Update outdated dependencies automatically
The image contains a lot of technical debt (debian 12 instead of 13, php 8.2 instead of 8.4, supervisord instead of multirun, ...). Can dependabot or renovate be enabled to update most things automatically?
trivy reports
Total: 230 (UNKNOWN: 1, LOW: 165, MEDIUM: 35, HIGH: 23, CRITICAL: 6)
It's not possible to use the official PHP images or alternatives like https://github.com/serversideup/docker-php?
Hi @reneleonhardt,
Thanks for the suggestions, we really appreciate your interest!
Debian 13 is on our radar and it comes with php8.4. We have been testing it for a week and it will come soon. However, it is highly unlikely that this image will move from debian base image in the near future as debian has proven to be very stable and reliable for us without having too much maintenance.
- Renovate bot sure could be helpful for some issues and indeed is an option that we explored in the past. It might be a good moment to add it.
- Multirun is not part of the debian repositories so we would need a good argument in order to drop supervisord or some other process monitoring tool that is part of debian repositories.
- Trivy report is a bit misleading, especially just pasting the number of vulnerabilities. Some of them are marked as won't fix possibly due to a false positive, for example (https://github.com/aquasecurity/trivy/discussions/6722). Some of these issues will go away with the new build based on trixie.
I wouldn't consider this "technical debt" but in any case we'll bump the image after we confirm our packages work fine for the multiple use cases we support.
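Added example, not part of the thread or of the project's code: one way to break a Trivy report down by severity and fix status instead of quoting a single total, so "won't fix" entries are visible separately from findings that have a fixed package version. It assumes the Trivy JSON report layout (`Results[].Vulnerabilities[]` with `Severity`, `Status`, `FixedVersion`); the sample report, package names and CVE ids are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape of `trivy image --format json` output.
# Package names and CVE ids are placeholders, not findings from this image.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "example (debian 12)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a",
             "Severity": "CRITICAL", "Status": "will_not_fix"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b",
             "Severity": "CRITICAL", "Status": "fixed", "FixedVersion": "1.2-3"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "pkg-c",
             "Severity": "HIGH", "Status": "affected"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "pkg-d",
             "Severity": "LOW", "Status": "will_not_fix"},
        ]},
        # A target with no findings carries no "Vulnerabilities" key.
        {"Target": "app/composer.lock"},
    ]
})


def triage(report_json):
    """Count findings per (severity, status); list those with a fixed version."""
    report = json.loads(report_json)
    counts = Counter()
    actionable = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN")
            status = vuln.get("Status", "unknown")
            counts[(severity, status)] += 1
            # A non-empty FixedVersion means a package upgrade resolves it.
            if vuln.get("FixedVersion"):
                actionable.append((severity, vuln["PkgName"],
                                   vuln["VulnerabilityID"], vuln["FixedVersion"]))
    return counts, actionable


if __name__ == "__main__":
    counts, actionable = triage(SAMPLE_REPORT)
    for (severity, status), n in sorted(counts.items()):
        print(f"{severity:<9} {status:<13} {n}")
    for severity, pkg, vuln_id, fixed in actionable:
        print(f"upgrade {pkg} to {fixed} ({vuln_id}, {severity})")
```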
If you want to try a lightweight alternative: https://nicolas-van.github.io/multirun/#binary-install
wget -c https://github.com/nicolas-van/multirun/releases/download/1.1.3/multirun-x86_64-linux-gnu-1.1.3.tar.gz -O - | tar -xz