From b005fbac42bd729b60b8d75a5a8a0b9aae11551d Mon Sep 17 00:00:00 2001
From: "avi@robusta.dev"
Date: Mon, 1 Dec 2025 14:40:48 +0200
Subject: [PATCH] patching cves
---
 Dockerfile | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 78b7191..6e877d7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,4 +31,11 @@ ENV PYTHONPATH=$PYTHONPATH:.
 COPY src /app/src
 COPY --from=builder /app/venv /venv
 
+# --- Fix CVE-2025-8869: Upgrade pip in system Python and clean up ---
+RUN python -m pip uninstall -y pip && \
+ rm -rf /usr/local/lib/python3.12/site-packages/pip* && \
+ python -m ensurepip --upgrade && \
+ python -m pip install --no-cache-dir pip==25.3 && \
+ rm -rf /usr/local/lib/python3.12/ensurepip/_bundled/*
+
 ENTRYPOINT ["python", "/app/src/disk_info.py"]
\ No newline at end of file
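Review bot: The added `RUN` step only cleans pip under `/usr/local/lib/python3.12`, while the context line just above copies `/venv` from the builder stage; if that venv carries its own pip (venvs normally do), the image still ships the old copy and scanners will keep reporting CVE-2025-8869 there. The builder stage and `PATH` are outside this hunk, so confirm which interpreter `python` resolves to and what `/venv/lib/python*/site-packages/pip*` contains. Since the entrypoint only runs `disk_info.py`, the runtime image probably does not need pip at all, and removing it also avoids the unhashed PyPI download during the build: `RUN python -m pip uninstall -y pip && rm -rf /venv/lib/python*/site-packages/pip* /usr/local/lib/python*/ensurepip/_bundled/*`. The hard-coded `python3.12` paths also mean both `rm -rf` lines silently become no-ops after a base-image bump, so use a `python*` glob or derive the directory from the interpreter.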