fix(security): add apk upgrade to helper and realtime Dockerfiles

The production Dockerfile already runs apk upgrade at build time.
The helper and realtime Dockerfiles were missing this step.

The helper (Alpine 3.21) ships with CVE-2025-15467 in OpenSSL 3.3.5.
The realtime (Alpine 3.18) has outdated OpenSSL 3.1.2 with HIGH CVEs.

Adding apk upgrade before apk add makes both images consistent
with the production Dockerfile.
Charles Dabard 2026-04-05 00:23:17 +02:00
parent ffb5045c6a
commit 7d9a0748bf
2 changed files with 4 additions and 2 deletions


@ -28,7 +28,8 @@ ARG NIXPACKS_VERSION
USER root
WORKDIR /artifacts
RUN apk add --no-cache bash curl git git-lfs openssh-client tar tini
RUN apk upgrade --no-cache && \
apk add --no-cache bash curl git git-lfs openssh-client tar tini
RUN mkdir -p ~/.docker/cli-plugins
RUN if [[ ${TARGETPLATFORM} == 'linux/amd64' ]]; then \
curl -sSL https://github.com/docker/buildx/releases/download/v${DOCKER_BUILDX_VERSION}/buildx-v${DOCKER_BUILDX_VERSION}.linux-amd64 -o ~/.docker/cli-plugins/docker-buildx && \
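Review bot: the combined `RUN apk upgrade --no-cache && \ apk add ...` layer at +28/+29 is keyed by Docker's layer cache on its instruction text, so any rebuild that hits the cache reuses the layer as it was first built and never picks up a later OpenSSL fix; the upgrade only helps on a cache miss (`docker build --no-cache`, a cache-busting `ARG`, or a changed base-image digest). Document which of those the release process relies on, otherwise the CVE named in the commit message can reappear silently on the next cached build. Keeping both apk commands in one RUN with `--no-cache`, as done here, is right, since splitting them would leave a stale package index in an intermediate layer.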


@ -10,7 +10,8 @@ ARG TARGETPLATFORM
ARG CLOUDFLARED_VERSION
WORKDIR /terminal
RUN apk add --no-cache openssh-client make g++ python3 curl
RUN apk upgrade --no-cache && \
apk add --no-cache openssh-client make g++ python3 curl
COPY docker/coolify-realtime/package.json ./
RUN npm i
RUN npm rebuild node-pty --update-binary
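Review bot: `apk upgrade` at +10/+11 cannot reach past what the base image's package branch still publishes, and this hunk leaves that base image (Alpine 3.18 per the commit message) unchanged, so the claim that it clears the HIGH CVEs in OpenSSL 3.1.2 needs checking rather than assuming. After the build, confirm the installed version is a patched one (for example `apk list --installed openssl` inside the image) and, if the 3.18 repositories no longer ship a fix, bump the base image instead of relying on `apk upgrade`.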