From 7d9a0748bfd06f84eeb63be8a117212210896d73 Mon Sep 17 00:00:00 2001
From: Charles Dabard <257413340+charlesDabard@users.noreply.github.com>
Date: Sun, 5 Apr 2026 00:23:17 +0200
Subject: [PATCH] fix(security): add apk upgrade to helper and realtime Dockerfiles

The production Dockerfile already runs apk upgrade at build time. The helper and realtime Dockerfiles were missing this step. The helper (Alpine 3.21) ships with CVE-2025-15467 in OpenSSL 3.3.5. The realtime (Alpine 3.18) has outdated OpenSSL 3.1.2 with HIGH CVEs. Adding apk upgrade before apk add makes both images consistent with the production Dockerfile.
---
 docker/coolify-helper/Dockerfile | 3 ++-
 docker/coolify-realtime/Dockerfile | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/docker/coolify-helper/Dockerfile b/docker/coolify-helper/Dockerfile
index 14879eb96..9c984a5ee 100644
--- a/docker/coolify-helper/Dockerfile
+++ b/docker/coolify-helper/Dockerfile
@@ -28,7 +28,8 @@ ARG NIXPACKS_VERSION
 USER root
 WORKDIR /artifacts
-RUN apk add --no-cache bash curl git git-lfs openssh-client tar tini
+RUN apk upgrade --no-cache && \
+ apk add --no-cache bash curl git git-lfs openssh-client tar tini
 RUN mkdir -p ~/.docker/cli-plugins
 RUN if [[ ${TARGETPLATFORM} == 'linux/amd64' ]]; then \
 curl -sSL https://github.com/docker/buildx/releases/download/v${DOCKER_BUILDX_VERSION}/buildx-v${DOCKER_BUILDX_VERSION}.linux-amd64 -o ~/.docker/cli-plugins/docker-buildx && \
diff --git a/docker/coolify-realtime/Dockerfile b/docker/coolify-realtime/Dockerfile
index 99157268b..325a30dcc 100644
--- a/docker/coolify-realtime/Dockerfile
+++ b/docker/coolify-realtime/Dockerfile
@@ -10,7 +10,8 @@ ARG TARGETPLATFORM
 ARG CLOUDFLARED_VERSION
 WORKDIR /terminal
-RUN apk add --no-cache openssh-client make g++ python3 curl
+RUN apk upgrade --no-cache && \
+ apk add --no-cache openssh-client make g++ python3 curl
 COPY docker/coolify-realtime/package.json ./
 RUN npm i
 RUN npm rebuild node-pty --update-binary
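Review bot: The new `RUN apk upgrade --no-cache && \` line in the helper Dockerfile only patches OpenSSL on a build where that layer is actually executed; because the instruction text is now constant, BuildKit will reuse the cached layer on subsequent builds, and the image keeps whatever package set existed when the cache was populated, so the CVE cited in the commit message can silently come back without anything in the diff changing. Consider making the step cache-sensitive, e.g. `ARG APK_UPGRADE_DATE=unset` (a constructed example name) referenced in the same RUN via `RUN echo "$APK_UPGRADE_DATE" >/dev/null && apk upgrade --no-cache && \`, or documenting that CI builds these images with `--no-cache` and pins the base image by digest bumped per release. The same caveat applies to the realtime hunk. The `FROM` line is outside this hunk, so the base image tag and any digest pin cannot be checked from here.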
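Review bot: In the realtime Dockerfile, `apk upgrade` on the new `RUN` line can only install what the base image's Alpine repositories still publish, and the commit message identifies that base as Alpine 3.18, a branch that reached end of life in May 2025 and no longer receives security updates; if that is accurate, the HIGH OpenSSL findings the message cites will likely persist after this change rather than be fixed by it. The durable remedy is to bump the `FROM` image (outside this hunk) to a supported Alpine release and keep the upgrade step as defence in depth. It would help future maintainers to state that limitation beside the line, e.g. `# apk upgrade only pulls fixes while the base image's Alpine branch is supported; bump FROM before it reaches EOL`.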