Open ginkel opened 2 years ago
If I'm not mistaken, the official Docker image is built using GitHub Actions. The image job could be scheduled to be rebuilt periodically. It would be great if the scheduled action checked whether there are any pending critical updates before building and publishing a new image, to keep the noise for users to a minimum.
For Python dependencies we could use GitHub's Dependabot.
I think Dependabot is already used, I saw a few pull requests from the bot ...
Yes, you're right. E.g. #1304 #1288.
Hi there,
initially, let me say "thanks" for creating and maintaining paperless-ng. As Docker is my preferred deployment method, I had a look at the jonaswinkler/paperless-ng Docker image. AFAICS, this image currently does not seem to get updated when security issues are fixed, as revealed using a trivy scan:

Just re-building the image (which I set up as tgbyte/paperless-ng) gets rid of the OS vulnerabilities. In the long run, however, I think it would be great if the official image came with regular security updates.

This leaves Python package vulnerabilities, the relevance of which I am not sure about (and that would probably need to be fixed by a new release that updates requirements.txt).

Thanks, Thilo
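One way to implement the gate the scheduled-rebuild comment asks for, using the kind of trivy scan the issue describes: the script below reads a Trivy JSON report and decides whether a rebuild is warranted. This is an added example, not code from the paperless-ng project or from anyone in this thread. It assumes the report was produced by `trivy image --format json --output report.json <image>` and uses the report's `Results[].Class` (`os-pkgs` / `lang-pkgs`) and `Results[].Vulnerabilities[]` fields (`VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the embedded sample report and its `CVE-EXAMPLE-*` identifiers are constructed for the example and are not real findings.

```python
"""Gate a scheduled Docker image rebuild on a Trivy JSON report.

Added example, not paperless-ng project code. Assumes the Trivy JSON layout
noted in the lead-in: Results[].Class is "os-pkgs" or "lang-pkgs" and each
Results[].Vulnerabilities[] entry carries VulnerabilityID, PkgName,
InstalledVersion, FixedVersion and Severity.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def fixable_findings(report, min_severity="HIGH"):
    """Split findings at or above min_severity that have a FixedVersion.

    Returns (os_findings, lang_findings). A rebuild pulls in the fixed OS
    package, so only os_findings justify publishing a new image; lang_findings
    (e.g. Python packages) need a requirements.txt bump and a new release.
    Findings without a FixedVersion are dropped: rebuilding cannot remove them,
    so counting them would only add noise for users.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    os_findings, lang_findings = [], []
    for result in report.get("Results") or []:
        bucket = os_findings if result.get("Class") == "os-pkgs" else lang_findings
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "UNKNOWN")).upper()
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            if not vuln.get("FixedVersion"):
                continue
            bucket.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln["FixedVersion"],
                "severity": severity,
            })
    return os_findings, lang_findings


def should_rebuild(report, min_severity="HIGH"):
    """True when at least one fixable OS-package finding meets the threshold."""
    os_findings, _ = fixable_findings(report, min_severity)
    return bool(os_findings)


# Constructed sample report (placeholder IDs and package names, not real CVEs).
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "paperless-ng (debian 11.2)", "Class": "os-pkgs", "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-1", "PkgName": "libexample1",
                 "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.1-1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-2", "PkgName": "libother",
                 "InstalledVersion": "4.2-3", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-3", "PkgName": "libminor",
                 "InstalledVersion": "2.1-1", "FixedVersion": "2.1-2", "Severity": "LOW"},
            ],
        },
        {
            "Target": "usr/src/paperless/requirements.txt", "Class": "lang-pkgs", "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-4", "PkgName": "examplepkg",
                 "InstalledVersion": "3.2.4", "FixedVersion": "3.2.5", "Severity": "HIGH"},
            ],
        },
    ]
}


def main(argv):
    """Usage: python gate.py [report.json] [MIN_SEVERITY]; prints rebuild=true/false."""
    report = json.load(open(argv[0])) if argv else SAMPLE_REPORT
    min_severity = argv[1] if len(argv) > 1 else "HIGH"
    os_findings, lang_findings = fixable_findings(report, min_severity)
    for f in os_findings:
        print(f"rebuild fixes {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} ({f['severity']})")
    for f in lang_findings:
        print(f"needs requirements.txt bump: {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']}")
    print(f"rebuild={'true' if os_findings else 'false'}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

In a scheduled workflow step the `rebuild=true`/`rebuild=false` line can be appended to `$GITHUB_OUTPUT` and used as the condition for the build-and-push step, so an image is only published when a rebuild actually removes something; the language-package findings are reported separately because, as the issue notes, they need a release that updates requirements.txt rather than a rebuild.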