[Snyk] Security upgrade python from 3.9 to 3.13.12#6
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-DEBIAN13-IMAGEMAGICK-15044354
- https://snyk.io/vuln/SNYK-DEBIAN13-IMAGEMAGICK-15044354
- https://snyk.io/vuln/SNYK-DEBIAN13-IMAGEMAGICK-15044354
- https://snyk.io/vuln/SNYK-DEBIAN13-IMAGEMAGICK-15044366
- https://snyk.io/vuln/SNYK-DEBIAN13-IMAGEMAGICK-15044366
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| @@ -1,5 +1,5 @@ | |||
| # This Dockerfile is only for GitHub Actions | |||
| FROM python:3.9 | |||
| FROM python:3.13.12 | |||
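Review bot: the new `FROM python:3.13.12` line pins an exact patch release, so the image will stop receiving 3.13.x security fixes the moment 3.13.13 ships and will need another upgrade PR each time; if the intent is to keep picking up fixes, `FROM python:3.13` tracks the series (a digest can be added if reproducible builds matter more). Also note that both findings this PR fixes are in ImageMagick, which the default Debian-based `python` tag inherits from its buildpack-deps base, while the comment on the first line of the hunk says this Dockerfile exists only for GitHub Actions; if those jobs do not need ImageMagick, a `-slim` variant removes that package outright instead of patching it, and the change should be verified against the pinned `setup.py` dependencies before merge given the 3.9 to 3.13 jump.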
Python 3.13 upgrade breaks pinned dependency compatibility
High Severity
Upgrading from python:3.9 to python:3.13.12 jumps four major versions while setup.py pins dependencies to old ranges only tested through Python 3.9. Notably, invoke>=1.4.1,<2 (used via from invoke import run in dist.py and pre_commit.py) has known inspect.getargspec removal issues on Python 3.11+, and twine>=3,<4 relies on distutils which was removed in Python 3.12. These pinned constraints prevent installing newer compatible versions, risking build or runtime failures.


Snyk has created this PR to fix 2 vulnerabilities in the dockerfile dependencies of this project.
Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.
Snyk changed the following file(s):
- Dockerfile

We recommend upgrading to python:3.13.12, as this image has only 260 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:
- SNYK-DEBIAN13-IMAGEMAGICK-15044354
- SNYK-DEBIAN13-IMAGEMAGICK-15044354
- SNYK-DEBIAN13-IMAGEMAGICK-15044354
- SNYK-DEBIAN13-IMAGEMAGICK-15044366
- SNYK-DEBIAN13-IMAGEMAGICK-15044366
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Heap-based Buffer Overflow
Note
Medium Risk
Low scope change, but it upgrades the container’s Python runtime from 3.9 to 3.13 which can break dependencies or scripts executed in GitHub Actions.
Overview
Updates the GitHub Actions Dockerfile base image from python:3.9 to python:3.13.12 to pick up newer OS/Python security fixes and reduce known vulnerabilities. No other build steps or action behavior are changed.

Written by Cursor Bugbot for commit cce42d3. This will update automatically on new commits.