtime_version' => '1.0.12',
 'self_hosted' => env('SELF_HOSTED', true),
 'autoupdate' => env('AUTOUPDATE'),
 'base_config_path' => env('BASE_CONFIG_PATH', '/data/coolify'),
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 0bd4ae2dd..e6d2bce54 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -60,7 +60,7 @@ services:
 retries: 10
 timeout: 2s
 soketi:
- image: '${REGISTRY_URL:-ghcr.io}/coollabsio/coolify-realtime:1.0.11'
+ image: '${REGISTRY_URL:-ghcr.io}/coollabsio/coolify-realtime:1.0.12'
 ports:
 - "${SOKETI_PORT:-6001}:6001"
 - "6002:6002"
diff --git a/docker-compose.windows.yml b/docker-compose.windows.yml
index ca233356a..00734fb0e 100644
--- a/docker-compose.windows.yml
+++ b/docker-compose.windows.yml
@@ -96,7 +96,7 @@ services:
 retries: 10
 timeout: 2s
 soketi:
- image: 'ghcr.io/coollabsio/coolify-realtime:1.0.10'
+ image: 'ghcr.io/coollabsio/coolify-realtime:1.0.12'
 pull_policy: always
 container_name: coolify-realtime
 restart: always
diff --git a/other/nightly/docker-compose.prod.yml b/other/nightly/docker-compose.prod.yml
index 0bd4ae2dd..e6d2bce54 100644
--- a/other/nightly/docker-compose.prod.yml
+++ b/other/nightly/docker-compose.prod.yml
@@ -60,7 +60,7 @@ services:
 retries: 10
 timeout: 2s
 soketi:
- image: '${REGISTRY_URL:-ghcr.io}/coollabsio/coolify-realtime:1.0.11'
+ image: '${REGISTRY_URL:-ghcr.io}/coollabsio/coolify-realtime:1.0.12'
 ports:
 - "${SOKETI_PORT:-6001}:6001"
 - "6002:6002"
diff --git a/other/nightly/docker-compose.windows.yml b/other/nightly/docker-compose.windows.yml
index ca233356a..00734fb0e 100644
--- a/other/nightly/docker-compose.windows.yml
+++ b/other/nightly/docker-compose.windows.yml
@@ -96,7 +96,7 @@ services:
 retries: 10
 timeout: 2s
 soketi:
- image: 'ghcr.io/coollabsio/coolify-realtime:1.0.10'
+ image: 'ghcr.io/coollabsio/coolify-realtime:1.0.12'
 pull_policy: always
 container_name: coolify-realtime
 restart: always
diff --git a/other/nightly/versions.json b/other/nightly/versions.json
index af11ef4d3..a6b1936e6 100644
--- a/other/nightly/versions.json
+++ b/other/nightly/versions.json
@@ -7,10 +7,10 @@
 "version": "4.0.0"
 },
 "helper": {
- "version": "1.0.12"
+ "version": "1.0.13"
 },
 "realtime": {
- "version": "1.0.11"
+ "version": "1.0.12"
 },
 "sentinel": {
 "version": "0.0.21"
diff --git a/versions.json b/versions.json
index af11ef4d3..a6b1936e6 100644
--- a/versions.json
+++ b/versions.json
@@ -7,10 +7,10 @@
 "version": "4.0.0"
 },
 "helper": {
- "version": "1.0.12"
+ "version": "1.0.13"
 },
 "realtime": {
- "version": "1.0.11"
+ "version": "1.0.12"
 },
 "sentinel": {
 "version": "0.0.21"