Open pgavlin opened 2 years ago
Updating dependencies on a more regular cadence would be useful. In the past Snyk has indicated there are vulns in our base images that have been patched, but since we don't update our images except when we release a new CLI release, we won't get those patches until the next release.
The problem then is that image tags are no longer immutable, which I'd consider extremely undesirable.
Even when commands run by the Dockerfile are identical up to the installation of `pulumi`, the latest image does not share any layers with prior images. This may be by design--it ensures that each new version is actually running `yum update`, amongst other things--but it means that even if `pulumi/pulumi:v1.2.3` is present locally, `docker pull pulumi/pulumi:v1.2.4` will always pull all layers besides the base (`python:3.9-slim`). This means that pulling a new version of `pulumi/pulumi` ends up downloading something like 750MB of data.

It might be nice to e.g. factor out the installation of the dependencies into its own image that can serve as the base image for `pulumi/pulumi`. That base image could then be updated at its own cadence, and new versions of `pulumi/pulumi` would be able to share all layers up to the installation of Pulumi itself.
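The split proposed in the comment above, written out as an added illustration (this is not the project's Dockerfile and not code from the thread). It assumes a Debian-based `python:3.9-slim` base (hence `apt-get`), an image name `pulumi/pulumi-base` with a date tag, a `PULUMI_VERSION` build argument, and the release tarball URL pattern `https://get.pulumi.com/releases/sdk/pulumi-v<version>-linux-x64.tar.gz`; all of these are assumptions for the example. The two files are shown in one block, separated by comment headers, and are meant to be saved separately.

```dockerfile
# ---------------------------------------------------------------------------
# Dockerfile.base (hypothetical): dependency layers, rebuilt on its own cadence.
# Build and push independently of CLI releases, for example when a patched
# base-image vulnerability is reported:
#   docker build -f Dockerfile.base -t pulumi/pulumi-base:2023-01-15 .
#   docker push pulumi/pulumi-base:2023-01-15
# ---------------------------------------------------------------------------
FROM python:3.9-slim

# Assumption: Debian-based image, so package updates go through apt-get.
# Pulling in OS security updates is the whole reason this stage exists; it
# lives here so the CLI image never has to repeat it.
RUN apt-get update \
 && apt-get upgrade -y \
 && apt-get install -y --no-install-recommends ca-certificates curl git \
 && rm -rf /var/lib/apt/lists/*

# Language runtimes and tooling the CLI needs at run time would be installed
# here as well (assumed list; add what the real image requires).
RUN pip install --no-cache-dir --upgrade pip setuptools

# ---------------------------------------------------------------------------
# Dockerfile (hypothetical): the CLI image. Everything above the Pulumi
# download is inherited from the base, so `docker pull` of a new CLI tag only
# fetches the layers created below.
# Build:
#   docker build --build-arg PULUMI_VERSION=3.50.0 -t pulumi/pulumi:v3.50.0 .
# ---------------------------------------------------------------------------
# Pin the base by tag for readability; pin by digest for reproducible builds
# (the base tag may move, the digest cannot). <digest> is a placeholder, not a
# real value:
#   FROM pulumi/pulumi-base@sha256:<digest>
ARG BASE_IMAGE=pulumi/pulumi-base:2023-01-15
FROM ${BASE_IMAGE}

ARG PULUMI_VERSION
# Assumed URL pattern for the release tarball; verify a checksum or signature
# here in a production build rather than trusting the download blindly.
RUN curl -fsSL "https://get.pulumi.com/releases/sdk/pulumi-v${PULUMI_VERSION}-linux-x64.tar.gz" \
      -o /tmp/pulumi.tar.gz \
 && tar -xzf /tmp/pulumi.tar.gz -C /usr/local/bin --strip-components=1 \
 && rm /tmp/pulumi.tar.gz \
 && pulumi version

ENTRYPOINT ["pulumi"]
```

With this layout, `docker history pulumi/pulumi:v3.50.0` shows the base layers with the same IDs as `pulumi/pulumi-base:2023-01-15`, so a host that already has the base (or any earlier CLI image built on it) pulls only the final layer for a new CLI tag. Rebuilding the base produces a new tag or digest; the CLI image is rebuilt against it when the dependency refresh should be picked up, which keeps the CLI tag itself immutable.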