Pin Dockerfile base images to specific versions #7

Open
opened 2026-02-22 03:31:32 +00:00 by claude · 0 comments

## Problem

Several Dockerfiles use floating tags that produce non-reproducible builds:

- `polygon/bor/Dockerfile` line 2: `FROM golang:latest-alpine as builder`
- `polygon/bor/Dockerfile` line 20: `FROM alpine:latest`

## Impact

- Builds are non-deterministic — the same Dockerfile can produce different images on different days
- A breaking change in a base image could silently break node builds
- Makes debugging build failures harder

## Fix

Pin to specific versions:

```dockerfile
FROM golang:1.22-alpine as builder
FROM alpine:3.19
```

Also audit other Dockerfiles for similar floating tag usage (e.g., `dynaconf/Dockerfile` uses `python:bullseye`).

---

*Found during codebase audit*

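The audit the issue asks for, as an added example that is not part of the ethereum-rpc-docker repository: a POSIX shell script that walks the `FROM` lines of a Dockerfile and reports every base image that is not pinned by digest, skipping references to earlier build stages and `--platform` flags. The policy it applies is an assumption of the example, not the issue's: only an `@sha256` digest counts as pinned, because a version tag such as `alpine:3.19` is still re-pointed by the publisher as patch builds are pushed, so tag pinning narrows the drift but does not make the build reproducible. The sample Dockerfile it writes is constructed to mirror the two lines reported above (with a placeholder digest), and the script and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the ethereum-rpc-docker repo): audit Dockerfile FROM
# lines for floating base-image references. Policy assumed here: only a
# reference carrying an @sha256 digest counts as pinned; "latest", "latest-*",
# untagged images and plain version tags (e.g. alpine:3.19) are all reported.
set -f   # FROM lines are split with "set --"; never let a "*" in one glob

# classify_image REF: prints pinned | floating-latest | floating-untagged |
#                     floating-tag | arg-unresolved
classify_image() {
    ref="$1"
    case "$ref" in
        *@sha256:*) echo pinned; return ;;
        *\$*)       echo arg-unresolved; return ;;   # FROM ${BASE}: needs build args
    esac
    # Drop a registry host (first path component containing "." or ":", or
    # "localhost") so a registry port is not mistaken for a tag separator.
    name="$ref"
    case "$name" in
        */*)
            first="${name%%/*}"
            case "$first" in *.*|*:*|localhost) name="${name#*/}" ;; esac ;;
    esac
    case "$name" in
        *:*) tag="${name##*:}" ;;
        *)   echo floating-untagged; return ;;
    esac
    case "$tag" in
        latest|latest-*) echo floating-latest ;;
        *)               echo floating-tag ;;
    esac
}

# audit_dockerfile FILE: prints "FILE:LINE: REF CLASS" for every FROM that is
# not digest-pinned, skipping references to earlier build stages ("AS name").
# Returns 1 if anything was reported, 0 if every base image is pinned.
audit_dockerfile() {
    file="$1"; stages=" "; rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line
        [ "$#" -gt 0 ] || continue
        case "$1" in [Ff][Rr][Oo][Mm]) ;; *) continue ;; esac
        shift
        while [ "$#" -gt 0 ]; do            # skip --platform=... and other flags
            case "$1" in --*) shift ;; *) break ;; esac
        done
        [ "$#" -gt 0 ] || continue
        ref="$1"
        case "$stages" in *" $ref "*) continue ;; esac   # FROM <earlier stage>
        if [ "$#" -ge 3 ]; then
            case "$2" in [Aa][Ss]) stages="$stages$3 " ;; esac
        fi
        cls=$(classify_image "$ref")
        if [ "$cls" != pinned ]; then
            printf '%s:%d: %s %s\n' "$file" "$n" "$ref" "$cls"
            rc=1
        fi
    done < "$file"
    return "$rc"
}

# write_sample_dockerfile PATH: constructed sample mirroring the two lines this
# issue reports, plus a digest-pinned image (placeholder digest) and a stage ref.
write_sample_dockerfile() {
cat > "$1" <<'EOF'
# constructed sample, not the real polygon/bor/Dockerfile
FROM golang:latest-alpine as builder
WORKDIR /src
RUN go build -o /out/bor ./cmd/bor

FROM --platform=$TARGETPLATFORM alpine:latest
COPY --from=builder /out/bor /usr/local/bin/bor

FROM python:bullseye AS tools
FROM alpine:3.19@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS pinned
FROM builder AS final
EOF
}

# Usage: sh audit_base_images.sh polygon/bor/Dockerfile [more Dockerfiles...]
for f in "$@"; do audit_dockerfile "$f"; done
```

Run it as `sh audit_base_images.sh polygon/bor/Dockerfile`; the non-zero exit status makes it usable as a CI gate. The digest for a tag can be read from `docker buildx imagetools inspect alpine:3.19` (or from the `Digest:` line that `docker pull` prints) and appended to the reference as `alpine:3.19@sha256:...`, which keeps the human-readable tag while fixing the exact image.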

Reference: StakeSquid/ethereum-rpc-docker#7