Merge pull request #43 from PostHog/tom/openssl

Don't execute `dnf upgrade` during docker build

Author: Piccirello

src/docker/Dockerfile

@@ -2,9 +2,6 @@ FROM ghcr.io/astral-sh/uv:0.9.5 AS uv
 
 FROM public.ecr.aws/lambda/python:3.13
 
-# Patch OpenSSL FIPS provider vulnerability
-RUN dnf upgrade -y openssl openssl-libs openssl-fips-provider && dnf clean all
-
 # Copy uv from the official image
 COPY --from=uv /uv /bin/uv
 

src/docker/Dockerfile.attribute_syncer

@@ -32,9 +32,6 @@ RUN --mount=from=uv,source=/uv,target=/bin/uv \
 
 FROM public.ecr.aws/lambda/python:3.13
 
-# Patch OpenSSL FIPS provider vulnerability
-RUN dnf upgrade -y openssl openssl-libs openssl-fips-provider && dnf clean all
-
 # Copy the runtime dependencies from the builder stage with proper ownership
 COPY --from=builder --chown=1000:1000 ${LAMBDA_TASK_ROOT} ${LAMBDA_TASK_ROOT}
 

src/docker/Dockerfile.requester

@@ -32,9 +32,6 @@ RUN --mount=from=uv,source=/uv,target=/bin/uv \
 
 FROM public.ecr.aws/lambda/python:3.13
 
-# Patch OpenSSL FIPS provider vulnerability
-RUN dnf upgrade -y openssl openssl-libs openssl-fips-provider && dnf clean all
-
 # Copy the runtime dependencies from the builder stage with proper ownership
 COPY --from=builder --chown=1000:1000 ${LAMBDA_TASK_ROOT} ${LAMBDA_TASK_ROOT}
 

src/docker/Dockerfile.revoker

@@ -32,9 +32,6 @@ RUN --mount=from=uv,source=/uv,target=/bin/uv \
 
 FROM public.ecr.aws/lambda/python:3.13
 
-# Patch OpenSSL FIPS provider vulnerability
-RUN dnf upgrade -y openssl openssl-libs openssl-fips-provider && dnf clean all
-
 # Copy the runtime dependencies from the builder stage with proper ownership
 COPY --from=builder --chown=1000:1000 ${LAMBDA_TASK_ROOT} ${LAMBDA_TASK_ROOT}