Skip to content

docker: bump alpine from 3.23.4 to 3.24.1#601

Merged
bgentry merged 1 commit into
masterfrom
dependabot/docker/alpine-3.24.1
Jul 2, 2026
Merged

docker: bump alpine from 3.23.4 to 3.24.1#601
bgentry merged 1 commit into
masterfrom
dependabot/docker/alpine-3.24.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps alpine from 3.23.4 to 3.24.1.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps alpine from 3.23.4 to 3.24.1.

---
updated-dependencies:
- dependency-name: alpine
  dependency-version: 3.24.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file docker labels Jul 1, 2026

@bgentry bgentry left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 Codex review: Security review looks good to me.

I reviewed this as a dependency-upgrade supply-chain/security pass for the Alpine runtime image update at head 15376803ceacb67300c0c705c77bd72a75dc667b.

Scope reviewed:

  • Dockerfile and Dockerfile.pro final runtime image changes.
  • Official Docker Hub library/alpine source and pinned digest behavior.
  • Live Docker Hub manifest-list digest verification with skopeo inspect --raw.
  • CI status, with the known Dependabot riverproui image-publish/OIDC failure treated separately from dependency safety.

No blocking supply-chain issue found. The update keeps the image source on official Docker Hub library/alpine, remains digest-pinned, and changes only the final runtime base image from alpine:3.23.4@sha256:5b10f432... to alpine:3.24.1@sha256:28bd5fe8... in both Dockerfiles.

I independently verified that the current raw manifest-list digest for docker.io/library/alpine:3.24.1 is sha256:28bd5fe8b56d1bd048e5babf5b10710ebe0bae67db86916198a6eec434943f8b, matching the PR.

The remaining failed riverproui image checks are consistent with the known Dependabot OIDC/publish limitation, while the ordinary JS/Go checks and riverui image jobs passed.

@bgentry bgentry merged commit 4ebe63d into master Jul 2, 2026
16 of 18 checks passed
@bgentry bgentry deleted the dependabot/docker/alpine-3.24.1 branch July 2, 2026 14:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file docker

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant