[Snyk] Security upgrade python from 3.10.6 to 3.14.4

[sihrc]

Snyk has created this PR to fix 3 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

• {{cookiecutter.project_slug}}/Dockerfile

We recommend upgrading to python:3.14.4, as this image has only 275 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	CVE-2025-27363 SNYK-DEBIAN11-FREETYPE-9402510	829
	CVE-2025-27363 SNYK-DEBIAN11-FREETYPE-9402510	829
	CVE-2025-27363 SNYK-DEBIAN11-FREETYPE-9402510	829
	Out-of-bounds Write SNYK-DEBIAN11-GLIBC-5927133	829
	CVE-2023-44487 SNYK-DEBIAN11-NGHTTP2-5953384	829

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Out-of-bounds Write

---

Note

Medium Risk
Updates the runtime/build base image from Python 3.10.6 to 3.14.4, which can introduce incompatibilities in compiled dependencies or runtime behavior despite being a small diff.

Overview
Upgrades the Docker base image used in both the builder and final stages from python:3.10.6 to python:3.14.4 to pick up upstream security fixes (and associated Debian library updates).

^{Reviewed by Cursor Bugbot for commit f5edd75. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit f5edd75. Configure here.}

[cursor]

Python 3.14 incompatible with pinned dependency versions

High Severity

Upgrading the base image to python:3.14.4 breaks the Docker build because the template's pyproject.toml pins dependencies to version ranges incompatible with Python 3.14. Specifically, black = "^23.9.1" caps at <24 (3.14 support added in 25.11.0), pytest = "^7.4.2" caps at <8 (3.14 support added in 8.4+), and pytest-asyncio = "^0.21.1" is similarly too old. The RUN poetry install step in the builder stage will fail to resolve compatible packages.

Additional Locations (1)

• {{cookiecutter.project_slug}}/Dockerfile#L15-L16

 

^{Reviewed by Cursor Bugbot for commit f5edd75. Configure here.}