Conversation

@NielsCodes (Contributor) commented Dec 18, 2025

Purpose

Bumps dependencies to fix critical and high severity CVEs.
Also introduces security measures for safer Docker images.

Proposal

  • Update Django and regenerate poetry lock files.
  • Update NextJS and transient dependencies.
  • Add non-root user to Dockerfiles.
  • Prevent installing recommended dependencies in apt-get install commands.
  • Use Alpine base image for frontend to avoid critical CVEs in zlib. Also leads to 5% smaller image size.
  • Bump base image versions for mta-out and rspamd Dockerfiles.

Summary by CodeRabbit

  • Chores

    • Updated Django to version 5.1.15
    • Updated Next.js to version 15.5.9
    • Updated i18next-cli to version 1.32.0
    • Optimized container base images for improved efficiency
    • Updated Python runtime to version 3.13.7
  • Security

    • Hardened container security by implementing non-root user execution


Fixes various CVEs in django, joserfc and urllib3
Fixes various CVEs
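As an added check, not code from this PR or the project: a POSIX shell lint for the three Dockerfile points in the proposal above (a non-root USER in the final stage, --no-install-recommends on every apt-get install, and ownership handled before the user switch). It assumes only sh and awk; the three sample Dockerfiles it writes are constructed for the demonstration and are not the repository's files.

```shell
#!/bin/sh
# Added example (not part of the PR): minimal Dockerfile hardening lint.
# Assumptions: POSIX sh + awk; sample Dockerfiles below are constructed.

# Join backslash-continued lines so a multi-line RUN becomes one logical
# instruction that the checks can inspect as a whole.
join_continuations() {
  awk '
    { if (sub(/\\[ \t]*$/, "")) { buf = buf $0 " "; next } }
    { print buf $0; buf = "" }
    END { if (buf != "") print buf }
  ' "$1"
}

# Print one finding per logical line; exit status 1 when anything was found.
dockerfile_lint() {
  join_continuations "$1" | awk '
    BEGIN { bad = 0; stage = 0 }
    { ins = toupper($1) }
    # Every FROM starts a build stage, which runs as root until USER says otherwise.
    ins == "FROM" { stage++; user[stage] = "root"; next }
    ins == "USER" { u = $2; sub(/:.*/, "", u); user[stage] = u; next }
    # Recommended packages are attack surface nobody asked for.
    ins == "RUN" && /apt-get[ \t]+install/ && !/--no-install-recommends/ {
      print "line " NR ": apt-get install without --no-install-recommends"; bad = 1
    }
    # COPY/ADD create root-owned files regardless of USER; after the switch
    # they need --chown or the runtime user cannot write what it received.
    stage > 0 && (ins == "COPY" || ins == "ADD") &&
      user[stage] != "root" && user[stage] != "0" && !/--chown=/ {
      print "line " NR ": " $1 " after USER " user[stage] " without --chown"; bad = 1
    }
    END {
      if (stage == 0) { print "no FROM instruction"; bad = 1 }
      else if (user[stage] == "root" || user[stage] == "0") {
        print "final stage runs as root: add a non-root USER"; bad = 1
      }
      exit bad
    }
  '
}

# Number of findings for a file (0 for a clean Dockerfile).
finding_count() {
  dockerfile_lint "$1" | wc -l | tr -d ' '
}

# Constructed samples: one missing the flag and the USER, one copying after
# the switch without --chown, one that passes all three checks.
write_samples() {
  cat > "$1/bad-root.Dockerfile" <<'EOF'
FROM python:3.13.5-slim-bookworm
RUN apt-get update && apt-get install -y \
    postfix \
    && rm -rf /var/lib/apt/lists/*
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
EOF
  cat > "$1/bad-copy.Dockerfile" <<'EOF'
FROM node:22-alpine AS build
COPY . /src
RUN npm ci && npm run build
FROM node:22-alpine
USER node
COPY --from=build /src/.next /app/.next
EOF
  cat > "$1/good.Dockerfile" <<'EOF'
FROM python:3.13.7-slim-trixie
RUN apt-get update && apt-get install -y --no-install-recommends \
    postfix \
    && rm -rf /var/lib/apt/lists/*
COPY --chown=nobody:nogroup entrypoint.sh /entrypoint.sh
USER nobody
ENTRYPOINT ["/entrypoint.sh"]
EOF
}

# Usage: lint the constructed samples and print findings.
workdir=$(mktemp -d)
write_samples "$workdir"
for f in "$workdir"/*.Dockerfile; do
  echo "== $(basename "$f")"
  dockerfile_lint "$f" && echo "   clean"
done
rm -rf "$workdir"
```

The COPY-after-USER rule catches a case the proposal does not mention: COPY and ADD always write root-owned files, so a copy placed after the user switch needs --chown (or a later chown) or the runtime user cannot write into what it received, which is the same failure the review flagged for the pytest cache.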
@coderabbitai bot commented Dec 18, 2025

Walkthrough

This PR updates base images across multiple Docker services to newer patch versions, bumps application dependencies (Django, Next.js, i18next-cli), and implements non-root execution with adjusted file permissions across test and runtime containers for improved security.

Changes

Cohort / File(s) Summary
Dependency Version Bumps
src/backend/pyproject.toml, src/frontend/package.json
Bumps Django from 5.1.13 to 5.1.15, Next.js from 15.5.8 to 15.5.9, and i18next-cli from 1.5.5 to 1.32.0.
Base Image Updates
src/frontend/Dockerfile, src/mpa/rspamd/Dockerfile, src/mta-out/Dockerfile, src/socks-proxy/Dockerfile
Updates base images: node:22-slim → node:22-alpine, debian:12.10-slim → debian:13.2-slim, python:3.13.5-slim-bookworm → python:3.13.7-slim-trixie. Consolidates RUN commands in socks-proxy with --no-install-recommends and apt list cleanup.
Non-Root User & Permission Changes
src/mpa/rspamd/Dockerfile, src/mpa/tests/Dockerfile, src/socks-proxy/Dockerfile, src/socks-proxy/tests/Dockerfile
Adds USER directives for non-root execution (_rspamd, nobody) and adjusts file ownership via chown to align runtime permissions with designated users.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Notes for review:
    • Verify that Alpine and Debian version changes do not introduce package availability issues
    • Confirm non-root user permissions do not break runtime services (especially nginx config writes in rspamd and pytest cache in test containers)
    • Check that i18next-cli major version bump (1.5.5 → 1.32.0) does not introduce breaking changes for build workflows

Poem

🐰 Version bumps and Docker dreams,
Alpine slims and Debian schemes,
No more root, we're secure and tight,
Every container now runs right!
Safety hopping through the night! 🚀

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'Update deps & improve image security' accurately reflects the main objectives of the changeset, which includes dependency updates and security improvements (non-root users, Alpine base image, and CVE fixes).
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cd4a45b and b8921d9.

📒 Files selected for processing (6)
  • src/frontend/Dockerfile (1 hunks)
  • src/mpa/rspamd/Dockerfile (2 hunks)
  • src/mpa/tests/Dockerfile (1 hunks)
  • src/mta-out/Dockerfile (1 hunks)
  • src/socks-proxy/Dockerfile (2 hunks)
  • src/socks-proxy/tests/Dockerfile (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (4)
  • src/mta-out/Dockerfile
  • src/mpa/rspamd/Dockerfile
  • src/frontend/Dockerfile
  • src/mpa/tests/Dockerfile
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: test-back
  • GitHub Check: test-front
  • GitHub Check: check-api-state
  • GitHub Check: lint-back
  • GitHub Check: docker-publish-socks-proxy / docker-build-push
  • GitHub Check: test-e2e
  • GitHub Check: build-front
  • GitHub Check: lint-front
🔇 Additional comments (3)
src/socks-proxy/Dockerfile (2)

7-7: LGTM! Efficient image layer consolidation.

The consolidated RUN command with --no-install-recommends and apt list cleanup follows Docker best practices for reducing image size and attack surface.


26-27: Verify that sockd daemon can run without write permissions.

Running as nobody is a security improvement, but the sockd daemon requires write access to /tmp for lockfiles and memory-mapped files, and may need to write PID files. Ensure that:

  • The entrypoint.sh script doesn't attempt to write to read-only locations
  • The sockd daemon is configured to write to /tmp or another writable location for the nobody user
  • The PID file is either pre-created or directed to a writable location that nobody can access
  • No bind-mounted volumes require write access from the container
src/socks-proxy/tests/Dockerfile (1)

18-21: LGTM! This addresses the previous review concern.

The addition of chown -R nobody:nogroup /app before switching to USER nobody correctly resolves the write permission issues for pytest cache and coverage files that were flagged in the previous review. The nobody user will now be able to create .pytest_cache and write coverage output files.



@coderabbitai bot left a comment

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/mta-out/Dockerfile (1)

66-82: Critical: Permission mismatch between directory creation and runtime user.

Lines 66-72 create directories and certificates as root:

  • /etc/postfix/sasl
  • /var/spool/postfix/private and /var/spool/postfix/public
  • SSL certificates via make-ssl-cert

However, line 81 switches to USER nobody before the entrypoint runs. The nobody user will lack write permissions to these root-owned directories, which postfix requires for queue management and SASL authentication.

Solutions:

  1. Add RUN chown -R nobody:nogroup commands for the necessary directories after creation
  2. Handle permission setup in entrypoint.sh before dropping privileges
  3. Use a dedicated postfix user instead of nobody
🔎 Example fix - adjust ownership before switching users:
 # Ensure self-signed certificates are available (can be overridden by env vars/mounts)
 RUN make-ssl-cert generate-default-snakeoil
 
 # We don't need the default sasldb2 file, we use the one in the chroot jail.
 RUN rm -rf /etc/sasldb2
 
+# Adjust ownership for nobody user
+RUN chown -R nobody:nogroup /var/spool/postfix /etc/postfix/sasl
+
 ENV PATH="/venv/bin:$PATH"
 ENV VIRTUAL_ENV=/venv
 ENV VIRTUAL_ENV_PROMPT=venv
 
 USER nobody
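Review bot: the added `chown -R nobody:nogroup /var/spool/postfix /etc/postfix/sasl` line combined with the `USER nobody` that follows rules out solution 2 from the list above: an entrypoint that already runs as nobody can neither fix ownership of root-owned paths nor drop privileges, so the `rg` check for chown/gosu/su-exec in entrypoint.sh only matters if line 81's `USER nobody` is removed. Pick one model: either keep `USER nobody` and do every ownership fix at build time as this patch does, or leave the Dockerfile at root and drop privileges inside entrypoint.sh. Two further points on the patch itself: the snakeoil key written by `make-ssl-cert generate-default-snakeoil` at the top of the hunk is not covered by the chown, so confirm the runtime account can read it (by default it is root-owned under /etc/ssl/private), and handing the whole spool to the daemon's own account is broader than needed; the third option, a dedicated postfix user with the chown narrowed to the directories it actually writes, is the least-privilege choice of the three.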

Alternatively, verify that entrypoint.sh handles these permissions appropriately:

#!/bin/bash
# Description: Check if entrypoint.sh manages permissions for postfix directories

rg -n -C5 'chown|chmod|setcap|gosu|su-exec' src/mta-out/entrypoint.sh
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6558bf8 and cd4a45b.

⛔ Files ignored due to path filters (3)
  • src/backend/poetry.lock is excluded by !**/*.lock
  • src/frontend/package-lock.json is excluded by !**/package-lock.json
  • src/mta-in/poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (9)
  • src/backend/pyproject.toml (1 hunks)
  • src/frontend/Dockerfile (1 hunks)
  • src/frontend/package.json (2 hunks)
  • src/mpa/rspamd/Dockerfile (2 hunks)
  • src/mpa/tests/Dockerfile (1 hunks)
  • src/mta-in/Dockerfile (1 hunks)
  • src/mta-out/Dockerfile (2 hunks)
  • src/socks-proxy/Dockerfile (2 hunks)
  • src/socks-proxy/tests/Dockerfile (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)
  • GitHub Check: build-front
  • GitHub Check: docker-publish-socks-proxy / docker-build-push
  • GitHub Check: test-e2e
  • GitHub Check: test-front
  • GitHub Check: lint-back
  • GitHub Check: lint-front
  • GitHub Check: check-api-state
  • GitHub Check: test-back
🔇 Additional comments (9)
src/mta-out/Dockerfile (2)

83-83: Explicit entrypoint improves clarity.

Adding an explicit ENTRYPOINT instruction enhances the Dockerfile's readability and makes the container's entry point clear.


2-2: Base image update from Bookworm to Trixie.

The update from python:3.13.5-slim-bookworm (Debian 12) to python:3.13.7-slim-trixie (Debian 13 stable) upgrades both Python and the base OS. The patch version bump (3.13.5 → 3.13.7) includes security and bug fixes. Over 63% of packages are updated in Trixie, with Python upgraded to 3.13. Applications should note Debian's adoption of PEP 668, which restricts system-wide pip installations—containerized applications typically handle this transparently.

src/socks-proxy/Dockerfile (2)

7-7: Improved image size with --no-install-recommends.

Consolidating the apt-get command with --no-install-recommends reduces image size by avoiding unnecessary packages while still maintaining required build dependencies.


26-27: SOCKS proxy port configuration is secure.

The Dante SOCKS proxy is configured to listen on port 1080 (non-privileged, ≥1024) by default through the PROXY_INTERNAL_PORT environment variable in entrypoint.sh. This means the nobody user has the necessary permissions to bind without requiring additional capabilities (setcap), and the security improvement from running as non-root is fully realized.

src/frontend/Dockerfile (1)

1-1: Alpine compatibility verified—no problematic native dependencies found.

Alpine uses musl libc instead of glibc, which can cause compatibility issues with certain packages. However, this project's dependencies are primarily pure JavaScript libraries (Next.js, React, and ecosystem tools) with no known glibc-dependent native modules like bcrypt, canvas, or sqlite3. The presence of @rollup/rollup-linux-x64-musl in optionalDependencies indicates Alpine awareness, and modern Sass versions provide pre-built binaries for musl environments. The switch to node:22-alpine is safe for this codebase.

src/frontend/package.json (1)

68-68: Review of i18next-cli version 1.32.0 configuration is unnecessary—the current setup is properly configured.

The project uses a well-formed i18next.config.ts with modern settings (keySeparator: false, nsSeparator: false) and maintains 10 language locales across multiple namespaces. While the version jump is significant, no documented breaking changes exist between 1.5.5 and 1.32.0 in i18next-cli's public records. The extraction script (i18next-cli extract) is correctly defined in package.json, and the locale output structure is properly organized. If the extraction currently works without errors, no configuration updates are required.

src/mpa/tests/Dockerfile (1)

10-10: Running tests as nobody aligns with security best practices for non-root container execution. However, since these tests perform only HTTP requests to the rspamd service without creating files or artifacts, the specific file permission concerns mentioned are not applicable to this test suite.

src/mpa/rspamd/Dockerfile (2)

4-4: LGTM! Security improvement by reducing attack surface.

Adding --no-install-recommends prevents unnecessary package installations, reducing both the image size and potential security vulnerabilities. This aligns with container security best practices.


1-1: Debian 13 is now stable and suitable for production. Debian 13 (trixie) is the current stable distribution, initially released on August 9th, 2025, with version 13.2 released on November 15th, 2025. It is supported for the next 5 years. The base image update is appropriate.

"cryptography==45.0.5",
"dj-database-url==2.3.0",
"django==5.1.13",
"django==5.1.15",
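Review bot: this hunk only moves the django pin from 5.1.13 to 5.1.15; the joserfc and urllib3 fixes named in the commit message are not visible here and must live in poetry.lock, which the `!**/*.lock` path filter excludes from review. Suggest adding minimum-version constraints for those two next to the existing pins (same style as `"dj-database-url==2.3.0"`) so a later `poetry lock` cannot resolve back to a vulnerable release, and running `pip-audit` over the exported lock in CI so the claim in the commit message is checked rather than assumed.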

⚠️ Potential issue | 🔴 Critical

Upgrade to Django 5.1.15 addresses critical SQL injection and DoS vulnerabilities.

The patch version bump from 5.1.13 to 5.1.15 fixes a high-severity SQL injection vulnerability in FilteredRelation on PostgreSQL and a moderate-severity XML deserialization DoS vulnerability. Additionally, intermediate version 5.1.14 fixes Windows-specific DoS issues in redirect handling. The upgrade is security-critical.

🤖 Prompt for AI Agents
In src/backend/pyproject.toml at line 32, the Django dependency should be
upgraded to 5.1.15; update the version string from "django==5.1.13" (or current
minor pin) to "django==5.1.15", then regenerate/refresh your lockfile (poetry
lock / pip-tools compile / update dependency manager) and run the test suite to
ensure compatibility; commit the updated pyproject.toml and lockfile together.

"i18next": "25.3.0",
"i18next-http-backend": "3.0.2",
"next": "15.5.8",
"next": "15.5.9",
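Review bot: only `next` changes in this hunk, and package-lock.json is excluded by the `!**/package-lock.json` filter, so the resolved dependency tree cannot be confirmed from what is visible. The `npm audit` step the AI prompt recommends should be a CI gate (`npm audit --audit-level=high` after `npm ci`) rather than a one-off run, and the PR should note the `npm ls next` output so a reviewer can see that 15.5.9 is what the lockfile actually resolves.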

⚠️ Potential issue | 🔴 Critical

Critical security update required — upgrade to Next.js 15.5.9.

The update from 15.5.8 to 15.5.9 addresses multiple critical vulnerabilities in React Server Components, including CVE-2025-55182 (CVSS 10.0 RCE), CVE-2025-55184 (CVSS 7.5 DoS), and CVE-2025-55183 (CVSS 5.3 source code exposure). The initial fix for CVE-2025-55184 was incomplete; a complete fix has been issued under CVE-2025-67779. Immediate upgrade is essential.

🤖 Prompt for AI Agents
In src/frontend/package.json around line 43, the Next.js dependency must be
upgraded from 15.5.8 to 15.5.9 to address multiple critical CVEs; update the
"next" entry to "15.5.9", then run your package manager (npm/yarn/pnpm) to
regenerate the lockfile (package-lock.json/yarn.lock/pnpm-lock.yaml), run the
test suite and a dependency audit (npm audit or equivalent), and commit both the
package.json and updated lockfile.
