Upgrade to Python 3.11 and fix most existing vulnerabilities

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:18-bookworm AS frontend-builder
+FROM node:20-trixie AS frontend-builder
 
 RUN npm install --global --force [email protected]
 
@@ -37,12 +37,15 @@ RUN <<EOF
   fi
 EOF
 
-FROM python:3.10-slim-bookworm
+FROM python:3.11-slim-trixie
 
 EXPOSE 5000
 
 RUN useradd --create-home redash
 
+# OPTIONAL: Add Debian trixie-proposed-updates repository to fix more recent vulnerabilities
+# RUN echo "deb http://deb.debian.org/debian trixie-proposed-updates main" > /etc/apt/sources.list.d/trixie-proposed-updates.list
+
 # Ubuntu packages
 RUN apt-get update && \
   apt-get install -y --no-install-recommends \
@@ -74,11 +77,11 @@ RUN apt-get update && \
 
 
 ARG TARGETPLATFORM
-ARG databricks_odbc_driver_url=https://databricks-bi-artifacts.s3.us-east-2.amazonaws.com/simbaspark-drivers/odbc/2.6.26/SimbaSparkODBC-2.6.26.1045-Debian-64bit.zip
+ARG databricks_odbc_driver_url=https://databricks-bi-artifacts.s3.us-east-2.amazonaws.com/simbaspark-drivers/odbc/2.9.2/SimbaSparkODBC-2.9.2.1008-Debian-64bit.zip
 RUN <<EOF
   if [ "$TARGETPLATFORM" = "linux/amd64" ]; then
     curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor -o /usr/share/keyrings/microsoft-prod.gpg
-    curl https://packages.microsoft.com/config/debian/12/prod.list > /etc/apt/sources.list.d/mssql-release.list
+    curl https://packages.microsoft.com/config/debian/13/prod.list > /etc/apt/sources.list.d/mssql-release.list
     apt-get update
     ACCEPT_EULA=Y apt-get install  -y --no-install-recommends msodbcsql18
     apt-get clean
@@ -98,18 +101,20 @@ WORKDIR /app
 ENV POETRY_VERSION=1.8.3
 ENV POETRY_HOME=/etc/poetry
 ENV POETRY_VIRTUALENVS_CREATE=false
+ENV PIP_PREFER_BINARY=1
 RUN curl -sSL https://install.python-poetry.org | python3 -
 
-# Avoid crashes, including corrupted cache artifacts, when building multi-platform images with GitHub Actions.
-RUN /etc/poetry/bin/poetry cache clear pypi --all
-
+# Use BuildKit cache mount for Poetry cache to speed up builds
 COPY pyproject.toml poetry.lock ./
 
-ARG POETRY_OPTIONS="--no-root --no-interaction --no-ansi"
+ARG POETRY_OPTIONS="--no-root --no-ansi --no-interaction"
 # for LDAP authentication, install with `ldap3` group
 # disabled by default due to GPL license conflict
 ARG install_groups="main,all_ds,dev"
-RUN /etc/poetry/bin/poetry install --only $install_groups $POETRY_OPTIONS
+RUN --mount=type=cache,target=/root/.cache/pypoetry \
+    /etc/poetry/bin/poetry install --only $install_groups $POETRY_OPTIONS && \
+    /etc/poetry/bin/poetry add "setuptools@latest"
+RUN rm -rf /etc/poetry/venv/lib/python3.11/site-packages/setuptools-65.5.0.dist-info/
 
 COPY --chown=redash . /app
 COPY --from=frontend-builder --chown=redash /frontend/client/dist /app/client/dist

compose.yaml

@@ -5,12 +5,14 @@ x-redash-service: &redash-service
     context: .
     args:
       skip_frontend_build: "true"  # set to empty string to build
+    # Enable BuildKit for faster builds with cache mounts
+    dockerfile: Dockerfile
   volumes:
     - .:/app
   env_file:
     - .env
 x-redash-environment: &redash-environment
-  REDASH_HOST: http://localhost:5001
+  REDASH_HOST: http://localhost:5000
   REDASH_LOG_LEVEL: "INFO"
   REDASH_REDIS_URL: "redis://redis:6379/0"
   REDASH_DATABASE_URL: "postgresql://postgres@postgres/postgres"
@@ -29,7 +31,7 @@ services:
       - postgres
       - redis
     ports:
-      - "5001:5000"
+      - "5000:5000"
       - "5678:5678"
     environment:
       <<: *redash-environment