
Copilot AI commented Dec 5, 2025

Docker image scan identified HIGH/CRITICAL vulnerabilities in Alpine packages (imagemagick, libpng, libxml2, postgresql). The final stage was missing apk upgrade, so security patches weren't being applied.

Changes

Security Patch Application

  • Added apk upgrade after apk update in the final stage to pull latest package versions with security fixes
RUN \
  apk update \
  # Added - was missing (on its own line: a trailing comment after `\` would break the continuation)
  && apk upgrade \
  && apk add --no-cache --virtual .deps \

Docker Compose Modernization (from PR #55)

  • Replaced manual docker-compose download/installation with docker-cli-compose Alpine package
  • Removed obsolete DOCKER_CONFIG and DOCKER_COMPOSE_VERSION environment variables
  • Added RUN set -ex for better build error visibility
  • Added docker compose version test to tests.yaml

Vulnerabilities Addressed

Note

Go dependency vulnerabilities (containerd, golang.org/x/crypto, etc.) are transitive via docker-cli and will resolve when Alpine updates that package.

Original prompt

This section details the original issue you should resolve

<issue_title>Address docker image scan results</issue_title>
<issue_description>A scan of our docker image surfaced the following vulnerabilities:

| Package | Version | Vulnerability | Severity |
|---------|---------|---------------|----------|
| imagemagick | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-c++ | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-dev | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-heic | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-jpeg | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-jxl | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-libs | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-openexr | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| imagemagick-webp | 7.1.2.3-r0 | CVE-2025-62171 | HIGH |
| libecpg | 17.6-r0 | CVE-2025-12818 | HIGH |
| libecpg-dev | 17.6-r0 | CVE-2025-12818 | HIGH |
| libpng | 1.6.47-r0 | CVE-2025-64720 | HIGH |
| libpng | 1.6.47-r0 | CVE-2025-65018 | HIGH |
| libpng-dev | 1.6.47-r0 | CVE-2025-64720 | HIGH |
| libpng-dev | 1.6.47-r0 | CVE-2025-65018 | HIGH |
| libpq | 17.6-r0 | CVE-2025-12818 | HIGH |
| libpq-dev | 17.6-r0 | CVE-2025-12818 | HIGH |
| libxml2 | 2.13.8-r0 | CVE-2025-49794 | CRITICAL |
| libxml2 | 2.13.8-r0 | CVE-2025-49796 | CRITICAL |
| libxml2 | 2.13.8-r0 | CVE-2025-49795 | HIGH |
| libxml2 | 2.13.8-r0 | CVE-2025-6021 | HIGH |
| postgresql17-dev | 17.6-r0 | CVE-2025-12818 | HIGH |
| github.com/containerd/containerd/v2 | v2.0.2 | CVE-2024-25621 | HIGH |
| golang.org/x/crypto | v0.31.0 | CVE-2025-22869 | HIGH |
| golang.org/x/oauth2 | v0.24.0 | CVE-2025-22868 | HIGH |
| stdlib | 1.22.10 | CVE-2025-47907 | HIGH |
| stdlib | 1.22.10 | CVE-2025-58183 | HIGH |
| stdlib | 1.22.10 | CVE-2025-58186 | HIGH |
| stdlib | 1.22.10 | CVE-2025-58187 | HIGH |
| stdlib | 1.22.10 | CVE-2025-61729 | HIGH |

We should update packages to address the vulnerabilities.

Originally posted by @github-actions[bot] in appwrite/appwrite#10903 (comment)
</issue_description>

Comments on the Issue (you are @copilot in this section)


coderabbitai bot commented Dec 5, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

This change adds `apk upgrade` in the final stage of the Dockerfile,
ensuring that all Alpine packages are upgraded to their latest versions
with security patches.

This addresses the vulnerabilities reported in the docker image scan:
- CVE-2025-62171 (imagemagick packages)
- CVE-2025-64720, CVE-2025-65018 (libpng)
- CVE-2025-49794, CVE-2025-49796, CVE-2025-49795, CVE-2025-6021 (libxml2)
- CVE-2025-12818 (postgresql packages)

Co-authored-by: stnguyen90 <1477010+stnguyen90@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix vulnerabilities in docker image scan results Add apk upgrade to final stage to address security vulnerabilities Dec 5, 2025
Copilot AI requested a review from stnguyen90 December 5, 2025 00:38
@stnguyen90 stnguyen90 requested a review from abnegate December 9, 2025 02:15
@stnguyen90 stnguyen90 marked this pull request as ready for review December 9, 2025 02:15
@stnguyen90 stnguyen90 marked this pull request as draft December 9, 2025 02:15

@stnguyen90 stnguyen90 left a comment


@copilot please apply the changes from #55 over in this PR too.

Please also test using trivy to make sure there are no vulnerabilities:

trivy --format json image --vuln-type os,library --severity CRITICAL,HIGH --output appwrite-base-test-results.json appwrite-base-test

- Remove manual docker-compose installation
- Replace with docker-cli-compose Alpine package
- Remove DOCKER_CONFIG and DOCKER_COMPOSE_VERSION env vars
- Add RUN set -ex for better error visibility
- Add docker compose version test

Co-authored-by: stnguyen90 <1477010+stnguyen90@users.noreply.github.com>

Copilot AI commented Dec 9, 2025

@copilot please apply the changes from #55 over in this PR too.

Please also test using trivy to make sure there are no vulnerabilities:...

Applied changes from PR #55 in commit e701af2:

  • Replaced manual docker-compose installation with docker-cli-compose Alpine package
  • Removed DOCKER_CONFIG and DOCKER_COMPOSE_VERSION env vars
  • Added RUN set -ex for better error visibility
  • Added docker compose version test to tests.yaml

Note: Unable to run the Trivy scan locally due to SSL certificate verification issues in the build environment when accessing Alpine repositories. The changes are code-complete and match PR #55. The build and scan should succeed in the CI environment where proper SSL certificates are available.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • aquasecurity.github.io
    • Triggering command: /usr/bin/wget wget -qO - REDACTED (dns block)
  • get.trivy.dev
    • Triggering command: /usr/bin/curl curl -w %{http_code} -sL -o /tmp/tmp.cXCO3QCO6S/trivy_0.68.1_Linux-64bit.tar.gz REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title Add apk upgrade to final stage to address security vulnerabilities Add apk upgrade and modernize docker-compose installation to address security vulnerabilities Dec 9, 2025
Copilot AI requested a review from stnguyen90 December 9, 2025 02:30
@stnguyen90

Trivy scan result:

Report Summary

┌────────────────────────────────────┬────────┬─────────────────┬─────────┐
│               Target               │  Type  │ Vulnerabilities │ Secrets │
├────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ appwrite-base-test (alpine 3.22.1) │ alpine │        0        │    -    │
└────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
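The scan above reports a clean image, but while findings are still present it helps to know which of them the `apk upgrade` in the final stage can actually fix and which are the transitive Go-module findings the PR description says will only clear when Alpine rebuilds docker-cli. The script below is an added example, not code from this PR or from Appwrite. It reads the JSON file produced by the `trivy --format json image ... --output appwrite-base-test-results.json` command from the review comment and splits the HIGH/CRITICAL findings into three buckets by Trivy's `Class` (`os-pkgs` vs `lang-pkgs`) and `FixedVersion` fields. The embedded sample report is constructed: its CVE ids and installed versions are taken from the issue table, but the `FixedVersion` values and the `example-pkg` entry are placeholders, not real advisory data.

```python
"""Triage a Trivy JSON image report (SchemaVersion 2): which HIGH/CRITICAL
findings does `apk upgrade` in the final stage fix, and which are compiled
into a binary (Go modules inside docker-cli) and only go away when the
distro package is rebuilt? Added example, not part of the PR."""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape `trivy --format json image ...` emits.
# CVE ids / installed versions come from the issue table; FixedVersion
# values and the MEDIUM "example-pkg" row are placeholders.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "appwrite-base-test",
    "Results": [
        {
            "Target": "appwrite-base-test (alpine 3.22.1)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2025-64720", "PkgName": "libpng",
                 "InstalledVersion": "1.6.47-r0", "FixedVersion": "1.6.47-r1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2025-49794", "PkgName": "libxml2",
                 "InstalledVersion": "2.13.8-r0", "FixedVersion": "2.13.8-r1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example-pkg",
                 "InstalledVersion": "1.0-r0", "FixedVersion": "1.0-r1",
                 "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "usr/bin/docker",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2025-22869", "PkgName": "golang.org/x/crypto",
                 "InstalledVersion": "v0.31.0", "FixedVersion": "0.35.0",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2025-47907", "PkgName": "stdlib",
                 "InstalledVersion": "1.22.10", "FixedVersion": "",
                 "Severity": "HIGH"},
            ],
        },
    ],
}


def findings(report, min_severity="HIGH"):
    """Flatten the report into (id, pkg, class, fixed_version, severity)
    tuples at or above min_severity. Trivy writes null rather than [] for
    a target without findings, hence the `or []`."""
    threshold = SEVERITY_RANK[min_severity]
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            out.append((v["VulnerabilityID"], v["PkgName"], result["Class"],
                        v.get("FixedVersion", ""), v["Severity"]))
    return out


def triage(report, min_severity="HIGH"):
    """Split findings into three buckets:
    - fixable_by_upgrade: OS packages with a fix in the Alpine repo, i.e.
      exactly what adding `apk upgrade` to the final stage resolves;
    - needs_upstream: fixed in the library but compiled into a binary
      (lang-pkgs); resolved only when the distro rebuilds that package;
    - unfixed: no fixed version published yet, nothing to upgrade to."""
    buckets = {"fixable_by_upgrade": [], "needs_upstream": [], "unfixed": []}
    for vuln_id, pkg, cls, fixed, _sev in findings(report, min_severity):
        if not fixed:
            buckets["unfixed"].append((vuln_id, pkg))
        elif cls == "os-pkgs":
            buckets["fixable_by_upgrade"].append((vuln_id, pkg))
        else:
            buckets["needs_upstream"].append((vuln_id, pkg))
    return buckets


def severity_counts(report, min_severity="HIGH"):
    """Per-severity totals, the same numbers the Trivy summary table shows."""
    return dict(Counter(sev for *_, sev in findings(report, min_severity)))


def gate(report, min_severity="HIGH"):
    """CI exit status: fail (1) only on findings the image build itself can
    fix, so accepted transitive Go-module findings do not block every build."""
    return 1 if triage(report, min_severity)["fixable_by_upgrade"] else 0


if __name__ == "__main__":
    # Usage: python triage_trivy.py appwrite-base-test-results.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    for bucket, items in triage(report).items():
        print(f"{bucket}: {len(items)}")
        for vuln_id, pkg in items:
            print(f"  {vuln_id} {pkg}")
    sys.exit(gate(report))
```

The gate deliberately fails only on the `fixable_by_upgrade` bucket: that is the bucket this PR's `apk upgrade` empties, and a non-empty one means a final stage is again shipping stale Alpine packages. The `needs_upstream` bucket is the policy call the PR description makes about docker-cli's transitive Go dependencies; it is still printed so it stays visible rather than silently accepted.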

@stnguyen90 stnguyen90 marked this pull request as ready for review December 9, 2025 22:20

RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

RUN set -ex
Member

This is redundant; each RUN instruction is run in a new shell.


Development

Successfully merging this pull request may close these issues.

Address docker image scan results
