From 93ccb5bd51aa0b852f78e5c7a3cd76ca57ebfeee Mon Sep 17 00:00:00 2001
From: Radith Samarakoon
Date: Fri, 10 Apr 2026 17:12:50 +0530
Subject: [PATCH 1/2] Add openssl upgrade for security patch
---
 python-interpreter/Dockerfile | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/python-interpreter/Dockerfile b/python-interpreter/Dockerfile
index 8a09f91..db6c9ba 100644
--- a/python-interpreter/Dockerfile
+++ b/python-interpreter/Dockerfile
@@ -1,6 +1,9 @@
 # Stage 1: Builder
 FROM python:3.13-alpine AS builder
+# Patch CVE-2026-28390
+RUN apk upgrade --no-cache libcrypto3 libssl3
+
 # Install uv for fast dependency management
 COPY --from=ghcr.io/astral-sh/uv:0.10.0 /uv /uvx /bin/
@@ -31,6 +34,9 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 # VARIANT=full installs Node.js, npm (npx), git, and uv/uvx for MCP server support.
 # VARIANT=slim ships only Python + .venv.
 FROM python:3.13-alpine
+
+# Patch CVE-2026-28390
+RUN apk upgrade --no-cache libcrypto3 libssl3
 ARG VARIANT=full
 # Validate VARIANT early so typos fail loudly instead of silently producing a slim build.
From 485a8d3bc92210b8b5da686df05a0cf38152d974 Mon Sep 17 00:00:00 2001
From: Radith Samarakoon
Date: Fri, 10 Apr 2026 18:20:19 +0530
Subject: [PATCH 2/2] Address review comments
---
 python-interpreter/Dockerfile | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/python-interpreter/Dockerfile b/python-interpreter/Dockerfile
index db6c9ba..c0f5b05 100644
--- a/python-interpreter/Dockerfile
+++ b/python-interpreter/Dockerfile
@@ -1,9 +1,6 @@
 # Stage 1: Builder
 FROM python:3.13-alpine AS builder
-# Patch CVE-2026-28390
-RUN apk upgrade --no-cache libcrypto3 libssl3
-
 # Install uv for fast dependency management
 COPY --from=ghcr.io/astral-sh/uv:0.10.0 /uv /uvx /bin/
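Review bot: The added `RUN apk upgrade --no-cache libcrypto3 libssl3` in PATCH 1/2 exits successfully even when the package repository does not yet carry the fixed OpenSSL build, so the image can ship unpatched under a comment saying CVE-2026-28390 is patched. This applies to the final-stage line after `FROM python:3.13-alpine`; the builder-stage copy from the first hunk is dropped again in PATCH 2/2. I would make the step fail closed by requiring the fixed release, e.g. `RUN apk add --no-cache 'libcrypto3>=<FIXED_VERSION>' 'libssl3>=<FIXED_VERSION>'` with the version taken from the Alpine advisory, or at least append `&& apk list --installed libcrypto3 libssl3` so the resulting versions show in the build log. Because the instruction text never changes, a cached layer will be reused on later builds, so CI presumably needs `--pull --no-cache` (or a digest-pinned base that is bumped) for this step to keep picking up fixes. Both stages continue outside the hunks.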
@@ -35,7 +32,7 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 # VARIANT=slim ships only Python + .venv.
 FROM python:3.13-alpine
-# Patch CVE-2026-28390
+# Upgrade OpenSSL libs to pick up security fixes not yet in the base image
 RUN apk upgrade --no-cache libcrypto3 libssl3
 ARG VARIANT=full
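Review bot: The reworded comment above `RUN apk upgrade --no-cache libcrypto3 libssl3` no longer names CVE-2026-28390, so the Dockerfile does not record why the step exists or when it can be deleted. I would keep the identifier and state the removal condition, e.g. `# Upgrade OpenSSL libs for CVE-2026-28390; remove once python:3.13-alpine ships the fixed libcrypto3/libssl3`. That also gives image scanners' findings something to be matched against during triage. The final stage continues outside the hunk.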