Conversation

@mathieu-benoit
Contributor

@mathieu-benoit mathieu-benoit commented Nov 29, 2025

Bump container base images to fix CVEs.

Summary:

  • cartservice --> 6 CVEs fixed
  • checkoutservice --> 20 CVEs fixed + 12.5MB saved locally on disk
  • frontend --> 20 CVEs fixed + 14MB saved locally on disk
  • productcatalogservice --> 20 CVEs fixed + 17.8MB saved locally on disk
  • shippingservice --> 20 CVEs fixed + 11.7MB saved locally on disk
  • adservice --> no significant changes, just speed up build time
  • currencyservice --> 10 CVEs fixed
  • paymentservice --> 10 CVEs fixed
  • recommendationservice --> 11 CVEs fixed + 3.2MB saved locally on disk
  • emailservice --> 11 CVEs fixed + 3.2MB saved locally on disk
  • loadgenerator --> 11 CVEs fixed

Fixing all these other PRs/Issues:

See the different comments below on this PR for all the details per service/app (what was done, the CVEs fixed, output of docker scout compare).

In addition to successfully going through the CI tests, it is also working locally with Docker Compose:
(screenshot)

Signed-off-by: Mathieu Benoit <[email protected]>
@mathieu-benoit mathieu-benoit marked this pull request as draft November 29, 2025 20:03
@mathieu-benoit
Contributor Author

mathieu-benoit commented Nov 30, 2025

Expand the details below to see what was done for the cartservice app:

cartservice - .NET 9 --> 10

.NET 10 was announced on Nov 11th 2025: https://devblogs.microsoft.com/dotnet/announcing-dotnet-10/.

Container images size locally on disk:

  • cartservice:before: 61.7MB
  • cartservice:after: 62.1MB (+0.4MB)

Fixing:

docker scout compare --to cartservice:before cartservice:after:

  ## Overview
  
                      │                    Analyzed Image                    │                   Comparison Image                    
  ────────────────────┼──────────────────────────────────────────────────────┼───────────────────────────────────────────────────────
    Target            │  cartservice:after                                   │  cartservice:before                                    
      digest          │  ca9a7528b5b6                                        │  69eceebdedd2                                         
      tag             │  latest                                              │  latest                                               
      platform        │ linux/amd64                                          │ linux/amd64                                           
      provenance      │ https://github.com/mathieu-benoit/microservices-demo │ https://github.com/mathieu-benoit/microservices-demo  
                      │  18f3b732934abd656dc013bac7327a95c762b21c            │  18f3b732934abd656dc013bac7327a95c762b21c             
      vulnerabilities │    0C     0H     0M     1L                           │    0C     0H     4M     3L                            
                      │                  -4     -2                           │                                                       
      size            │ 18 MB (+153 kB)                                      │ 18 MB                                                 
      packages        │ 9                                                    │ 9                                                     
                      │                                                      │                                                       
  
  ## Packages and Vulnerabilities

    ⎌    4 packages changed (↑ 4 upgraded, ↓ 0 downgraded)  
         5 packages unchanged
  
    - 6 vulnerabilities removed
  
  
     Package          Type  Version                Compared Version       
  
  ↑  base-files       deb   13ubuntu10.3           13ubuntu10.1           
     ca-certificates  deb   20240203               20240203               
     gcc-14           deb   14.2.0-4ubuntu2~24.04  14.2.0-4ubuntu2~24.04  
     gcc-14-base      deb   14.2.0-4ubuntu2~24.04  14.2.0-4ubuntu2~24.04  
  ↑  libc6            deb   2.39-0ubuntu8.6        2.39-0ubuntu8.3        
     │   +  Dockerfile (33:33)  
     │   +  FROM mcr.microsoft.com/dotnet/runtime-deps:10.0.0-noble-chiseled@sha256:b857c8cb8d929183cfe4c6dd9994abba92a2639dd2dbaf06005379f815991604           
     │   -  Dockerfile (33:33)  
     │   -  FROM mcr.microsoft.com/dotnet/runtime-deps:9.0.1-noble-chiseled@sha256:6f7466eda39e24efaf7eab2325e15d776a685d13cc93b4ea0cde9ee4f7982210            
     │   
     ├─  -  MEDIUM       CVE-2025-8058   [https://scout.docker.com/v/CVE-2025-8058]        
     │                   0.0    
     ├─  -  MEDIUM       CVE-2025-5702   [https://scout.docker.com/v/CVE-2025-5702]        
     │                   0.0    
     └─  -  MEDIUM       CVE-2025-0395   [https://scout.docker.com/v/CVE-2025-0395]        
                         0.0    
  
     libgcc-s1        deb   14.2.0-4ubuntu2~24.04  14.2.0-4ubuntu2~24.04  
  ↑  libssl3t64       deb   3.0.13-0ubuntu3.6      3.0.13-0ubuntu3.4      
     libstdc++6       deb   14.2.0-4ubuntu2~24.04  14.2.0-4ubuntu2~24.04  
  ↑  openssl          deb   3.0.13-0ubuntu3.6      3.0.13-0ubuntu3.4      
     │   +  Dockerfile (33:33)  
     │   +  FROM mcr.microsoft.com/dotnet/runtime-deps:10.0.0-noble-chiseled@sha256:b857c8cb8d929183cfe4c6dd9994abba92a2639dd2dbaf06005379f815991604           
     │   -  Dockerfile (33:33)  
     │   -  FROM mcr.microsoft.com/dotnet/runtime-deps:9.0.1-noble-chiseled@sha256:6f7466eda39e24efaf7eab2325e15d776a685d13cc93b4ea0cde9ee4f7982210            
     │   
     ├─  -  MEDIUM       CVE-2025-9230   [https://scout.docker.com/v/CVE-2025-9230]    
     │                   0.0    
     ├─  -  LOW          CVE-2024-9143   [https://scout.docker.com/v/CVE-2024-9143]    
     │                   0.0    
     └─  -  LOW          CVE-2024-13176  [https://scout.docker.com/v/CVE-2024-13176]  
                         0.0
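Two checks a CI job can run around a bump like the one above, written here as an added example (this is not code from the PR or from the microservices-demo project): the first reads the `vulnerabilities` row of `docker scout compare` text output and fails when the analyzed image still carries Critical or High findings, also recomputing the "N CVEs fixed" figure from the two columns; the second refuses Dockerfiles whose `FROM` lines are not pinned to an `@sha256` digest, the way the new `runtime-deps` line is. All function names are this example's own; the sample inputs are constructed from the cartservice and checkoutservice output quoted in this PR.

```shell
#!/bin/sh
# Added example, not code from this PR or the microservices-demo project.
#  1. severity_counts / removed_count / gate_no_critical_high parse the
#     "vulnerabilities" row of `docker scout compare` text output.
#  2. unpinned_from rejects FROM lines without a 64-hex @sha256 digest, so a
#     moving tag such as 10.0.0-noble-chiseled cannot change under the build.
# Sample inputs are constructed from the scout output quoted in this PR.

SAMPLE_SCOUT_OUTPUT='
    Target            │  cartservice:after     │  cartservice:before
      vulnerabilities │    0C     0H     0M     1L   │    0C     0H     4M     3L
                      │                  -4     -2   │
'

# Constructed: the row when the new image is still unpatched (counts are the
# checkoutservice "before" column quoted in this PR).
SAMPLE_SCOUT_OUTPUT_UNPATCHED='
      vulnerabilities │    1C     5H    14M     0L   │    1C     5H    14M     0L
'

# severity_counts TEXT COLUMN -> "C H M L" for column 1 (analyzed image) or
# column 2 (comparison image). Only the ASCII "<n>C <n>H <n>M <n>L" run is
# matched, so the box-drawing characters in scout output do not matter.
severity_counts() {
  printf '%s\n' "$1" \
    | grep 'vulnerabilities' \
    | grep -o '[0-9][0-9]*C *[0-9][0-9]*H *[0-9][0-9]*M *[0-9][0-9]*L' \
    | sed -n "${2}p" \
    | tr -d 'CHML' \
    | tr -s ' '
}

sum4() { echo $(($1 + $2 + $3 + $4)); }

# removed_count TEXT -> findings present in the comparison image and gone from
# the analyzed one; this is the "N CVEs fixed" number in the PR summary.
removed_count() {
  set -- "$(severity_counts "$1" 1)" "$(severity_counts "$1" 2)"
  echo $(( $(sum4 $2) - $(sum4 $1) ))
}

# gate_no_critical_high TEXT -> 0 only when the analyzed image shows 0C and 0H.
gate_no_critical_high() {
  set -- $(severity_counts "$1" 1)
  if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then return 0; else return 1; fi
}

# unpinned_from DOCKERFILE_TEXT -> prints each FROM line whose image reference
# lacks a 64-hex @sha256 digest and exits 1 if any exist. Stage names
# (FROM x AS name, later FROM name) and scratch cannot be pinned and are skipped.
unpinned_from() {
  printf '%s\n' "$1" | awk '
    toupper($1) == "FROM" && NF >= 4 && toupper($(NF-1)) == "AS" { stages[$NF] = 1 }
    toupper($1) == "FROM" {
      i = 2
      while (i <= NF && $i ~ /^--/) i++      # skip flags such as --platform=...
      ref = $i
      if (ref == "scratch" || (ref in stages)) next
      if (ref !~ /@sha256:[0-9a-f]+$/ || length(ref) - index(ref, "@sha256:") - 7 != 64) {
        print $0; bad = 1
      }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed layouts; the pinned FROM line is the one this PR introduces for cartservice.
DOCKERFILE_PINNED='
FROM mcr.microsoft.com/dotnet/runtime-deps:10.0.0-noble-chiseled@sha256:b857c8cb8d929183cfe4c6dd9994abba92a2639dd2dbaf06005379f815991604 AS base
FROM base
COPY --from=builder /app /app
'
DOCKERFILE_UNPINNED='
FROM golang:1.25.4-alpine AS builder
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /checkoutservice .
FROM scratch
COPY --from=builder /checkoutservice /src/checkoutservice
'

# Stand-alone run: numbers and verdicts for the constructed samples.
echo "removed: $(removed_count "$SAMPLE_SCOUT_OUTPUT")"
gate_no_critical_high "$SAMPLE_SCOUT_OUTPUT" && echo "gate: pass" || echo "gate: FAIL"
unpinned_from "$DOCKERFILE_UNPINNED" || echo "unpinned FROM lines found"
```

For the cartservice row above, `removed_count` gives 6 (4M + 3L before, 1L after), which is the figure in the PR summary. In a real pipeline the text-scraping half can be replaced by `docker scout cves --exit-code --only-severity critical,high <image>`, which fails the job directly; the digest check has no tool equivalent and is worth keeping as a pre-build lint.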

@mathieu-benoit
Contributor Author

Expand the details below to see what was done for the checkoutservice app:

checkoutservice - Golang 1.23 --> 1.25

Golang 1.25 was announced on Aug 12th 2025: https://go.dev/blog/go1.25.

cd src/checkoutservice
go mod edit -go 1.25
go mod edit -toolchain=go1.25.4
go get -t -u ./...
go get -u all
go mod tidy

Container images size locally on disk:

  • checkoutservice:before: 35.5MB
  • checkoutservice:after: 23.2MB (-12.3MB) --> thanks to -ldflags="-s -w"

Fixing:

docker scout compare --to checkoutservice:before checkoutservice:after:

  ## Overview
  
                      │                    Analyzed Image                    │                   Comparison Image                    
  ────────────────────┼──────────────────────────────────────────────────────┼───────────────────────────────────────────────────────
    Target            │  checkoutservice:after                               │  checkoutservice:init                                 
      digest          │  248fafb64df1                                        │  6fdc28ee810e                                         
      tag             │  latest                                              │  latest                                               
      platform        │ linux/amd64                                          │ linux/amd64                                           
      provenance      │ https://github.com/mathieu-benoit/microservices-demo │ https://github.com/mathieu-benoit/microservices-demo  
                      │  f4bf5fa2af7b9ae83772865e0b0ca2efd5fd355f            │  ebbb0ebcfd96a1956aa01e9064d6c83b664f11be             
      vulnerabilities │    0C     0H     0M     0L                           │    1C     5H    14M     0L                            
                      │    -1     -5    -14                                  │                                                       
      size            │ 12 MB (+80 kB)                                       │ 12 MB                                                 
      packages        │ 40 (-2)                                              │ 42                                                    
                      │                                                      │                                                       
  
  ## Environment Variables
  
      GOTRACEBACK=single
      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  
  ## Packages and Vulnerabilities
  
    -    2 packages removed  
    ⎌   26 packages changed (↑ 26 upgraded, ↓ 0 downgraded)  
        11 packages unchanged
  
    - 20 vulnerabilities removed
  
     Package                                                                      Type    Version                            Compared Version                   
  
  ↑  cloud.google.com/go                                                          golang  0.121.2                            0.116.0                            
  ↑  cloud.google.com/go/auth/oauth2adapt                                         golang  0.2.8                              0.2.6                              
  ↑  cloud.google.com/go/compute/metadata                                         golang  0.9.0                              0.6.0                              
     cloud.google.com/go/profiler                                                 golang  0.4.2                              0.4.2                              
     github.com/cenkalti/backoff/v4                                               golang  4.3.0                              4.3.0                              
  ↑  github.com/go-logr/logr                                                      golang  1.4.3                              1.4.2                              
     github.com/go-logr/stdr                                                      golang  1.2.2                              1.2.2                              
  -  github.com/golang/groupcache                                                 golang                                     0.0.0-20210331224755-41bb18bfe9da  
  ↑  github.com/google/pprof                                                      golang  0.0.0-20251114195745-4902fdda35c8  0.0.0-20240903155634-a8630aee4ab9  
  ↑  github.com/google/s2a-go                                                     golang  0.1.9                              0.1.8                              
     github.com/google/uuid                                                       golang  1.6.0                              1.6.0                              
  ↑  github.com/googleapis/enterprise-certificate-proxy                           golang  0.3.7                              0.3.4                              
  ↑  github.com/googleapis/gax-go/v2                                              golang  2.14.2                             2.14.0                             
     github.com/googlecloudplatform/microservices-demo/src/checkoutservice        golang  UNKNOWN                            UNKNOWN                            
  ↑  github.com/grpc-ecosystem/grpc-gateway/v2                                    golang  2.27.1                             2.26.1                             
     github.com/pkg/errors                                                        golang  0.9.1                              0.9.1                              
     github.com/sirupsen/logrus                                                   golang  1.9.3                              1.9.3                              
  -  go.opencensus.io                                                             golang                                     0.24.0                             
     go.opentelemetry.io/auto/sdk                                                 golang  1.1.0                              1.1.0                              
     go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc  golang  0.60.0                             0.60.0                             
  ↑  go.opentelemetry.io/otel                                                     golang  1.38.0                             1.35.0                             
     go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc              golang  1.35.0                             1.35.0                             
  ↑  go.opentelemetry.io/otel/metric                                              golang  1.38.0                             1.35.0                             
     go.opentelemetry.io/otel/sdk                                                 golang  1.35.0                             1.35.0                             
  ↑  go.opentelemetry.io/otel/trace                                               golang  1.38.0                             1.35.0                             
  ↑  go.opentelemetry.io/proto/otlp                                               golang  1.7.0                              1.5.0                              
  ↑  golang.org/x/crypto                                                          golang  0.45.0                             0.36.0                             
     │   +  Dockerfile (33:33)  
     │   +  COPY --from=builder /checkoutservice /src/checkoutservice                                                                                          
     │   -  Dockerfile (33:33)  
     │   -  COPY --from=builder /checkoutservice /src/checkoutservice                                                                                          
     │   
     ├─  -  HIGH         CVE-2025-47913  [https://scout.docker.com/v/CVE-2025-47913]  
     │                   7.5                                                        
     ├─  -  MEDIUM       CVE-2025-58181  [https://scout.docker.com/v/CVE-2025-58181]  
     │                   5.3  Allocation of Resources Without Limits or Throttling  
     └─  -  MEDIUM       CVE-2025-47914  [https://scout.docker.com/v/CVE-2025-47914]  
                         5.3  Out-of-bounds Read                                    
  
  ↑  golang.org/x/net                                                             golang  0.47.0                             0.38.0                             
  ↑  golang.org/x/oauth2                                                          golang  0.33.0                             0.27.0                             
  ↑  golang.org/x/sync                                                            golang  0.18.0                             0.12.0                             
  ↑  golang.org/x/sys                                                             golang  0.38.0                             0.31.0                             
  ↑  golang.org/x/text                                                            golang  0.31.0                             0.23.0                             
  ↑  golang.org/x/time                                                            golang  0.14.0                             0.8.0                              
  ↑  google.golang.org/api                                                        golang  0.236.0                            0.210.0                            
  ↑  google.golang.org/genproto                                                   golang  0.0.0-20250603155806-513f23925822  0.0.0-20241118233622-e639e219e697  
  ↑  google.golang.org/genproto/googleapis/rpc                                    golang  0.0.0-20251124214823-79d6a2a48846  0.0.0-20250218202821-56aae31c358a  
  ↑  google.golang.org/grpc                                                       golang  1.74.0-dev                         1.71.0                             
  ↑  google.golang.org/protobuf                                                   golang  1.36.10                            1.36.6                             
  ↑  stdlib                                                                       golang  1.25.4                             1.23.4                             
     │   +  Dockerfile (33:33)  
     │   +  COPY --from=builder /checkoutservice /src/checkoutservice                                                                                          
     │   -  Dockerfile (33:33)  
     │   -  COPY --from=builder /checkoutservice /src/checkoutservice                                                                                          
     │   
     ├─  -  CRITICAL     CVE-2025-22871  [https://scout.docker.com/v/CVE-2025-22871]                    
     │                   9.1                                                        
     ├─  -  HIGH         CVE-2025-61725  [https://scout.docker.com/v/CVE-2025-61725]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-61723  [https://scout.docker.com/v/CVE-2025-61723]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-58188  [https://scout.docker.com/v/CVE-2025-58188]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-58187  [https://scout.docker.com/v/CVE-2025-58187]                    
     │                   7.5                                                        
     ├─  -  MEDIUM       CVE-2025-4673   [https://scout.docker.com/v/CVE-2025-4673]                     
     │                   6.8                                                        
     ├─  -  MEDIUM       CVE-2025-47906  [https://scout.docker.com/v/CVE-2025-47906]                   
     │                   6.5                                                        
     ├─  -  MEDIUM       CVE-2024-45341  [https://scout.docker.com/v/CVE-2024-45341]   
     │                   6.1                                                        
     ├─  -  MEDIUM       CVE-2024-45336  [https://scout.docker.com/v/CVE-2024-45336]   
     │                   6.1                                                        
     ├─  -  MEDIUM       CVE-2025-0913   [https://scout.docker.com/v/CVE-2025-0913]                     
     │                   5.5                                                        
     ├─  -  MEDIUM       CVE-2025-61724  [https://scout.docker.com/v/CVE-2025-61724]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58189  [https://scout.docker.com/v/CVE-2025-58189]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58186  [https://scout.docker.com/v/CVE-2025-58186]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58185  [https://scout.docker.com/v/CVE-2025-58185]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-47912  [https://scout.docker.com/v/CVE-2025-47912]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58183  [https://scout.docker.com/v/CVE-2025-58183]                    
     │                   4.3                                                        
     └─  -  MEDIUM       CVE-2025-22866  [https://scout.docker.com/v/CVE-2025-22866]   
                         4.0

@mathieu-benoit
Contributor Author

mathieu-benoit commented Nov 30, 2025

Expand the details below to see what was done for the frontend app:

frontend - Golang 1.23 --> 1.25

Golang 1.25 was announced on Aug 12th 2025: https://go.dev/blog/go1.25.

cd src/frontend
go mod edit -go 1.25
go mod edit -toolchain=go1.25.4
go get -t -u ./...
go get -u all
go mod tidy

Container images size locally on disk:

  • frontend:before: 48.2MB
  • frontend:after: 34.2MB (-14MB) --> thanks to -ldflags="-s -w"

Fixing:

docker scout compare --to frontend:before frontend:after:

  ## Overview
  
                      │                    Analyzed Image                    │                   Comparison Image                    
  ────────────────────┼──────────────────────────────────────────────────────┼───────────────────────────────────────────────────────
    Target            │  frontend:after                                      │  frontend:before                                      
      digest          │  dfadcdcbbd2c                                        │  ce0e0ea4a670                                         
      tag             │  latest                                              │  latest                                               
      platform        │ linux/amd64                                          │ linux/amd64                                           
      provenance      │ https://github.com/mathieu-benoit/microservices-demo │ https://github.com/mathieu-benoit/microservices-demo  
                      │  5fd09a2bc3869b680262526a1c3236ffc52fd666            │  a25d4066e5f58f246745fdbb53c97e2dedfae3ff             
      vulnerabilities │    0C     0H     0M     0L                           │    1C     5H    14M     0L                            
                      │    -1     -5    -14                                  │                                                       
      size            │ 11 MB (-6.3 MB)                                      │ 17 MB                                                 
      packages        │ 48 (-2)                                              │ 50                                                    
                      │                                                      │                                                       

  ## Packages and Vulnerabilities
  
    -    2 packages removed  
    ⎌   34 packages changed (↑ 34 upgraded, ↓ 0 downgraded)  
        10 packages unchanged
  
    - 20 vulnerabilities removed
  
     Package                                                          Type    Version                            Compared Version                   
  
  ↑  cloud.google.com/go                                              golang  0.123.0                            0.116.0                            
  ↑  cloud.google.com/go/auth/oauth2adapt                             golang  0.2.8                              0.2.6                              
  ↑  cloud.google.com/go/compute/metadata                             golang  0.9.0                              0.6.0                              
  ↑  cloud.google.com/go/profiler                                     golang  0.4.3                              0.4.2                              
  ↑  github.com/cenkalti/backoff/v5                                   golang  5.0.3                              4.3.0                              
     github.com/felixge/httpsnoop                                     golang  1.0.4                              1.0.4                              
  ↑  github.com/gabriel-vasile/mimetype                               golang  1.4.11                             1.4.8                              
  ↑  github.com/go-logr/logr                                          golang  1.4.3                              1.4.2                              
     github.com/go-logr/stdr                                          golang  1.2.2                              1.2.2                              
     github.com/go-playground/locales                                 golang  0.14.1                             0.14.1                             
     github.com/go-playground/universal-translator                    golang  0.18.1                             0.18.1                             
  ↑  github.com/go-playground/validator/v10                           golang  10.28.0                            10.25.0                            
  -  github.com/golang/groupcache                                     golang                                     0.0.0-20210331224755-41bb18bfe9da  
  ↑  github.com/google/pprof                                          golang  0.0.0-20251114195745-4902fdda35c8  0.0.0-20240903155634-a8630aee4ab9  
  ↑  github.com/google/s2a-go                                         golang  0.1.9                              0.1.8                              
     github.com/google/uuid                                           golang  1.6.0                              1.6.0                              
  ↑  github.com/googleapis/enterprise-certificate-proxy               golang  0.3.7                              0.3.4                              
  ↑  github.com/googleapis/gax-go/v2                                  golang  2.15.0                             2.14.0                             
     github.com/googlecloudplatform/microservices-demo/src/frontend   golang  UNKNOWN                            UNKNOWN                            
     github.com/gorilla/mux                                           golang  1.8.1                              1.8.1                              
  ↑  github.com/grpc-ecosystem/grpc-gateway/v2                        golang  2.27.3                             2.26.1                             
     github.com/leodido/go-urn                                        golang  1.4.0                              1.4.0                              
     github.com/pkg/errors                                            golang  0.9.1                              0.9.1                              
     github.com/sirupsen/logrus                                       golang  1.9.3                              1.9.3                              
  -  go.opencensus.io                                                 golang                                     0.24.0                             
  ↑  go.opentelemetry.io/auto/sdk                                     golang  1.2.1                              1.1.0                              
  ↑  go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp    golang  0.63.0                             0.60.0                             
  ↑  go.opentelemetry.io/otel                                         golang  1.38.0                             1.35.0                             
  ↑  go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc  golang  1.38.0                             1.35.0                             
  ↑  go.opentelemetry.io/otel/metric                                  golang  1.38.0                             1.35.0                             
  ↑  go.opentelemetry.io/otel/sdk                                     golang  1.38.0                             1.35.0                             
  ↑  go.opentelemetry.io/otel/trace                                   golang  1.38.0                             1.35.0                             
  ↑  go.opentelemetry.io/proto/otlp                                   golang  1.9.0                              1.5.0                              
  ↑  golang.org/x/crypto                                              golang  0.45.0                             0.36.0                             
     │   +  Dockerfile (33:33)  
     │   +  COPY ./static ./static                                                                                                                             
     │   -  Dockerfile (33:33)  
     │   -  COPY ./static ./static                                                                                                                             
     │   
     ├─  -  HIGH         CVE-2025-47913  [https://scout.docker.com/v/CVE-2025-47913]  
     │                   7.5                                                        
     ├─  -  MEDIUM       CVE-2025-58181  [https://scout.docker.com/v/CVE-2025-58181]  
     │                   5.3  Allocation of Resources Without Limits or Throttling  
     └─  -  MEDIUM       CVE-2025-47914  [https://scout.docker.com/v/CVE-2025-47914]  
                         5.3  Out-of-bounds Read                                    
  
  ↑  golang.org/x/net                                                 golang  0.47.0                             0.38.0                             
  ↑  golang.org/x/oauth2                                              golang  0.33.0                             0.27.0                             
  ↑  golang.org/x/sync                                                golang  0.18.0                             0.12.0                             
  ↑  golang.org/x/sys                                                 golang  0.38.0                             0.31.0                             
  ↑  golang.org/x/text                                                golang  0.31.0                             0.23.0                             
  ↑  golang.org/x/time                                                golang  0.14.0                             0.8.0                              
  ↑  google.golang.org/api                                            golang  0.256.0                            0.210.0                            
  ↑  google.golang.org/genproto                                       golang  0.0.0-20251124214823-79d6a2a48846  0.0.0-20241118233622-e639e219e697  
  ↑  google.golang.org/genproto/googleapis/rpc                        golang  0.0.0-20251124214823-79d6a2a48846  0.0.0-20250218202821-56aae31c358a  
  ↑  google.golang.org/grpc                                           golang  1.77.0                             1.71.0                             
  ↑  google.golang.org/protobuf                                       golang  1.36.10                            1.36.6                             
  ↑  stdlib                                                           golang  1.25.4                             1.23.4                             
     │   +  Dockerfile (33:33)  
     │   +  COPY ./static ./static                                                                                                                             
     │   -  Dockerfile (33:33)  
     │   -  COPY ./static ./static                                                                                                                             
     │   
     ├─  -  CRITICAL     CVE-2025-22871  [https://scout.docker.com/v/CVE-2025-22871]                    
     │                   9.1                                                        
     ├─  -  HIGH         CVE-2025-61725  [https://scout.docker.com/v/CVE-2025-61725]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-61723  [https://scout.docker.com/v/CVE-2025-61723]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-58188  [https://scout.docker.com/v/CVE-2025-58188]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-58187  [https://scout.docker.com/v/CVE-2025-58187]                    
     │                   7.5                                                        
     ├─  -  MEDIUM       CVE-2025-4673   [https://scout.docker.com/v/CVE-2025-4673]                     
     │                   6.8                                                        
     ├─  -  MEDIUM       CVE-2025-47906  [https://scout.docker.com/v/CVE-2025-47906]                   
     │                   6.5                                                        
     ├─  -  MEDIUM       CVE-2024-45341  [https://scout.docker.com/v/CVE-2024-45341]   
     │                   6.1                                                        
     ├─  -  MEDIUM       CVE-2024-45336  [https://scout.docker.com/v/CVE-2024-45336]   
     │                   6.1                                                        
     ├─  -  MEDIUM       CVE-2025-0913   [https://scout.docker.com/v/CVE-2025-0913]                     
     │                   5.5                                                        
     ├─  -  MEDIUM       CVE-2025-61724  [https://scout.docker.com/v/CVE-2025-61724]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58189  [https://scout.docker.com/v/CVE-2025-58189]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58186  [https://scout.docker.com/v/CVE-2025-58186]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58185  [https://scout.docker.com/v/CVE-2025-58185]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-47912  [https://scout.docker.com/v/CVE-2025-47912]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58183  [https://scout.docker.com/v/CVE-2025-58183]                    
     │                   4.3                                                        
     └─  -  MEDIUM       CVE-2025-22866  [https://scout.docker.com/v/CVE-2025-22866]   
                         4.0

@mathieu-benoit
Contributor Author

Expand the details below to see what was done for the productcatalogservice app:

productcatalogservice - Golang 1.23 --> 1.25

Golang 1.25 was announced on Aug 12th 2025: https://go.dev/blog/go1.25.

cd src/productcatalogservice
go mod edit -go 1.25
go mod edit -toolchain go1.25.4   # the -toolchain value must carry the "go" prefix (go1.25.4), a bare 1.25.4 is rejected by go mod edit
go get -t -u ./...
go get -u all
go mod tidy

Container images size locally on disk:

  • productcatalogservice:before: 51.7MB
  • productcatalogservice:after: 33.9MB (-17.8MB) --> thanks to -ldflags="-s -w"

Fixing:

docker scout compare --to productcatalogservice:before productcatalogservice:after:

  ## Overview
  
                      │                    Analyzed Image                    │                   Comparison Image                    
  ────────────────────┼──────────────────────────────────────────────────────┼───────────────────────────────────────────────────────
    Target            │  productcatalogservice:after                         │  productcatalogservice:init                           
      digest          │  e4df1a558ebd                                        │  068af62e7cb7                                         
      tag             │  latest                                              │  latest                                               
      platform        │ linux/amd64                                          │ linux/amd64                                           
      provenance      │ https://github.com/mathieu-benoit/microservices-demo │ https://github.com/mathieu-benoit/microservices-demo  
                      │  5fd09a2bc3869b680262526a1c3236ffc52fd666            │  a25d4066e5f58f246745fdbb53c97e2dedfae3ff             
      vulnerabilities │    0C     0H     0M     0L                           │    1C     5H    14M     0L                            
                      │    -1     -5    -14                                  │                                                       
      size            │ 8.7 MB (-7.7 MB)                                     │ 16 MB                                                 
      packages        │ 58                                                   │ 58                                                    
                      │                                                      │                                                       
  
  ## Packages and Vulnerabilities
  
    ⎌   40 packages changed (↑ 40 upgraded, ↓ 0 downgraded)  
        12 packages unchanged
  
    - 20 vulnerabilities removed
  
     Package                                                                              Type    Version                            Compared Version                   
  
  ↑  cloud.google.com/go                                                                  golang  0.123.0                            0.118.3                            
  ↑  cloud.google.com/go/alloydb                                                          golang  1.19.0                             1.14.1                             
  ↑  cloud.google.com/go/alloydbconn                                                      golang  1.17.0                             1.15.0                             
  ↑  cloud.google.com/go/auth/oauth2adapt                                                 golang  0.2.8                              0.2.7                              
  ↑  cloud.google.com/go/compute/metadata                                                 golang  0.9.0                              0.6.0                              
  ↑  cloud.google.com/go/iam                                                              golang  1.5.3                              1.4.1                              
  ↑  cloud.google.com/go/longrunning                                                      golang  0.7.0                              0.6.4                              
  ↑  cloud.google.com/go/monitoring                                                       golang  1.24.3                             1.24.0                             
  ↑  cloud.google.com/go/profiler                                                         golang  0.4.3                              0.4.2                              
  ↑  cloud.google.com/go/secretmanager                                                    golang  1.16.0                             1.14.6                             
  ↑  github.com/cenkalti/backoff/v5                                                       golang  5.0.3                              4.3.0                              
     github.com/felixge/httpsnoop                                                         golang  1.0.4                              1.0.4                              
  ↑  github.com/go-logr/logr                                                              golang  1.4.3                              1.4.2                              
     github.com/go-logr/stdr                                                              golang  1.2.2                              1.2.2                              
  ↑  github.com/golang/groupcache                                                         golang  0.0.0-20241129210726-2c02b8208cf8  0.0.0-20210331224755-41bb18bfe9da  
     github.com/golang/protobuf                                                           golang  1.5.4                              1.5.4                              
  ↑  github.com/google/pprof                                                              golang  0.0.0-20251114195745-4902fdda35c8  0.0.0-20240903155634-a8630aee4ab9  
     github.com/google/s2a-go                                                             golang  0.1.9                              0.1.9                              
     github.com/google/uuid                                                               golang  1.6.0                              1.6.0                              
  ↑  github.com/googleapis/enterprise-certificate-proxy                                   golang  0.3.7                              0.3.5                              
  ↑  github.com/googleapis/gax-go/v2                                                      golang  2.15.0                             2.14.1                             
     github.com/googlecloudplatform/microservices-demo/src/productcatalogservice          golang  UNKNOWN                            UNKNOWN                            
  ↑  github.com/googlecloudplatform/opentelemetry-operations-go/internal/resourcemapping  golang  0.54.0                             0.51.0                             
  ↑  github.com/grpc-ecosystem/grpc-gateway/v2                                            golang  2.27.3                             2.26.1                             
     github.com/jackc/pgpassfile                                                          golang  1.0.0                              1.0.0                              
     github.com/jackc/pgservicefile                                                       golang  0.0.0-20240606120523-5a60cdf6a761  0.0.0-20240606120523-5a60cdf6a761  
  ↑  github.com/jackc/pgx/v5                                                              golang  5.7.6                              5.7.4                              
     github.com/jackc/puddle/v2                                                           golang  2.2.2                              2.2.2                              
     github.com/pkg/errors                                                                golang  0.9.1                              0.9.1                              
     github.com/sirupsen/logrus                                                           golang  1.9.3                              1.9.3                              
     go.opencensus.io                                                                     golang  0.24.0                             0.24.0                             
  ↑  go.opentelemetry.io/auto/sdk                                                         golang  1.2.1                              1.1.0                              
  ↑  go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp                        golang  0.63.0                             0.60.0                             
  ↑  go.opentelemetry.io/otel                                                             golang  1.38.0                             1.35.0                             
  ↑  go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc                      golang  1.38.0                             1.35.0                             
  ↑  go.opentelemetry.io/otel/metric                                                      golang  1.38.0                             1.35.0                             
  ↑  go.opentelemetry.io/otel/sdk/metric                                                  golang  1.38.0                             1.35.0                             
  ↑  go.opentelemetry.io/otel/trace                                                       golang  1.38.0                             1.35.0                             
  ↑  go.opentelemetry.io/proto/otlp                                                       golang  1.9.0                              1.5.0                              
  ↑  golang.org/x/crypto                                                                  golang  0.45.0                             0.36.0                             
     │   +  Dockerfile (34:34)  
     │   +  COPY products.json .                                                                                                                               
     │   -  Dockerfile (34:34)  
     │   -  COPY products.json .                                                                                                                               
     │   
     ├─  -  HIGH         CVE-2025-47913  [https://scout.docker.com/v/CVE-2025-47913]  
     │                   7.5                                                        
     ├─  -  MEDIUM       CVE-2025-58181  [https://scout.docker.com/v/CVE-2025-58181]  
     │                   5.3  Allocation of Resources Without Limits or Throttling  
     └─  -  MEDIUM       CVE-2025-47914  [https://scout.docker.com/v/CVE-2025-47914]  
                         5.3  Out-of-bounds Read                                    
  
  ↑  golang.org/x/net                                                                     golang  0.47.0                             0.38.0                             
  ↑  golang.org/x/oauth2                                                                  golang  0.33.0                             0.28.0                             
  ↑  golang.org/x/sync                                                                    golang  0.18.0                             0.12.0                             
  ↑  golang.org/x/sys                                                                     golang  0.38.0                             0.31.0                             
  ↑  golang.org/x/text                                                                    golang  0.31.0                             0.23.0                             
  ↑  golang.org/x/time                                                                    golang  0.14.0                             0.11.0                             
  ↑  google.golang.org/api                                                                golang  0.256.0                            0.224.0                            
  ↑  google.golang.org/genproto                                                           golang  0.0.0-20251124214823-79d6a2a48846  0.0.0-20250303144028-a0af3efb3deb  
  ↑  google.golang.org/genproto/googleapis/rpc                                            golang  0.0.0-20251124214823-79d6a2a48846  0.0.0-20250303144028-a0af3efb3deb  
  ↑  google.golang.org/grpc                                                               golang  1.77.0                             1.71.0                             
  ↑  google.golang.org/protobuf                                                           golang  1.36.10                            1.36.6                             
  ↑  stdlib                                                                               golang  1.25.4                             1.23.4                             
     │   +  Dockerfile (34:34)  
     │   +  COPY products.json .                                                                                                                               
     │   -  Dockerfile (34:34)  
     │   -  COPY products.json .                                                                                                                               
     │   
     ├─  -  CRITICAL     CVE-2025-22871  [https://scout.docker.com/v/CVE-2025-22871]                    
     │                   9.1                                                        
     ├─  -  HIGH         CVE-2025-61725  [https://scout.docker.com/v/CVE-2025-61725]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-61723  [https://scout.docker.com/v/CVE-2025-61723]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-58188  [https://scout.docker.com/v/CVE-2025-58188]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-58187  [https://scout.docker.com/v/CVE-2025-58187]                    
     │                   7.5                                                        
     ├─  -  MEDIUM       CVE-2025-4673   [https://scout.docker.com/v/CVE-2025-4673]                     
     │                   6.8                                                        
     ├─  -  MEDIUM       CVE-2025-47906  [https://scout.docker.com/v/CVE-2025-47906]                   
     │                   6.5                                                        
     ├─  -  MEDIUM       CVE-2024-45341  [https://scout.docker.com/v/CVE-2024-45341]   
     │                   6.1                                                        
     ├─  -  MEDIUM       CVE-2024-45336  [https://scout.docker.com/v/CVE-2024-45336]   
     │                   6.1                                                        
     ├─  -  MEDIUM       CVE-2025-0913   [https://scout.docker.com/v/CVE-2025-0913]                     
     │                   5.5                                                        
     ├─  -  MEDIUM       CVE-2025-61724  [https://scout.docker.com/v/CVE-2025-61724]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58189  [https://scout.docker.com/v/CVE-2025-58189]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58186  [https://scout.docker.com/v/CVE-2025-58186]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58185  [https://scout.docker.com/v/CVE-2025-58185]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-47912  [https://scout.docker.com/v/CVE-2025-47912]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58183  [https://scout.docker.com/v/CVE-2025-58183]                    
     │                   4.3                                                        
     └─  -  MEDIUM       CVE-2025-22866  [https://scout.docker.com/v/CVE-2025-22866]   
                         4.0
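
The scout tables above (this one and the frontend one before it) are read by eye to produce the "20 CVEs fixed" figures. The following Go program is an added example, not code from this PR or from the microservices-demo project: it parses the text layout of `docker scout compare` as quoted in this thread, attributes each CVE row to the package it is nested under, reads the CVSS score from the following line, counts the removed findings per severity and rejects the comparison if any package was downgraded or any CVE was added. The embedded sample is constructed from rows shown on this page; the downgraded github.com/example/dep package is hypothetical and only exercises the failure path. The column layout and box-drawing characters are assumed to be the ones printed here; the CLI's text output is not a stable interface, so a structured output format should be preferred where the installed Scout version offers one.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample in the layout of the `docker scout compare` text output
// quoted in this PR; the downgraded github.com/example/dep row is hypothetical
// and exists only to exercise the failure path the gate must catch.
const sample = `
    ⎌   3 packages changed (↑ 2 upgraded, ↓ 1 downgraded)
  ↑  golang.org/x/crypto     golang  0.45.0   0.36.0
     ├─  -  HIGH         CVE-2025-47913  [https://scout.docker.com/v/CVE-2025-47913]
     │                   7.5
     └─  -  MEDIUM       CVE-2025-58181  [https://scout.docker.com/v/CVE-2025-58181]
                         5.3  Allocation of Resources Without Limits or Throttling
  ↑  stdlib                  golang  1.25.4   1.23.4
     └─  -  CRITICAL     CVE-2025-22871  [https://scout.docker.com/v/CVE-2025-22871]
                         9.1
  ↓  github.com/example/dep  golang  1.0.0    1.2.0
`

type Finding struct { // one CVE row; Change is "-" (removed by the bump) or "+" (added)
	Package, Change, Severity, CVE string
	Score                          float64
}

type Report struct { // the part of the comparison a merge gate needs
	Upgraded, Downgraded int
	DowngradedPkgs       []string
	Findings             []Finding
}

var (
	summaryRE = regexp.MustCompile(`\(↑ (\d+) upgraded, ↓ (\d+) downgraded\)`)
	pkgRE     = regexp.MustCompile(`^\s*([↑↓])\s+(\S+)\s+\S+\s+\S+\s+\S+\s*$`) // arrow name type new old
	vulnRE    = regexp.MustCompile(`[├└]─\s+([-+])\s+(CRITICAL|HIGH|MEDIUM|LOW)\s+(CVE-\d{4}-\d+)`)
	scoreRE   = regexp.MustCompile(`^\s*│?\s*(\d+(?:\.\d+)?)(?:\s|$)`) // CVSS score, printed on the line after the CVE row
)

// ParseCompare walks the output line by line, tracking the current package so
// that the CVE rows nested under it are attributed to the right package.
func ParseCompare(out string) Report {
	r, cur := Report{}, ""
	lines := append(strings.Split(out, "\n"), "") // sentinel so every row has a "next line"
	for i, line := range lines {
		if m := summaryRE.FindStringSubmatch(line); m != nil {
			r.Upgraded, _ = strconv.Atoi(m[1])
			r.Downgraded, _ = strconv.Atoi(m[2])
		} else if m := pkgRE.FindStringSubmatch(line); m != nil {
			cur = m[2]
			if m[1] == "↓" {
				r.DowngradedPkgs = append(r.DowngradedPkgs, cur)
			}
		} else if m := vulnRE.FindStringSubmatch(line); m != nil {
			f := Finding{Package: cur, Change: m[1], Severity: m[2], CVE: m[3]}
			if s := scoreRE.FindStringSubmatch(lines[i+1]); s != nil {
				f.Score, _ = strconv.ParseFloat(s[1], 64)
			}
			r.Findings = append(r.Findings, f)
		}
	}
	return r
}

// RemovedBySeverity gives the "N CVEs fixed" figure per severity.
func RemovedBySeverity(r Report) map[string]int {
	c := map[string]int{}
	for _, f := range r.Findings {
		if f.Change == "-" {
			c[f.Severity]++
		}
	}
	return c
}

// Gate rejects a comparison that downgrades any package or adds any CVE.
func Gate(r Report) error {
	var problems []string
	if r.Downgraded > 0 || len(r.DowngradedPkgs) > 0 {
		problems = append(problems, fmt.Sprintf("%d package(s) downgraded: %s", r.Downgraded, strings.Join(r.DowngradedPkgs, ", ")))
	}
	for _, f := range r.Findings {
		if f.Change == "+" {
			problems = append(problems, fmt.Sprintf("%s adds %s %s (%.1f)", f.Package, f.Severity, f.CVE, f.Score))
		}
	}
	if len(problems) > 0 {
		return fmt.Errorf("scout compare rejected: %s", strings.Join(problems, "; "))
	}
	return nil
}

func main() {
	r := ParseCompare(sample)
	fmt.Println("removed:", RemovedBySeverity(r), "gate:", Gate(r))
}
```

On a real build, capture `docker scout compare --to productcatalogservice:before productcatalogservice:after` to a file, feed its contents to ParseCompare, and fail the CI job when Gate returns a non-nil error; the sample above is rejected because of the hypothetical downgraded package, while the same rows without it pass.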

@mathieu-benoit
Contributor Author

Expand the details below to see what was done for the adservice app:

adservice

No significant changes, it just speeds up build time

Container images size locally on disk:

  • adservice:before: 380MB
  • adservice:after: 381MB (+1MB)

docker scout compare --to adservice:before adservice:after:

  ## Overview
  
                      │                    Analyzed Image                    │                   Comparison Image                    
  ────────────────────┼──────────────────────────────────────────────────────┼───────────────────────────────────────────────────────
    Target            │  adservice:after                                     │  adservice:before                                     
      digest          │  6baa418f936f                                        │  6363a67d0f53                                         
      tag             │  latest                                              │  before                                               
      platform        │ linux/amd64                                          │ linux/amd64                                           
      provenance      │ https://github.com/mathieu-benoit/microservices-demo │ https://github.com/mathieu-benoit/microservices-demo  
                      │  5e90f1aa0bcc8e9e11011ec9af2d282b701fc449            │  5fd09a2bc3869b680262526a1c3236ffc52fd666             
      vulnerabilities │    0C     2H     4M     3L                           │    0C     2H     4M     3L                            
                      │                                                      │                                                       
      size            │ 109 MB (+12 kB)                                      │ 109 MB                                                
      packages        │ 101 (-10)                                            │ 111                                                   
                      │                                                      │                                                       
    Base image        │  eclipse-temurin:25.0.1_8-jre-alpine                 │  eclipse-temurin:25-jre-alpine                        
      tags            │ also known as                                        │ also known as                                         
                      │   • 25-jre-alpine                                    │   • 25-jre-alpine-3.22                                
                      │   • 25-jre-alpine-3.22                               │                                                       
                      │   • 25.0.1_8-jre-alpine-3.22                         │                                                       
      vulnerabilities │    0C     2H     3M     2L                           │    0C     2H     3M     2L                            
  
  ## Packages and Vulnerabilities
  
  
    +    1 packages added  
    -   11 packages removed  
    ⎌    1 packages changed (↑ 1 upgraded, ↓ 0 downgraded)  
        98 packages unchanged
  
     Package                                                          Type     Version                                    Compared Version                           
  
  -  acl                                                              apk                                                 2.3.2-r1                                   
     acl-libs                                                         apk      2.3.2-r1                                   2.3.2-r1                                   
  -  alpine-base                                                      apk                                                 3.22.2-r0                                  
     alpine-baselayout                                                apk      3.7.0-r0                                   3.7.0-r0                                   
     alpine-baselayout-data                                           apk      3.7.0-r0                                   3.7.0-r0                                   
     alpine-keys                                                      apk      2.5-r0                                     2.5-r0                                     
     alpine-release                                                   apk      3.22.2-r0                                  3.22.2-r0                                  
     apk-tools                                                        apk      2.14.9-r3                                  2.14.9-r3                                  
  -  attr                                                             apk                                                 2.5.2-r2                                   
     biz.aQute.bnd/biz.aQute.bnd.annotation                           maven    7.1.0                                      7.1.0                                      
  -  brotli                                                           apk                                                 1.1.0-r2                                   
     brotli-libs                                                      apk      1.1.0-r2                                   1.1.0-r2                                   
     busybox                                                          apk      1.37.0-r19                                 1.37.0-r19                                 
     ├─  -  LOW          CVE-2025-46394  [https://scout.docker.com/v/CVE-2025-46394]  
     │                   3.2    
     └─  -  LOW          CVE-2024-58251  [https://scout.docker.com/v/CVE-2024-58251]  
                         2.5    
  
     busybox-binsh                                                    apk      1.37.0-r19                                 1.37.0-r19                                 
  -  bzip2                                                            apk                                                 1.0.8-r6                                   
     ca-certificates                                                  apk      20250911-r0                                20250911-r0                                
     ca-certificates-bundle                                           apk      20250911-r0                                20250911-r0                                
     com.fasterxml.jackson.core/jackson-annotations                   maven    2.20                                       2.20                                       
     com.fasterxml.jackson.core/jackson-core                          maven    2.20.1                                     2.20.1                                     
     com.fasterxml.jackson.core/jackson-databind                      maven    2.20.1                                     2.20.1                                     
     com.github.spotbugs.annotations/spotbugs-annotations             maven    4.8.6                                      4.8.6                                      
     com.google.android/annotations                                   maven    4.1.1.4                                    4.1.1.4                                    
     com.google.api.grpc/proto-google-common-protos                   maven    2.63.1                                     2.63.1                                     
     com.google.code.findbugs/jsr305                                  maven    3.0.2                                      3.0.2                                      
     com.google.code.gson/gson                                        maven    2.11.0                                     2.11.0                                     
     com.google.errorprone/error_prone_annotations                    maven    2.38.0                                     2.38.0                                     
     com.google.guava/failureaccess                                   maven    1.0.3                                      1.0.3                                      
     com.google.guava/guava                                           maven    33.4.8-jre                                 33.4.8-jre                                 
     com.google.guava/listenablefuture                                maven    9999.0-empty-to-avoid-conflict-with-guava  9999.0-empty-to-avoid-conflict-with-guava  
     com.google.j2objc/j2objc-annotations                             maven    3.0.0                                      3.0.0                                      
     com.google.protobuf.util/protobuf-java-util                      maven    3.25.8                                     3.25.8                                     
     com.google.protobuf/protobuf-java                                maven    4.33.1                                     4.33.1                                     
     coreutils                                                        apk      9.7-r1                                     9.7-r1                                     
     coreutils-env                                                    apk      9.7-r1                                     9.7-r1                                     
     coreutils-fmt                                                    apk      9.7-r1                                     9.7-r1                                     
     coreutils-sha512sum                                              apk      9.7-r1                                     9.7-r1                                     
     encodings                                                        apk      1.0.7-r1                                   1.0.7-r1                                   
  -  expat                                                            apk                                                 2.7.3-r0                                   
     font-dejavu                                                      apk      2.37-r6                                    2.37-r6                                    
     fontconfig                                                       apk      2.15.0-r3                                  2.15.0-r3                                  
     freetype                                                         apk      2.13.3-r0                                  2.13.3-r0                                  
  -  gettext                                                          apk                                                 0.24.1-r0                                  
     grpc-context/grpc-context                                        maven    1.76.0                                     1.76.0                                     
     hipstershop/hipstershop                                          maven    0.1.0-SNAPSHOT                             0.1.0-SNAPSHOT                             
     io.grpc.census/grpc-census                                       maven    1.76.0                                     1.76.0                                     
     io.grpc.internal/grpc-core                                       maven    1.76.0                                     1.76.0                                     
     io.grpc.netty/grpc-netty                                         maven    1.76.0                                     1.76.0                                     
     io.grpc.protobuf.lite/grpc-protobuf-lite                         maven    1.76.0                                     1.76.0                                     
     io.grpc.protobuf/grpc-protobuf                                   maven    1.76.0                                     1.76.0                                     
     io.grpc.services/grpc-services                                   maven    1.76.0                                     1.76.0                                     
     io.grpc.stub/grpc-stub                                           maven    1.76.0                                     1.76.0                                     
     io.grpc.util/grpc-util                                           maven    1.76.0                                     1.76.0                                     
     io.grpc/grpc-api                                                 maven    1.76.0                                     1.76.0                                     
     io.netty/netty-buffer                                            maven    4.1.124.Final                              4.1.124.Final                              
     io.netty/netty-codec                                             maven    4.1.124.Final                              4.1.124.Final                              
     io.netty/netty-codec-http                                        maven    4.1.124.Final                              4.1.124.Final                              
     io.netty/netty-codec-http2                                       maven    4.1.124.Final                              4.1.124.Final                              
     io.netty/netty-codec-socks                                       maven    4.1.124.Final                              4.1.124.Final                              
     io.netty/netty-common                                            maven    4.1.124.Final                              4.1.124.Final                              
     io.netty/netty-handler                                           maven    4.1.124.Final                              4.1.124.Final                              
     io.netty/netty-handler-proxy                                     maven    4.1.124.Final                              4.1.124.Final                              
     io.netty/netty-resolver                                          maven    4.1.124.Final                              4.1.124.Final                              
     io.netty/netty-tcnative-boringssl-static                         maven    2.0.74.Final                               2.0.74.Final                               
     io.netty/netty-tcnative-classes                                  maven    2.0.74.Final                               2.0.74.Final                               
     io.netty/netty-transport                                         maven    4.1.124.Final                              4.1.124.Final                              
     io.netty/netty-transport-native-unix-common                      maven    4.1.124.Final                              4.1.124.Final                              
     io.perfmark/perfmark-api                                         maven    0.27.0                                     0.27.0                                     
     javax.annotation/javax.annotation-api                            maven    1.3.2                                      1.3.2                                      
  ↑  jrt-fs/jrt-fs                                                    maven    25.0.1                                     25                                         
     libapk2                                                          apk      2.14.9-r3                                  2.14.9-r3                                  
     libattr                                                          apk      2.5.2-r2                                   2.5.2-r2                                   
     libbz2                                                           apk      1.0.8-r6                                   1.0.8-r6                                   
     libcrypto3                                                       apk      3.5.4-r0                                   3.5.4-r0                                   
     libexpat                                                         apk      2.7.3-r0                                   2.7.3-r0                                   
     libffi                                                           apk      3.4.8-r0                                   3.4.8-r0                                   
     libfontenc                                                       apk      1.1.8-r0                                   1.1.8-r0                                   
     libintl                                                          apk      0.24.1-r0                                  0.24.1-r0                                  
     libpng                                                           apk      1.6.47-r0                                  1.6.47-r0                                  
     libssl3                                                          apk      3.5.4-r0                                   3.5.4-r0                                   
     libtasn1                                                         apk      4.20.0-r0                                  4.20.0-r0                                  
     mkfontscale                                                      apk      1.2.3-r1                                   1.2.3-r1                                   
     musl                                                             apk      1.2.5-r10                                  1.2.5-r10                                  
     musl-locales                                                     apk      0.1.0-r1                                   0.1.0-r1                                   
     musl-locales-lang                                                apk      0.1.0-r1                                   0.1.0-r1                                   
     musl-utils                                                       apk      1.2.5-r10                                  1.2.5-r10                                  
     opencensus-api/opencensus-api                                    maven    0.31.1                                     0.31.1                                     
     opencensus-contrib-grpc-metrics/opencensus-contrib-grpc-metrics  maven    0.31.1                                     0.31.1                                     
  +  openjdk                                                          generic  25.0.1+8-LTS                                                                          
  -  openjdk                                                          generic                                             25+36-LTS                                  
     openssl                                                          apk      3.5.4-r0                                   3.5.4-r0                                   
     org.apache.logging.log4j/log4j-api                               maven    2.25.2                                     2.25.2                                     
     org.apache.logging.log4j/log4j-core                              maven    2.25.2                                     2.25.2                                     
     org.codehaus.mojo/animal-sniffer-annotations                     maven    1.24                                       1.24                                       
     org.gradle.wrapper.GradleWrapperMain/gradle-wrapper              maven    UNKNOWN                                    UNKNOWN                                    
     org.jctools/jctools-core                                         maven    4.0.5                                      4.0.5                                      
     org.jspecify.jspecify/jspecify                                   maven    1.0.0                                      1.0.0                                      
     org.osgi.resource/resource                                       maven    1.0.0                                      1.0.0                                      
     org.osgi.service.serviceloader/serviceloader                     maven    1.0.0                                      1.0.0                                      
     org.osgi/org.osgi.annotation.bundle                              maven    2.0.0                                      2.0.0                                      
     org.osgi/org.osgi.annotation.versioning                          maven    1.1.2                                      1.1.2                                      
     p11-kit                                                          apk      0.25.5-r2                                  0.25.5-r2                                  
     p11-kit-trust                                                    apk      0.25.5-r2                                  0.25.5-r2                                  
  -  pax-utils                                                        apk                                                 1.3.8-r1                                   
     scanelf                                                          apk      1.3.8-r1                                   1.3.8-r1                                   
  -  skalibs                                                          apk                                                 2.14.4.0-r0                                
     skalibs-libs                                                     apk      2.14.4.0-r0                                2.14.4.0-r0                                
     ssl_client                                                       apk      1.37.0-r19                                 1.37.0-r19                                 
     ├─  +  LOW          CVE-2025-46394  [https://scout.docker.com/v/CVE-2025-46394]  
     │                   3.2    
     │                   ✓ fixed in  1.37.0-r20   
     └─  +  LOW          CVE-2024-58251  [https://scout.docker.com/v/CVE-2024-58251]  
                         2.5    
                         ✓ fixed in  1.37.0-r20   
  
     tzdata                                                           apk      2025b-r0                                   2025b-r0                                   
  -  utmps                                                            apk                                                 0.1.3.1-r0                                 
     utmps-libs                                                       apk      0.1.3.1-r0                                 0.1.3.1-r0                                 
     zlib                                                             apk      1.3.1-r2                                   1.3.1-r2

mathieu-benoit commented Nov 30, 2025

Expand the details below to see what was done for the shippingservice app:

shippingservice - Golang 1.23 --> 1.25

Golang 1.25 was announced on Aug 12th 2025: https://go.dev/blog/go1.25.

cd src/shippingservice
go mod edit -go 1.25
go mod edit --toolchain 1.25.4
go get -t -u ./...
go get -u all
go mod tidy

Container images size locally on disk:

  • shippingservice:before: 34.1MB
  • shippingservice:after: 22.4MB (-11.7MB) --> thanks to -ldflags="-s -w"

Fixing:

docker scout compare --to shippingservice:before shippingservice:after:

  ## Overview
  
                      │                    Analyzed Image                    │                   Comparison Image                    
  ────────────────────┼──────────────────────────────────────────────────────┼───────────────────────────────────────────────────────
    Target            │  shippingservice:after                               │  shippingservice:init                                 
      digest          │  67e45f16fddf                                        │  d2f2f066d94f                                         
      tag             │  latest                                              │  latest                                               
      platform        │ linux/amd64                                          │ linux/amd64                                           
      provenance      │ https://github.com/mathieu-benoit/microservices-demo │ https://github.com/mathieu-benoit/microservices-demo  
                      │  5fd09a2bc3869b680262526a1c3236ffc52fd666            │  a25d4066e5f58f246745fdbb53c97e2dedfae3ff             
      vulnerabilities │    0C     0H     0M     0L                           │    1C     5H    14M     0L                            
                      │    -1     -5    -14                                  │                                                       
      size            │ 6.2 MB (-5.3 MB)                                     │ 12 MB                                                 
      packages        │ 32 (-2)                                              │ 34                                                    
                      │                                                      │                                                       
  
  ## Packages and Vulnerabilities
  
    -    2 packages removed  
    ⎌   27 packages changed (↑ 27 upgraded, ↓ 0 downgraded)  
         3 packages unchanged
  
    - 20 vulnerabilities removed
  
     Package                                                                      Type    Version                            Compared Version                   
  
  ↑  cloud.google.com/go                                                          golang  0.123.0                            0.116.0                            
  ↑  cloud.google.com/go/auth/oauth2adapt                                         golang  0.2.8                              0.2.6                              
  ↑  cloud.google.com/go/compute/metadata                                         golang  0.9.0                              0.6.0                              
  ↑  cloud.google.com/go/profiler                                                 golang  0.4.3                              0.4.2                              
  ↑  github.com/go-logr/logr                                                      golang  1.4.3                              1.4.2                              
     github.com/go-logr/stdr                                                      golang  1.2.2                              1.2.2                              
  -  github.com/golang/groupcache                                                 golang                                     0.0.0-20210331224755-41bb18bfe9da  
  ↑  github.com/google/pprof                                                      golang  0.0.0-20251114195745-4902fdda35c8  0.0.0-20240903155634-a8630aee4ab9  
  ↑  github.com/google/s2a-go                                                     golang  0.1.9                              0.1.8                              
  ↑  github.com/googleapis/enterprise-certificate-proxy                           golang  0.3.7                              0.3.4                              
  ↑  github.com/googleapis/gax-go/v2                                              golang  2.15.0                             2.14.0                             
     github.com/googlecloudplatform/microservices-demo/src/shippingservice        golang  UNKNOWN                            UNKNOWN                            
     github.com/sirupsen/logrus                                                   golang  1.9.3                              1.9.3                              
  -  go.opencensus.io                                                             golang                                     0.24.0                             
  ↑  go.opentelemetry.io/auto/sdk                                                 golang  1.2.1                              1.1.0                              
  ↑  go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc  golang  0.63.0                             0.54.0                             
  ↑  go.opentelemetry.io/otel                                                     golang  1.38.0                             1.34.0                             
  ↑  go.opentelemetry.io/otel/metric                                              golang  1.38.0                             1.34.0                             
  ↑  go.opentelemetry.io/otel/trace                                               golang  1.38.0                             1.34.0                             
  ↑  golang.org/x/crypto                                                          golang  0.45.0                             0.36.0                             
     │   +  Dockerfile (32:32)  
     │   +  COPY --from=builder /go/bin/shippingservice /src/shippingservice                                                                                   
     │   -  Dockerfile (32:32)  
     │   -  COPY --from=builder /go/bin/shippingservice /src/shippingservice                                                                                   
     │   
     ├─  -  HIGH         CVE-2025-47913  [https://scout.docker.com/v/CVE-2025-47913]  
     │                   7.5                                                        
     ├─  -  MEDIUM       CVE-2025-58181  [https://scout.docker.com/v/CVE-2025-58181]  
     │                   5.3  Allocation of Resources Without Limits or Throttling  
     └─  -  MEDIUM       CVE-2025-47914  [https://scout.docker.com/v/CVE-2025-47914]  
                         5.3  Out-of-bounds Read                                    
  
  ↑  golang.org/x/net                                                             golang  0.47.0                             0.38.0                             
  ↑  golang.org/x/oauth2                                                          golang  0.33.0                             0.27.0                             
  ↑  golang.org/x/sync                                                            golang  0.18.0                             0.12.0                             
  ↑  golang.org/x/sys                                                             golang  0.38.0                             0.31.0                             
  ↑  golang.org/x/text                                                            golang  0.31.0                             0.23.0                             
  ↑  golang.org/x/time                                                            golang  0.14.0                             0.8.0                              
  ↑  google.golang.org/api                                                        golang  0.256.0                            0.210.0                            
  ↑  google.golang.org/genproto                                                   golang  0.0.0-20251124214823-79d6a2a48846  0.0.0-20241118233622-e639e219e697  
  ↑  google.golang.org/genproto/googleapis/rpc                                    golang  0.0.0-20251124214823-79d6a2a48846  0.0.0-20250115164207-1a7da9e5054f  
  ↑  google.golang.org/grpc                                                       golang  1.77.0                             1.71.0                             
  ↑  google.golang.org/protobuf                                                   golang  1.36.10                            1.36.6                             
  ↑  stdlib                                                                       golang  1.25.4                             1.23.4                             
     │   +  Dockerfile (32:32)  
     │   +  COPY --from=builder /go/bin/shippingservice /src/shippingservice                                                                                   
     │   -  Dockerfile (32:32)  
     │   -  COPY --from=builder /go/bin/shippingservice /src/shippingservice                                                                                   
     │   
     ├─  -  CRITICAL     CVE-2025-22871  [https://scout.docker.com/v/CVE-2025-22871]                    
     │                   9.1                                                        
     ├─  -  HIGH         CVE-2025-61725  [https://scout.docker.com/v/CVE-2025-61725]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-61723  [https://scout.docker.com/v/CVE-2025-61723]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-58188  [https://scout.docker.com/v/CVE-2025-58188]                    
     │                   7.5                                                        
     ├─  -  HIGH         CVE-2025-58187  [https://scout.docker.com/v/CVE-2025-58187]                    
     │                   7.5                                                        
     ├─  -  MEDIUM       CVE-2025-4673   [https://scout.docker.com/v/CVE-2025-4673]                     
     │                   6.8                                                        
     ├─  -  MEDIUM       CVE-2025-47906  [https://scout.docker.com/v/CVE-2025-47906]                   
     │                   6.5                                                        
     ├─  -  MEDIUM       CVE-2024-45341  [https://scout.docker.com/v/CVE-2024-45341]   
     │                   6.1                                                        
     ├─  -  MEDIUM       CVE-2024-45336  [https://scout.docker.com/v/CVE-2024-45336]   
     │                   6.1                                                        
     ├─  -  MEDIUM       CVE-2025-0913   [https://scout.docker.com/v/CVE-2025-0913]                     
     │                   5.5                                                        
     ├─  -  MEDIUM       CVE-2025-61724  [https://scout.docker.com/v/CVE-2025-61724]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58189  [https://scout.docker.com/v/CVE-2025-58189]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58186  [https://scout.docker.com/v/CVE-2025-58186]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58185  [https://scout.docker.com/v/CVE-2025-58185]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-47912  [https://scout.docker.com/v/CVE-2025-47912]                    
     │                   5.3                                                        
     ├─  -  MEDIUM       CVE-2025-58183  [https://scout.docker.com/v/CVE-2025-58183]                    
     │                   4.3                                                        
     └─  -  MEDIUM       CVE-2025-22866  [https://scout.docker.com/v/CVE-2025-22866]   
                         4.0
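
A check that can be wired into CI for the practice this PR applies across the services (the shippingservice builder stage above, and the digest-pinned `FROM python:3.12.12-alpine@sha256:...` lines visible in the recommendationservice output). This is an added example for the thread, not code from the PR or from the microservices-demo project. It parses `FROM` instructions in the form these Dockerfiles use (optional `--platform`, `image:tag@sha256:...`, `AS` alias) and reports base images that are not pinned by digest or that use an obviously floating tag. `SAMPLE_DOCKERFILE`, `FLOATING_TAGS` and the function names are assumptions of the example; only its first `FROM` line is copied from the PR's recommendationservice Dockerfile.

```python
"""Gate: every base image in a Dockerfile must be pinned to a digest.

Added example for this PR thread; not code from the microservices-demo
project. SAMPLE_DOCKERFILE is constructed for the example (its first
FROM line is the one the PR uses for recommendationservice).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# FROM [--platform=<p>] <reference> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=(?P<platform>\S+)\s+)?(?P<ref>\S+)"
    r"(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Tags that never identify one build and silently drift between pulls.
FLOATING_TAGS = {"latest", "stable", "edge", "alpine", "slim"}


@dataclass
class BaseImage:
    line: int
    image: str
    tag: Optional[str]
    digest: Optional[str]
    stage: Optional[str]
    platform: Optional[str]


def split_reference(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'registry/name:tag@sha256:...' into (name, tag, digest).

    The tag separator is the last ':' after the last '/', so a registry
    port such as localhost:5000/app is not mistaken for a tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def parse_from_lines(dockerfile: str) -> List[BaseImage]:
    bases: List[BaseImage] = []
    for n, raw in enumerate(dockerfile.splitlines(), start=1):
        m = FROM_RE.match(raw)
        if not m:
            continue
        name, tag, digest = split_reference(m["ref"])
        bases.append(BaseImage(n, name, tag, digest, m["stage"], m["platform"]))
    return bases


def check_pinning(dockerfile: str) -> List[str]:
    """Return one finding per base image that is unpinned or floating."""
    findings: List[str] = []
    stages_so_far: Set[str] = set()
    for b in parse_from_lines(dockerfile):
        where = f"line {b.line} ({b.stage or b.image})"
        # 'FROM <earlier stage>' and 'FROM scratch' pull nothing from a registry.
        refers_to_stage = b.image in stages_so_far and not b.tag and not b.digest
        if b.image != "scratch" and not refers_to_stage:
            if b.digest is None:
                findings.append(f"{where}: {b.image} is not pinned by digest")
            elif not DIGEST_RE.match(b.digest):
                findings.append(f"{where}: malformed digest {b.digest}")
            # A missing tag means an implicit 'latest'.
            if (b.tag or "latest") in FLOATING_TAGS:
                findings.append(f"{where}: floating tag '{b.tag or 'latest'}' will drift")
        if b.stage:
            stages_so_far.add(b.stage)
    return findings


# Constructed sample: one pinned stage, a stage reference, an unpinned
# minor-version tag, scratch, and a 'latest' tag.
SAMPLE_DOCKERFILE = """\
FROM --platform=$BUILDPLATFORM python:3.12.12-alpine@sha256:d82291d418d5c47f267708393e40599ae836f2260b0519dd38670e9d281657f5 AS base
FROM base AS builder
RUN pip install --no-cache-dir -r requirements.txt
FROM python:3.12-alpine
COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
FROM scratch AS empty
FROM gcr.io/distroless/static-debian12:latest
"""

if __name__ == "__main__":
    for finding in check_pinning(SAMPLE_DOCKERFILE) or ["all base images pinned"]:
        print(finding)
```

Run against a repository's Dockerfiles and fail the build on any finding; a digest pin is what makes a later `docker scout compare` between two builds meaningful, since the same tag can resolve to different content on different days. Note that a patch-level tag such as `3.12.12-alpine` without a digest is reported as unpinned but its tag is not flagged as floating; the digest check is the gate, the tag list only catches the obvious cases.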

mathieu-benoit changed the title from "[WIP] Update Dockerfiles" to "[WIP] Bump container base images to fix CVEs" on Dec 1, 2025
mathieu-benoit commented Dec 1, 2025

Expand the details below to see what was done for the recommendationservice app:

recommendationservice - Python 3.12.8 --> 3.12.12

Fixing:

  • -11 CVEs

docker scout compare --to recommendationservice:before recommendationservice:after:

  ## Overview
  
                      │                    Analyzed Image                    │                   Comparison Image                    
  ────────────────────┼──────────────────────────────────────────────────────┼───────────────────────────────────────────────────────
    Target            │  recommendationservice:after                         │  recommendationservice:init                           
      digest          │  82867ae75a9b                                        │  64f5643211d0                                         
      tag             │  latest                                              │  latest                                               
      platform        │ linux/amd64                                          │ linux/amd64                                           
      provenance      │ https://github.com/mathieu-benoit/microservices-demo │ https://github.com/mathieu-benoit/microservices-demo  
                      │  dac743458198c22ced0f6ebb77e1c942d5660724            │  f900e631d1b9000c2e0422f4374d8b0d12e19c40             
      vulnerabilities │    0C     1H     7M     3L                           │    0C     5H    13M     4L                            
                      │           -4     -6     -1                           │                                                       
      size            │ 45 MB (-3.2 MB)                                      │ 48 MB                                                 
      packages        │ 97 (+1)                                              │ 96                                                    
                      │                                                      │                                                       
    Base image        │  python:3.12.12-alpine                               │  python:3.12.8-alpine                                 
      tags            │ also known as                                        │ also known as                                         
                      │   • 3.12-alpine                                      │   • 3.12-alpine                                       
                      │   • 3.12-alpine3.22                                  │   • 3.12-alpine3.21                                   
                      │   • 3.12.12-alpine3.22                               │                                                       
      vulnerabilities │    0C     0H     1M     2L                           │    0C     4H     7M     3L                            
  
  ## Packages and Vulnerabilities
  
    +    1 packages added  
    ⎌   30 packages changed (↑ 30 upgraded, ↓ 0 downgraded)  
        63 packages unchanged
  
    - 11 vulnerabilities removed
  
     Package                                   Type     Version           Compared Version  
  
  ↑  .python-rundeps                           apk      20251009.223815   20250108.182304   
  ↑  alpine-baselayout                         apk      3.7.0-r0          3.6.8-r1          
  ↑  alpine-baselayout-data                    apk      3.7.0-r0          3.6.8-r1          
     alpine-keys                               apk      2.5-r0            2.5-r0            
  ↑  alpine-release                            apk      3.22.2-r0         3.21.2-r0         
  ↑  apk-tools                                 apk      2.14.9-r3         2.14.6-r2         
     autocommand                               pypi     2.2.2             2.2.2             
     backoff                                   pypi     2.2.1             2.2.1             
     backports-tarfile                         pypi     1.2.0             1.2.0             
  ↑  busybox                                   apk      1.37.0-r19        1.37.0-r9         
  ↑  busybox-binsh                             apk      1.37.0-r19        1.37.0-r9         
  ↑  ca-certificates                           apk      20250911-r0       20241121-r1       
  ↑  ca-certificates-bundle                    apk      20250911-r0       20241121-r1       
     cachetools                                pypi     5.3.2             5.3.2             
     certifi                                   pypi     2023.7.22         2023.7.22         
     charset-normalizer                        pypi     3.3.2             3.3.2             
     deprecated                                pypi     1.2.14            1.2.14            
     gdbm                                      apk      1.24-r0           1.24-r0           
     google-api-core                           pypi     2.12.0            2.12.0            
     google-api-python-client                  pypi     2.107.0           2.107.0           
     google-auth                               pypi     2.23.4            2.23.4            
     google-auth-httplib2                      pypi     0.1.1             0.1.1             
     google-cloud-profiler                     pypi     4.1.0             4.1.0             
     googleapis-common-protos                  pypi     1.61.0            1.61.0            
     grpcio                                    pypi     1.59.2            1.59.2            
     grpcio-health-checking                    pypi     1.59.2            1.59.2            
     httplib2                                  pypi     0.22.0            0.22.0            
     idna                                      pypi     3.4               3.4               
     importlib-metadata                        pypi     8.0.0             8.0.0             
     inflect                                   pypi     7.3.1             7.3.1             
     jaraco-collections                        pypi     5.1.0             5.1.0             
     jaraco-context                            pypi     5.3.0             5.3.0             
     jaraco-functools                          pypi     4.0.1             4.0.1             
     jaraco-text                               pypi     3.12.1            3.12.1            
     keyutils-libs                             apk      1.6.3-r4          1.6.3-r4          
     krb5-conf                                 apk      1.0-r2            1.0-r2            
     krb5-libs                                 apk      1.21.3-r0         1.21.3-r0         
  +  libapk2                                   apk      2.14.9-r3                           
     libbz2                                    apk      1.0.8-r6          1.0.8-r6          
  ↑  libcom_err                                apk      1.47.2-r2         1.47.1-r1         
  ↑  libcrypto3                                apk      3.5.4-r0          3.3.2-r4          
  ↑  libffi                                    apk      3.4.8-r0          3.4.6-r0          
  ↑  libgcc                                    apk      14.2.0-r6         14.2.0-r4         
  ↑  libintl                                   apk      0.24.1-r0         0.22.5-r0         
  ↑  libncursesw                               apk      6.5_p20250503-r0  6.5_p20241006-r3  
  ↑  libnsl                                    apk      2.0.1-r1          2.0.1-r0          
  ↑  libpanelw                                 apk      6.5_p20250503-r0  6.5_p20241006-r3  
  ↑  libssl3                                   apk      3.5.4-r0          3.3.2-r4          
     │   +  Dockerfile (15:15)  
     │   +  FROM --platform=$BUILDPLATFORM python:3.12.12-alpine@sha256:d82291d418d5c47f267708393e40599ae836f2260b0519dd38670e9d281657f5 AS base               
     │   -  Dockerfile (15:15)  
     │   -  FROM --platform=$BUILDPLATFORM python:3.12.8-alpine@sha256:54bec49592c8455de8d5983d984efff76b6417a6af9b5dcc8d0237bf6ad3bd20 AS base                
     │   
     ├─  -  HIGH         CVE-2025-9230   [https://scout.docker.com/v/CVE-2025-9230]    
     │                   7.5    
     ├─  -  MEDIUM       CVE-2025-9231   [https://scout.docker.com/v/CVE-2025-9231]    
     │                   6.5    
     ├─  -  MEDIUM       CVE-2024-12797  [https://scout.docker.com/v/CVE-2024-12797]  
     │                   6.3    
     ├─  -  MEDIUM       CVE-2025-9232   [https://scout.docker.com/v/CVE-2025-9232]    
     │                   5.9    
     └─  -  MEDIUM       CVE-2024-13176  [https://scout.docker.com/v/CVE-2024-13176]  
                         4.1    
  
  ↑  libstdc++                                 apk      14.2.0-r6         14.2.0-r4         
     libtirpc                                  apk      1.3.5-r0          1.3.5-r0          
     libtirpc-conf                             apk      1.3.5-r0          1.3.5-r0          
  ↑  libuuid                                   apk      2.41-r9           2.40.2-r4         
     libverto                                  apk      0.3.2-r2          0.3.2-r2          
     more-itertools                            pypi     10.3.0            10.3.0            
  ↑  musl                                      apk      1.2.5-r10         1.2.5-r8          
     │   +  Dockerfile (15:15)  
     │   +  FROM --platform=$BUILDPLATFORM python:3.12.12-alpine@sha256:d82291d418d5c47f267708393e40599ae836f2260b0519dd38670e9d281657f5 AS base               
     │   -  Dockerfile (15:15)  
     │   -  FROM --platform=$BUILDPLATFORM python:3.12.8-alpine@sha256:54bec49592c8455de8d5983d984efff76b6417a6af9b5dcc8d0237bf6ad3bd20 AS base                
     │   
     └─  -  HIGH         CVE-2025-26519  [https://scout.docker.com/v/CVE-2025-26519]     
                         8.1    
  
  ↑  musl-utils                                apk      1.2.5-r10         1.2.5-r8          
     my-test-package                           pypi     1.0               1.0               
  ↑  ncurses-terminfo-base                     apk      6.5_p20250503-r0  6.5_p20241006-r3  
     opentelemetry-api                         pypi     1.20.0            1.20.0            
     opentelemetry-distro                      pypi     0.41b0            0.41b0            
     opentelemetry-exporter-otlp-proto-common  pypi     1.20.0            1.20.0            
     opentelemetry-exporter-otlp-proto-grpc    pypi     1.20.0            1.20.0            
     opentelemetry-instrumentation             pypi     0.41b0            0.41b0            
     opentelemetry-instrumentation-grpc        pypi     0.41b0            0.41b0            
     opentelemetry-proto                       pypi     1.20.0            1.20.0            
     opentelemetry-sdk                         pypi     1.20.0            1.20.0            
     opentelemetry-semantic-conventions        pypi     0.41b0            0.41b0            
     packaging                                 pypi     24.2              24.2              
  ↑  pip                                       pypi     25.0.1            24.3.1            
     platformdirs                              pypi     4.2.2             4.2.2             
     protobuf                                  pypi     4.25.0            4.25.0            
     pyasn1                                    pypi     0.5.0             0.5.0             
     pyasn1-modules                            pypi     0.3.0             0.3.0             
     pyparsing                                 pypi     3.1.1             3.1.1             
  ↑  python                                    generic  3.12.12           3.12.8            
     python-json-logger                        pypi     2.0.7             2.0.7             
  ↑  readline                                  apk      8.2.13-r1         8.2.13-r0         
     requests                                  pypi     2.31.0            2.31.0            
     rsa                                       pypi     4.9               4.9               
     scanelf                                   apk      1.3.8-r1          1.3.8-r1          
     setuptools                                pypi     80.9.0            80.9.0            
  ↑  sqlite-libs                               apk      3.49.2-r1         3.47.1-r0         
     │   +  Dockerfile (15:15)  
     │   +  FROM --platform=$BUILDPLATFORM python:3.12.12-alpine@sha256:d82291d418d5c47f267708393e40599ae836f2260b0519dd38670e9d281657f5 AS base               
     │   -  Dockerfile (15:15)  
     │   -  FROM --platform=$BUILDPLATFORM python:3.12.8-alpine@sha256:54bec49592c8455de8d5983d984efff76b6417a6af9b5dcc8d0237bf6ad3bd20 AS base                
     │   
     ├─  -  HIGH         CVE-2025-6965   [https://scout.docker.com/v/CVE-2025-6965]    
     │                   7.2    
     ├─  -  MEDIUM       CVE-2025-3277   [https://scout.docker.com/v/CVE-2025-3277]    
     │                   6.9    
     ├─  -  MEDIUM       CVE-2025-29088  [https://scout.docker.com/v/CVE-2025-29088]  
     │                   5.6    
     └─  -  LOW          CVE-2025-29087  [https://scout.docker.com/v/CVE-2025-29087]  
                         3.2    
  
  ↑  ssl_client                                apk      1.37.0-r19        1.37.0-r9         
     tomli                                     pypi     2.0.1             2.0.1             
     typeguard                                 pypi     4.3.0             4.3.0             
     typing-extensions                         pypi     4.8.0             4.8.0             
  ↑  tzdata                                    apk      2025b-r0          2024b-r1          
     uritemplate                               pypi     4.1.1             4.1.1             
     urllib3                                   pypi     2.0.7             2.0.7             
     wheel                                     pypi     0.45.1            0.45.1            
     wrapt                                     pypi     1.16.0            1.16.0            
  ↑  xz-libs                                   apk      5.8.1-r0          5.6.3-r0          
     │   +  Dockerfile (15:15)  
     │   +  FROM --platform=$BUILDPLATFORM python:3.12.12-alpine@sha256:d82291d418d5c47f267708393e40599ae836f2260b0519dd38670e9d281657f5 AS base               
     │   -  Dockerfile (15:15)  
     │   -  FROM --platform=$BUILDPLATFORM python:3.12.8-alpine@sha256:54bec49592c8455de8d5983d984efff76b6417a6af9b5dcc8d0237bf6ad3bd20 AS base                
     │   
     └─  -  HIGH         CVE-2025-31115  [https://scout.docker.com/v/CVE-2025-31115]       
                         8.7    
  
     zipp                                      pypi     3.19.2            3.19.2            
     zlib                                      apk      1.3.1-r2          1.3.1-r2

@mathieu-benoit
Contributor Author

Details below to expand to see what was done related to the loadgenerator app:

loadgenerator - Python 3.12.8 --> 3.12.12

Fixing:

  • -11 CVEs

docker scout compare --to loadgenerator:before loadgenerator:after:

  ## Overview
  
                      │                    Analyzed Image                    │                   Comparison Image                    
  ────────────────────┼──────────────────────────────────────────────────────┼───────────────────────────────────────────────────────
    Target            │  loadgenerator:after                                 │  loadgenerator:init                                   
      digest          │  db7c4e04b60f                                        │  f7d7f7b37b1e                                         
      tag             │  latest                                              │  latest                                               
      platform        │ linux/amd64                                          │ linux/amd64                                           
      provenance      │ https://github.com/mathieu-benoit/microservices-demo │ https://github.com/mathieu-benoit/microservices-demo  
                      │  144abdd354b329f5f1295ccd00e9c4f04aab00f7            │  dac743458198c22ced0f6ebb77e1c942d5660724             
      vulnerabilities │    0C     0H     2M     2L                           │    0C     4H     8M     3L                            
                      │           -4     -6     -1                           │                                                       
      size            │ 46 MB (+238 kB)                                      │ 45 MB                                                 
      packages        │ 105 (+1)                                             │ 104                                                   
                      │                                                      │                                                       
    Base image        │  python:3.12.12-alpine                               │  python:3.12.8-alpine                                 
      tags            │ also known as                                        │ also known as                                         
                      │   • 3.12-alpine                                      │   • 3.12-alpine                                       
                      │   • 3.12-alpine3.22                                  │   • 3.12-alpine3.21                                   
                      │   • 3.12.12-alpine3.22                               │                                                       
      vulnerabilities │    0C     0H     1M     2L                           │    0C     4H     7M     3L                            

  ## Packages and Vulnerabilities

    +    1 packages added  
    ⎌   28 packages changed (↑ 28 upgraded, ↓ 0 downgraded)  
        70 packages unchanged

    - 11 vulnerabilities removed

     Package                 Type     Version           Compared Version  
  
  ↑  .python-rundeps         apk      20251009.223815   20250108.182304   
  ↑  alpine-baselayout       apk      3.7.0-r0          3.6.8-r1          
  ↑  alpine-baselayout-data  apk      3.7.0-r0          3.6.8-r1          
     alpine-keys             apk      2.5-r0            2.5-r0            
  ↑  alpine-release          apk      3.22.2-r0         3.21.2-r0         
  ↑  apk-tools               apk      2.14.9-r3         2.14.6-r2         
     autocommand             pypi     2.2.2             2.2.2             
     backports-tarfile       pypi     1.2.0             1.2.0             
     bidict                  pypi     0.23.1            0.23.1            
     blinker                 pypi     1.9.0             1.9.0             
     brotli                  pypi     1.2.0             1.2.0             
  ↑  busybox                 apk      1.37.0-r19        1.37.0-r9         
  ↑  busybox-binsh           apk      1.37.0-r19        1.37.0-r9         
  ↑  ca-certificates         apk      20250911-r0       20241121-r1       
  ↑  ca-certificates-bundle  apk      20250911-r0       20241121-r1       
     certifi                 pypi     2025.8.3          2025.8.3          
     charset-normalizer      pypi     3.4.3             3.4.3             
     click                   pypi     8.3.0             8.3.0             
     configargparse          pypi     1.7.1             1.7.1             
     faker                   pypi     37.7.0            37.7.0            
     flask                   pypi     3.1.2             3.1.2             
     flask-cors              pypi     6.0.1             6.0.1             
     flask-login             pypi     0.6.3             0.6.3             
     gdbm                    apk      1.24-r0           1.24-r0           
     gevent                  pypi     25.5.1            25.5.1            
     geventhttpclient        pypi     2.3.4             2.3.4             
     greenlet                pypi     3.2.4             3.2.4             
     h11                     pypi     0.16.0            0.16.0            
     idna                    pypi     3.10              3.10              
     importlib-metadata      pypi     8.0.0             8.0.0             
     inflect                 pypi     7.3.1             7.3.1             
     iniconfig               pypi     2.1.0             2.1.0             
     itsdangerous            pypi     2.2.0             2.2.0             
     jaraco-collections      pypi     5.1.0             5.1.0             
     jaraco-context          pypi     5.3.0             5.3.0             
     jaraco-functools        pypi     4.0.1             4.0.1             
     jaraco-text             pypi     3.12.1            3.12.1            
     jinja2                  pypi     3.1.6             3.1.6             
     keyutils-libs           apk      1.6.3-r4          1.6.3-r4          
     krb5-conf               apk      1.0-r2            1.0-r2            
     krb5-libs               apk      1.21.3-r0         1.21.3-r0         
  +  libapk2                 apk      2.14.9-r3                           
     libbz2                  apk      1.0.8-r6          1.0.8-r6          
  ↑  libcom_err              apk      1.47.2-r2         1.47.1-r1         
  ↑  libcrypto3              apk      3.5.4-r0          3.3.2-r4          
  ↑  libffi                  apk      3.4.8-r0          3.4.6-r0          
     libgcc                  apk      14.2.0-r6         14.2.0-r6         
  ↑  libintl                 apk      0.24.1-r0         0.22.5-r0         
  ↑  libncursesw             apk      6.5_p20250503-r0  6.5_p20241006-r3  
  ↑  libnsl                  apk      2.0.1-r1          2.0.1-r0          
  ↑  libpanelw               apk      6.5_p20250503-r0  6.5_p20241006-r3  
  ↑  libssl3                 apk      3.5.4-r0          3.3.2-r4          
     │   +  Dockerfile (15:15)  
     │   +  FROM --platform=$BUILDPLATFORM python:3.12.12-alpine@sha256:d82291d418d5c47f267708393e40599ae836f2260b0519dd38670e9d281657f5 AS base               
     │   -  Dockerfile (15:15)  
     │   -  FROM --platform=$BUILDPLATFORM python:3.12.8-alpine@sha256:54bec49592c8455de8d5983d984efff76b6417a6af9b5dcc8d0237bf6ad3bd20 AS base                
     │   
     ├─  -  HIGH         CVE-2025-9230   [https://scout.docker.com/v/CVE-2025-9230]    
     │                   7.5    
     ├─  -  MEDIUM       CVE-2025-9231   [https://scout.docker.com/v/CVE-2025-9231]    
     │                   6.5    
     ├─  -  MEDIUM       CVE-2024-12797  [https://scout.docker.com/v/CVE-2024-12797]  
     │                   6.3    
     ├─  -  MEDIUM       CVE-2025-9232   [https://scout.docker.com/v/CVE-2025-9232]    
     │                   5.9    
     └─  -  MEDIUM       CVE-2024-13176  [https://scout.docker.com/v/CVE-2024-13176]  
                         4.1    
  
     libstdc++               apk      14.2.0-r6         14.2.0-r6         
     libtirpc                apk      1.3.5-r0          1.3.5-r0          
     libtirpc-conf           apk      1.3.5-r0          1.3.5-r0          
  ↑  libuuid                 apk      2.41-r9           2.40.2-r4         
     libverto                apk      0.3.2-r2          0.3.2-r2          
     locust                  pypi     2.40.4            2.40.4            
     locust-cloud            pypi     1.27.0            1.27.0            
     markupsafe              pypi     3.0.2             3.0.2             
     more-itertools          pypi     10.3.0            10.3.0            
     msgpack                 pypi     1.1.1             1.1.1             
  ↑  musl                    apk      1.2.5-r10         1.2.5-r8          
     │   +  Dockerfile (15:15)  
     │   +  FROM --platform=$BUILDPLATFORM python:3.12.12-alpine@sha256:d82291d418d5c47f267708393e40599ae836f2260b0519dd38670e9d281657f5 AS base               
     │   -  Dockerfile (15:15)  
     │   -  FROM --platform=$BUILDPLATFORM python:3.12.8-alpine@sha256:54bec49592c8455de8d5983d984efff76b6417a6af9b5dcc8d0237bf6ad3bd20 AS base                
     │   
     └─  -  HIGH         CVE-2025-26519  [https://scout.docker.com/v/CVE-2025-26519]     
                         8.1    
  
  ↑  musl-utils              apk      1.2.5-r10         1.2.5-r8          
     my-test-package         pypi     1.0               1.0               
  ↑  ncurses-terminfo-base   apk      6.5_p20250503-r0  6.5_p20241006-r3  
     packaging               pypi     25.0              25.0              
  ↑  pip                     pypi     25.0.1            24.3.1            
     platformdirs            pypi     4.4.0             4.4.0             
     pluggy                  pypi     1.6.0             1.6.0             
     psutil                  pypi     7.1.0             7.1.0             
     pygments                pypi     2.19.2            2.19.2            
     pytest                  pypi     8.4.2             8.4.2             
  ↑  python                  generic  3.12.12           3.12.8            
     python-engineio         pypi     4.12.2            4.12.2            
     python-socketio         pypi     5.13.0            5.13.0            
     pyzmq                   pypi     27.1.0            27.1.0            
  ↑  readline                apk      8.2.13-r1         8.2.13-r0         
     requests                pypi     2.32.5            2.32.5            
     scanelf                 apk      1.3.8-r1          1.3.8-r1          
     setuptools              pypi     80.9.0            80.9.0            
     simple-websocket        pypi     1.1.0             1.1.0             
  ↑  sqlite-libs             apk      3.49.2-r1         3.47.1-r0         
     │   +  Dockerfile (15:15)  
     │   +  FROM --platform=$BUILDPLATFORM python:3.12.12-alpine@sha256:d82291d418d5c47f267708393e40599ae836f2260b0519dd38670e9d281657f5 AS base               
     │   -  Dockerfile (15:15)  
     │   -  FROM --platform=$BUILDPLATFORM python:3.12.8-alpine@sha256:54bec49592c8455de8d5983d984efff76b6417a6af9b5dcc8d0237bf6ad3bd20 AS base                
     │   
     ├─  -  HIGH         CVE-2025-6965   [https://scout.docker.com/v/CVE-2025-6965]    
     │                   7.2    
     ├─  -  MEDIUM       CVE-2025-3277   [https://scout.docker.com/v/CVE-2025-3277]    
     │                   6.9    
     ├─  -  MEDIUM       CVE-2025-29088  [https://scout.docker.com/v/CVE-2025-29088]  
     │                   5.6    
     └─  -  LOW          CVE-2025-29087  [https://scout.docker.com/v/CVE-2025-29087]  
                         3.2    
  
  ↑  ssl_client              apk      1.37.0-r19        1.37.0-r9         
     tomli                   pypi     2.0.1             2.0.1             
     typeguard               pypi     4.3.0             4.3.0             
     typing-extensions       pypi     4.15.0            4.15.0            
     tzdata                  pypi     2025.2            2025.2            
  ↑  tzdata                  apk      2025b-r0          2024b-r1          
     urllib3                 pypi     2.5.0             2.5.0             
     websocket-client        pypi     1.8.0             1.8.0             
     werkzeug                pypi     3.1.3             3.1.3             
     wheel                   pypi     0.45.1            0.45.1            
     wsproto                 pypi     1.2.0             1.2.0             
  ↑  xz-libs                 apk      5.8.1-r0          5.6.3-r0          
     │   +  Dockerfile (15:15)  
     │   +  FROM --platform=$BUILDPLATFORM python:3.12.12-alpine@sha256:d82291d418d5c47f267708393e40599ae836f2260b0519dd38670e9d281657f5 AS base               
     │   -  Dockerfile (15:15)  
     │   -  FROM --platform=$BUILDPLATFORM python:3.12.8-alpine@sha256:54bec49592c8455de8d5983d984efff76b6417a6af9b5dcc8d0237bf6ad3bd20 AS base                
     │   
     └─  -  HIGH         CVE-2025-31115  [https://scout.docker.com/v/CVE-2025-31115]       
                         8.7    
  
     zipp                    pypi     3.19.2            3.19.2            
     zlib                    apk      1.3.1-r2          1.3.1-r2          
     zope-event              pypi     6.0               6.0               
     zope-interface          pypi     8.0               8.0

@mathieu-benoit
Contributor Author

Details below to expand to see what was done related to the emailservice app:

emailservice - Python 3.12.8 --> 3.12.12

Fixing:

  • -11 CVEs

docker scout compare --to emailservice:before emailservice:after:

  ## Overview
  
                      │                    Analyzed Image                    │                   Comparison Image                    
  ────────────────────┼──────────────────────────────────────────────────────┼───────────────────────────────────────────────────────
    Target            │  emailservice:after                                  │  emailservice:init                                    
      digest          │  36accfb388f2                                        │  dc5e95187263                                         
      tag             │  latest                                              │  latest                                               
      platform        │ linux/amd64                                          │ linux/amd64                                           
      provenance      │ https://github.com/mathieu-benoit/microservices-demo │ https://github.com/mathieu-benoit/microservices-demo  
                      │  144abdd354b329f5f1295ccd00e9c4f04aab00f7            │  dac743458198c22ced0f6ebb77e1c942d5660724             
      vulnerabilities │    0C     1H    12M     3L                           │    0C     5H    18M     4L                            
                      │           -4     -6     -1                           │                                                       
      size            │ 46 MB (-3.2 MB)                                      │ 49 MB                                                 
      packages        │ 102 (+1)                                             │ 101                                                   
                      │                                                      │                                                       
    Base image        │  python:3.12.12-alpine                               │  python:3.12.8-alpine                                 
      tags            │ also known as                                        │ also known as                                         
                      │   • 3.12-alpine                                      │   • 3.12-alpine                                       
                      │   • 3.12-alpine3.22                                  │   • 3.12-alpine3.21                                   
                      │   • 3.12.12-alpine3.22                               │                                                       
      vulnerabilities │    0C     0H     1M     2L                           │    0C     4H     7M     3L                            

  ## Packages and Vulnerabilities
  
    +    1 packages added  
    ⎌   30 packages changed (↑ 30 upgraded, ↓ 0 downgraded)  
        68 packages unchanged

    - 11 vulnerabilities removed

     Package                                   Type     Version           Compared Version  
  
  ↑  .python-rundeps                           apk      20251009.223815   20250108.182304   
  ↑  alpine-baselayout                         apk      3.7.0-r0          3.6.8-r1          
  ↑  alpine-baselayout-data                    apk      3.7.0-r0          3.6.8-r1          
     alpine-keys                               apk      2.5-r0            2.5-r0            
  ↑  alpine-release                            apk      3.22.2-r0         3.21.2-r0         
  ↑  apk-tools                                 apk      2.14.9-r3         2.14.6-r2         
     autocommand                               pypi     2.2.2             2.2.2             
     backoff                                   pypi     2.2.1             2.2.1             
     backports-tarfile                         pypi     1.2.0             1.2.0             
  ↑  busybox                                   apk      1.37.0-r19        1.37.0-r9         
  ↑  busybox-binsh                             apk      1.37.0-r19        1.37.0-r9         
  ↑  ca-certificates                           apk      20250911-r0       20241121-r1       
  ↑  ca-certificates-bundle                    apk      20250911-r0       20241121-r1       
     cachetools                                pypi     5.3.2             5.3.2             
     certifi                                   pypi     2023.7.22         2023.7.22         
     charset-normalizer                        pypi     3.3.2             3.3.2             
     deprecated                                pypi     1.2.14            1.2.14            
     gdbm                                      apk      1.24-r0           1.24-r0           
     google-api-core                           pypi     2.12.0            2.12.0            
     google-api-python-client                  pypi     2.107.0           2.107.0           
     google-auth                               pypi     2.23.4            2.23.4            
     google-auth-httplib2                      pypi     0.1.1             0.1.1             
     google-cloud-profiler                     pypi     4.1.0             4.1.0             
     google-cloud-trace                        pypi     1.11.3            1.11.3            
     googleapis-common-protos                  pypi     1.61.0            1.61.0            
     grpcio                                    pypi     1.59.2            1.59.2            
     grpcio-health-checking                    pypi     1.59.2            1.59.2            
     grpcio-status                             pypi     1.59.2            1.59.2            
     httplib2                                  pypi     0.22.0            0.22.0            
     idna                                      pypi     3.4               3.4               
     importlib-metadata                        pypi     8.0.0             8.0.0             
     inflect                                   pypi     7.3.1             7.3.1             
     jaraco-collections                        pypi     5.1.0             5.1.0             
     jaraco-context                            pypi     5.3.0             5.3.0             
     jaraco-functools                          pypi     4.0.1             4.0.1             
     jaraco-text                               pypi     3.12.1            3.12.1            
     jinja2                                    pypi     3.1.2             3.1.2             
     keyutils-libs                             apk      1.6.3-r4          1.6.3-r4          
     krb5-conf                                 apk      1.0-r2            1.0-r2            
     krb5-libs                                 apk      1.21.3-r0         1.21.3-r0         
  +  libapk2                                   apk      2.14.9-r3                           
     libbz2                                    apk      1.0.8-r6          1.0.8-r6          
  ↑  libcom_err                                apk      1.47.2-r2         1.47.1-r1         
  ↑  libcrypto3                                apk      3.5.4-r0          3.3.2-r4          
  ↑  libffi                                    apk      3.4.8-r0          3.4.6-r0          
  ↑  libgcc                                    apk      14.2.0-r6         14.2.0-r4         
  ↑  libintl                                   apk      0.24.1-r0         0.22.5-r0         
  ↑  libncursesw                               apk      6.5_p20250503-r0  6.5_p20241006-r3  
  ↑  libnsl                                    apk      2.0.1-r1          2.0.1-r0          
  ↑  libpanelw                                 apk      6.5_p20250503-r0  6.5_p20241006-r3  
  ↑  libssl3                                   apk      3.5.4-r0          3.3.2-r4          
     │   +  Dockerfile (15:15)  
     │   +  FROM --platform=$BUILDPLATFORM python:3.12.12-alpine@sha256:d82291d418d5c47f267708393e40599ae836f2260b0519dd38670e9d281657f5 AS base               
     │   -  Dockerfile (15:15)  
     │   -  FROM --platform=$BUILDPLATFORM python:3.12.8-alpine@sha256:54bec49592c8455de8d5983d984efff76b6417a6af9b5dcc8d0237bf6ad3bd20 AS base                
     │   
     ├─  -  HIGH         CVE-2025-9230   [https://scout.docker.com/v/CVE-2025-9230]    
     │                   7.5    
     ├─  -  MEDIUM       CVE-2025-9231   [https://scout.docker.com/v/CVE-2025-9231]    
     │                   6.5    
     ├─  -  MEDIUM       CVE-2024-12797  [https://scout.docker.com/v/CVE-2024-12797]  
     │                   6.3    
     ├─  -  MEDIUM       CVE-2025-9232   [https://scout.docker.com/v/CVE-2025-9232]    
     │                   5.9    
     └─  -  MEDIUM       CVE-2024-13176  [https://scout.docker.com/v/CVE-2024-13176]  
                         4.1    
  
  ↑  libstdc++                                 apk      14.2.0-r6         14.2.0-r4         
     libtirpc                                  apk      1.3.5-r0          1.3.5-r0          
     libtirpc-conf                             apk      1.3.5-r0          1.3.5-r0          
  ↑  libuuid                                   apk      2.41-r9           2.40.2-r4         
     libverto                                  apk      0.3.2-r2          0.3.2-r2          
     markupsafe                                pypi     2.1.3             2.1.3             
     more-itertools                            pypi     10.3.0            10.3.0            
  ↑  musl                                      apk      1.2.5-r10         1.2.5-r8          
     │   +  Dockerfile (15:15)  
     │   +  FROM --platform=$BUILDPLATFORM python:3.12.12-alpine@sha256:d82291d418d5c47f267708393e40599ae836f2260b0519dd38670e9d281657f5 AS base               
     │   -  Dockerfile (15:15)  
     │   -  FROM --platform=$BUILDPLATFORM python:3.12.8-alpine@sha256:54bec49592c8455de8d5983d984efff76b6417a6af9b5dcc8d0237bf6ad3bd20 AS base                
     │   
     └─  -  HIGH         CVE-2025-26519  [https://scout.docker.com/v/CVE-2025-26519]     
                         8.1    
  
  ↑  musl-utils                                apk      1.2.5-r10         1.2.5-r8          
     my-test-package                           pypi     1.0               1.0               
  ↑  ncurses-terminfo-base                     apk      6.5_p20250503-r0  6.5_p20241006-r3  
     opentelemetry-api                         pypi     1.20.0            1.20.0            
     opentelemetry-distro                      pypi     0.41b0            0.41b0            
     opentelemetry-exporter-otlp-proto-common  pypi     1.20.0            1.20.0            
     opentelemetry-exporter-otlp-proto-grpc    pypi     1.20.0            1.20.0            
     opentelemetry-instrumentation             pypi     0.41b0            0.41b0            
     opentelemetry-instrumentation-grpc        pypi     0.41b0            0.41b0            
     opentelemetry-proto                       pypi     1.20.0            1.20.0            
     opentelemetry-sdk                         pypi     1.20.0            1.20.0            
     opentelemetry-semantic-conventions        pypi     0.41b0            0.41b0            
     packaging                                 pypi     24.2              24.2              
  ↑  pip                                       pypi     25.0.1            24.3.1            
     platformdirs                              pypi     4.2.2             4.2.2             
     proto-plus                                pypi     1.22.3            1.22.3            
     protobuf                                  pypi     4.25.0            4.25.0            
     pyasn1                                    pypi     0.5.0             0.5.0             
     pyasn1-modules                            pypi     0.3.0             0.3.0             
     pyparsing                                 pypi     3.1.1             3.1.1             
  ↑  python                                    generic  3.12.12           3.12.8            
     python-json-logger                        pypi     2.0.7             2.0.7             
  ↑  readline                                  apk      8.2.13-r1         8.2.13-r0         
     requests                                  pypi     2.31.0            2.31.0            
     rsa                                       pypi     4.9               4.9               
     scanelf                                   apk      1.3.8-r1          1.3.8-r1          
     setuptools                                pypi     80.9.0            80.9.0            
  ↑  sqlite-libs                               apk      3.49.2-r1         3.47.1-r0         
     │   +  Dockerfile (15:15)  
     │   +  FROM --platform=$BUILDPLATFORM python:3.12.12-alpine@sha256:d82291d418d5c47f267708393e40599ae836f2260b0519dd38670e9d281657f5 AS base               
     │   -  Dockerfile (15:15)  
     │   -  FROM --platform=$BUILDPLATFORM python:3.12.8-alpine@sha256:54bec49592c8455de8d5983d984efff76b6417a6af9b5dcc8d0237bf6ad3bd20 AS base                
     │   
     ├─  -  HIGH         CVE-2025-6965   [https://scout.docker.com/v/CVE-2025-6965]    
     │                   7.2    
     ├─  -  MEDIUM       CVE-2025-3277   [https://scout.docker.com/v/CVE-2025-3277]    
     │                   6.9    
     ├─  -  MEDIUM       CVE-2025-29088  [https://scout.docker.com/v/CVE-2025-29088]  
     │                   5.6    
     └─  -  LOW          CVE-2025-29087  [https://scout.docker.com/v/CVE-2025-29087]  
                         3.2    
  
  ↑  ssl_client                                apk      1.37.0-r19        1.37.0-r9         
     tomli                                     pypi     2.0.1             2.0.1             
     typeguard                                 pypi     4.3.0             4.3.0             
     typing-extensions                         pypi     4.8.0             4.8.0             
  ↑  tzdata                                    apk      2025b-r0          2024b-r1          
     uritemplate                               pypi     4.1.1             4.1.1             
     urllib3                                   pypi     2.0.7             2.0.7             
     wheel                                     pypi     0.45.1            0.45.1            
     wrapt                                     pypi     1.16.0            1.16.0            
  ↑  xz-libs                                   apk      5.8.1-r0          5.6.3-r0          
     │   +  Dockerfile (15:15)  
     │   +  FROM --platform=$BUILDPLATFORM python:3.12.12-alpine@sha256:d82291d418d5c47f267708393e40599ae836f2260b0519dd38670e9d281657f5 AS base               
     │   -  Dockerfile (15:15)  
     │   -  FROM --platform=$BUILDPLATFORM python:3.12.8-alpine@sha256:54bec49592c8455de8d5983d984efff76b6417a6af9b5dcc8d0237bf6ad3bd20 AS base                
     │   
     └─  -  HIGH         CVE-2025-31115  [https://scout.docker.com/v/CVE-2025-31115]       
                         8.7    
  
     zipp                                      pypi     3.19.2            3.19.2            
     zlib                                      apk      1.3.1-r2          1.3.1-r2

@mathieu-benoit
Contributor Author

Details below to expand to see what was done related to the paymentservice app:

paymentservice - Node 20.18 --> 20.19 + Alpine 3.20 --> 3.22

Fixing:

  • -10 CVEs

docker scout compare --to paymentservice:before paymentservice:after:

  ## Overview
  
                      │                    Analyzed Image                    │                   Comparison Image                    
  ────────────────────┼──────────────────────────────────────────────────────┼───────────────────────────────────────────────────────
    Target            │  paymentservice:after                                │  paymentservice:init                                  
      digest          │  110d849f1d35                                        │  099fe7a266d2                                         
      tag             │  latest                                              │  latest                                               
      platform        │ linux/amd64                                          │ linux/amd64                                           
      provenance      │ https://github.com/mathieu-benoit/microservices-demo │ https://github.com/mathieu-benoit/microservices-demo  
                      │  144abdd354b329f5f1295ccd00e9c4f04aab00f7            │  144abdd354b329f5f1295ccd00e9c4f04aab00f7             
      vulnerabilities │    0C     1H     1M     4L                           │    1C     4H     7M     4L                            
                      │    -1     -3     -6                                  │                                                       
      size            │ 48 MB (+6.2 MB)                                      │ 42 MB                                                 
      packages        │ 315 (+5)                                             │ 310                                                   
                      │                                                      │                                                       
    Base image        │  alpine:3.22.2                                       │  alpine:3.20.3                                        
      tags            │ also known as                                        │ also known as                                         
                      │   • 3                                                │   • 3                                                 
                      │   • 3.22                                             │   • 3.20                                              
                      │   • latest                                           │   • latest                                            
      vulnerabilities │    0C     0H     0M     2L                           │    0C     2H     5M     2L                            

  ## Packages and Vulnerabilities

    +    6 packages added  
    -    1 packages removed  
    ⎌   22 packages changed (↑ 22 upgraded, ↓ 0 downgraded)  
       261 packages unchanged

    - 10 vulnerabilities removed

     Package                                     Type  Version       Compared Version       
  
     1to2                                        npm   1.0.0         1.0.0                  
     @babel/parser                               npm   7.18.13       7.18.13                
     @google-cloud/common                        npm   5.0.2         5.0.2                  
     @google-cloud/logging-min                   npm   11.2.0        11.2.0                 
     @google-cloud/paginator                     npm   5.0.2         5.0.2                  
     @google-cloud/profiler                      npm   6.0.3         6.0.3                  
     @google-cloud/projectify                    npm   4.0.0         4.0.0                  
     @google-cloud/promisify                     npm   4.0.0         4.0.0                  
     @grpc/grpc-js                               npm   1.14.1        1.14.1                 
     @grpc/proto-loader                          npm   0.8.0         0.8.0                  
     @js-sdsl/ordered-map                        npm   4.4.2         4.4.2                  
     @mapbox/node-pre-gyp                        npm   1.0.10        1.0.10                 
     @opentelemetry/api                          npm   1.9.0         1.9.0                  
     @opentelemetry/api-logs                     npm   0.208.0       0.208.0                
     @opentelemetry/api-metrics                  npm   0.26.0        0.26.0                 
     @opentelemetry/context-async-hooks          npm   2.2.0         2.2.0                  
     @opentelemetry/core                         npm   2.2.0         2.2.0                  
     @opentelemetry/exporter-logs-otlp-grpc      npm   0.208.0       0.208.0                
     @opentelemetry/exporter-logs-otlp-http      npm   0.208.0       0.208.0                
     @opentelemetry/exporter-logs-otlp-proto     npm   0.208.0       0.208.0                
     @opentelemetry/exporter-metrics-otlp-grpc   npm   0.208.0       0.208.0                
     @opentelemetry/exporter-metrics-otlp-http   npm   0.208.0       0.208.0                
     @opentelemetry/exporter-metrics-otlp-proto  npm   0.208.0       0.208.0                
     @opentelemetry/exporter-otlp-grpc           npm   0.26.0        0.26.0                 
     @opentelemetry/exporter-otlp-http           npm   0.26.0        0.26.0                 
     @opentelemetry/exporter-prometheus          npm   0.208.0       0.208.0                
     @opentelemetry/exporter-trace-otlp-grpc     npm   0.208.0       0.208.0                
     @opentelemetry/exporter-trace-otlp-http     npm   0.208.0       0.208.0                
     @opentelemetry/exporter-trace-otlp-proto    npm   0.208.0       0.208.0                
     @opentelemetry/exporter-zipkin              npm   2.2.0         2.2.0                  
     @opentelemetry/instrumentation              npm   0.208.0       0.208.0                
     @opentelemetry/instrumentation-grpc         npm   0.208.0       0.208.0                
     @opentelemetry/otlp-exporter-base           npm   0.208.0       0.208.0                
     @opentelemetry/otlp-grpc-exporter-base      npm   0.208.0       0.208.0                
     @opentelemetry/otlp-transformer             npm   0.208.0       0.208.0                
     @opentelemetry/propagator-b3                npm   2.2.0         2.2.0                  
     @opentelemetry/propagator-jaeger            npm   2.2.0         2.2.0                  
     @opentelemetry/resources                    npm   2.2.0         2.2.0                  
     @opentelemetry/sdk-logs                     npm   0.208.0       0.208.0                
     @opentelemetry/sdk-metrics                  npm   2.2.0         2.2.0                  
     @opentelemetry/sdk-metrics-base             npm   0.26.0        0.26.0                 
     @opentelemetry/sdk-node                     npm   0.208.0       0.208.0                
     @opentelemetry/sdk-trace-base               npm   2.2.0         2.2.0                  
     @opentelemetry/sdk-trace-node               npm   2.2.0         2.2.0                  
     @opentelemetry/semantic-conventions         npm   1.38.0        1.38.0                 
     @pinojs/redact                              npm   0.4.0         0.4.0                  
     @protobufjs/aspromise                       npm   1.1.2         1.1.2                  
     @protobufjs/base64                          npm   1.1.2         1.1.2                  
     @protobufjs/codegen                         npm   2.0.4         2.0.4                  
     @protobufjs/eventemitter                    npm   1.1.0         1.1.0                  
     @protobufjs/fetch                           npm   1.1.0         1.1.0                  
     @protobufjs/float                           npm   1.0.2         1.0.2                  
     @protobufjs/inquire                         npm   1.1.0         1.1.0                  
     @protobufjs/path                            npm   1.1.2         1.1.2                  
     @protobufjs/pool                            npm   1.1.0         1.1.0                  
     @protobufjs/utf8                            npm   1.1.0         1.1.0                  
     @tootallnate/once                           npm   2.0.0         2.0.0                  
     @types/caseless                             npm   0.12.5        0.12.5                 
     @types/console-log-level                    npm   1.4.2         1.4.2                  
     @types/linkify-it                           npm   3.0.2         3.0.2                  
     @types/long                                 npm   4.0.2         4.0.2                  
     @types/markdown-it                          npm   12.2.3        12.2.3                 
     @types/mdurl                                npm   1.0.2         1.0.2                  
     @types/node                                 npm   18.11.9       18.11.9                
     @types/request                              npm   2.48.12       2.48.12                
     @types/semver                               npm   7.3.13        7.3.13                 
     @types/tough-cookie                         npm   4.0.5         4.0.5                  
     abbrev                                      npm   1.1.1         1.1.1                  
     abort-controller                            npm   3.0.0         3.0.0                  
     acorn                                       npm   8.8.0         8.8.0                  
     acorn-import-attributes                     npm   1.9.5         1.9.5                  
     acorn-jsx                                   npm   5.3.2         5.3.2                  
  ↑  ada-libs                                    apk   2.9.2-r4      2.7.8-r0               
     agent-base                                  npm   7.1.1         7.1.1                  
  ↑  alpine-baselayout                           apk   3.7.0-r0      3.6.5-r0               
  ↑  alpine-baselayout-data                      apk   3.7.0-r0      3.6.5-r0               
  ↑  alpine-keys                                 apk   2.5-r0        2.4-r1                 
  +  alpine-release                              apk   3.22.2-r0                            
     ansi-regex                                  npm   5.0.1         5.0.1                  
     ansi-styles                                 npm   4.3.0         4.3.0                  
  ↑  apk-tools                                   apk   2.14.9-r3     2.14.4-r0              
     aproba                                      npm   2.0.0         2.0.0                  
     are-we-there-yet                            npm   2.0.0         2.0.0                  
     argparse                                    npm   2.0.1         2.0.1                  
     arrify                                      npm   2.0.1         2.0.1                  
     asynckit                                    npm   0.4.0         0.4.0                  
     atomic-sleep                                npm   1.0.0         1.0.0                  
     balanced-match                              npm   1.0.2         1.0.2                  
     base64-js                                   npm   1.5.1         1.5.1                  
     bignumber.js                                npm   9.1.2         9.1.2                  
     bindings                                    npm   1.5.0         1.5.0                  
     bluebird                                    npm   3.7.2         3.7.2                  
     brace-expansion                             npm   1.1.12        1.1.12                 
     brotli-libs                                 apk   1.1.0-r2      1.1.0-r2               
     buffer-equal-constant-time                  npm   1.0.1         1.0.1                  
  ↑  busybox                                     apk   1.37.0-r19    1.36.1-r29             
  ↑  busybox-binsh                               apk   1.37.0-r19    1.36.1-r29             
  ↑  c-ares                                      apk   1.34.5-r0     1.33.1-r0              
     │   +  Dockerfile (32:32)  
     │   +  RUN apk add --no-cache nodejs                                                                                                                      
     │   -  Dockerfile (32:32)  
     │   -  RUN apk add --no-cache nodejs                                                                                                                      
     │   
     └─  -  HIGH         CVE-2025-31498  [https://scout.docker.com/v/CVE-2025-31498]   
                         8.3    
  
     ca-certificates                             apk   20250911-r0   20250911-r0            
  ↑  ca-certificates-bundle                      apk   20250911-r0   20240705-r0            
     call-bind-apply-helpers                     npm   1.0.2         1.0.2                  
     catharsis                                   npm   0.9.0         0.9.0                  
     chownr                                      npm   2.0.0         2.0.0                  
     cjs-module-lexer                            npm   1.4.3         1.4.3                  
     cliui                                       npm   8.0.1         8.0.1                  
     color-convert                               npm   2.0.1         2.0.1                  
     color-name                                  npm   1.1.4         1.1.4                  
     color-support                               npm   1.1.3         1.1.3                  
     combined-stream                             npm   1.0.8         1.0.8                  
     concat-map                                  npm   0.0.1         0.0.1                  
     console-control-strings                     npm   1.1.0         1.1.0                  
     console-log-level                           npm   1.4.1         1.4.1                  
     debug                                       npm   4.4.3         4.4.3                  
     delay                                       npm   5.0.0         5.0.0                  
     delayed-stream                              npm   1.0.0         1.0.0                  
     delegates                                   npm   1.0.0         1.0.0                  
     detect-libc                                 npm   2.0.1         2.0.1                  
     dot-prop                                    npm   6.0.1         6.0.1                  
     dunder-proto                                npm   1.0.1         1.0.1                  
     duplexify                                   npm   4.1.2         4.1.2                  
     ecdsa-sig-formatter                         npm   1.0.11        1.0.11                 
     ee-first                                    npm   1.1.1         1.1.1                  
     emoji-regex                                 npm   8.0.0         8.0.0                  
     end-of-stream                               npm   1.4.4         1.4.4                  
     entities                                    npm   2.1.0         2.1.0                  
     es-define-property                          npm   1.0.1         1.0.1                  
     es-errors                                   npm   1.3.0         1.3.0                  
     es-object-atoms                             npm   1.1.1         1.1.1                  
     es-set-tostringtag                          npm   2.1.0         2.1.0                  
     escalade                                    npm   3.1.1         3.1.1                  
     escape-string-regexp                        npm   2.0.0         2.0.0                  
     escodegen                                   npm   2.1.0         2.1.0                  
     eslint-visitor-keys                         npm   1.3.0         1.3.0                  
     espree                                      npm   7.3.1         7.3.1                  
     esprima                                     npm   4.0.1         4.0.1                  
     estraverse                                  npm   5.3.0         5.3.0                  
     esutils                                     npm   2.0.3         2.0.3                  
     event-target-shim                           npm   5.0.1         5.0.1                  
     eventid                                     npm   2.0.1         2.0.1                  
     extend                                      npm   3.0.2         3.0.2                  
     file-uri-to-path                            npm   1.0.0         1.0.0                  
     findit2                                     npm   2.2.3         2.2.3                  
     form-data                                   npm   2.5.5         2.5.5                  
     fs-minipass                                 npm   2.1.0         2.1.0                  
     fs.realpath                                 npm   1.0.0         1.0.0                  
     function-bind                               npm   1.1.2         1.1.2                  
     gauge                                       npm   3.0.2         3.0.2                  
     gaxios                                      npm   6.7.1         6.7.1                  
     gcp-metadata                                npm   6.1.0         6.1.0                  
     get-caller-file                             npm   2.0.5         2.0.5                  
     get-intrinsic                               npm   1.3.0         1.3.0                  
     get-proto                                   npm   1.0.1         1.0.1                  
     glob                                        npm   7.2.3         7.2.3                  
     google-auth-library                         npm   9.14.1        9.14.1                 
     google-gax                                  npm   4.4.1         4.4.1                  
     gopd                                        npm   1.2.0         1.2.0                  
     graceful-fs                                 npm   4.2.10        4.2.10                 
     gtoken                                      npm   7.1.0         7.1.0                  
     has-symbols                                 npm   1.1.0         1.1.0                  
     has-tostringtag                             npm   1.0.2         1.0.2                  
     has-unicode                                 npm   2.0.1         2.0.1                  
     hasown                                      npm   2.0.2         2.0.2                  
     html-entities                               npm   2.5.2         2.5.2                  
     http-proxy-agent                            npm   5.0.0         5.0.0                  
     https-proxy-agent                           npm   7.0.5         7.0.5                  
  ↑  icu-data-en                                 apk   76.1-r1       74.2-r1                
  ↑  icu-libs                                    apk   76.1-r1       74.2-r1                
     import-in-the-middle                        npm   2.0.0         2.0.0                  
     inflight                                    npm   1.0.6         1.0.6                  
     inherits                                    npm   2.0.4         2.0.4                  
     is-fullwidth-code-point                     npm   3.0.0         3.0.0                  
     is-obj                                      npm   2.0.0         2.0.0                  
     is-stream                                   npm   2.0.1         2.0.1                  
     js2xmlparser                                npm   4.0.2         4.0.2                  
     jsdoc                                       npm   3.6.11        3.6.11                 
     json-bigint                                 npm   1.0.0         1.0.0                  
     jwa                                         npm   2.0.0         2.0.0                  
     jws                                         npm   4.0.0         4.0.0                  
     klaw                                        npm   3.0.0         3.0.0                  
  +  libapk2                                     apk   2.14.9-r3                            
  -  libbase64                                   apk                 0.5.2-r0               
  ↑  libcrypto3                                  apk   3.5.4-r0      3.3.2-r0               
  ↑  libgcc                                      apk   14.2.0-r6     13.2.1_git20240309-r1  
  ↑  libssl3                                     apk   3.5.4-r0      3.3.2-r0               
     │   +  Dockerfile (30:30)  
     │   +  FROM alpine:3.22.2@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412                                                         
     │   -  Dockerfile (30:30)  
     │   -  FROM alpine:3.20.3@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a                                                         
     │   
     ├─  -  HIGH         CVE-2025-9230   [https://scout.docker.com/v/CVE-2025-9230]        
     │                   7.5    
     ├─  -  MEDIUM       CVE-2025-9231   [https://scout.docker.com/v/CVE-2025-9231]        
     │                   6.5    
     ├─  -  MEDIUM       CVE-2024-12797  [https://scout.docker.com/v/CVE-2024-12797]      
     │                   6.3    
     ├─  -  MEDIUM       CVE-2025-9232   [https://scout.docker.com/v/CVE-2025-9232]        
     │                   5.9    
     ├─  -  MEDIUM       CVE-2024-9143   [https://scout.docker.com/v/CVE-2024-9143]        
     │                   4.3    
     └─  -  MEDIUM       CVE-2024-13176  [https://scout.docker.com/v/CVE-2024-13176]      
                         4.1    
  
  ↑  libstdc++                                   apk   14.2.0-r6     13.2.1_git20240309-r1  
     linkify-it                                  npm   3.0.3         3.0.3                  
     lodash                                      npm   4.17.21       4.17.21                
     lodash.camelcase                            npm   4.3.0         4.3.0                  
     lodash.merge                                npm   4.6.2         4.6.2                  
     lodash.sortby                               npm   4.7.0         4.7.0                  
     long                                        npm   5.3.2         5.3.2                  
     lru-cache                                   npm   6.0.0         6.0.0                  
     make-dir                                    npm   3.1.0         3.1.0                  
     markdown-it                                 npm   12.3.2        12.3.2                 
     markdown-it-anchor                          npm   8.6.4         8.6.4                  
     marked                                      npm   4.0.19        4.0.19                 
     math-intrinsics                             npm   1.1.0         1.1.0                  
     mdurl                                       npm   1.0.1         1.0.1                  
     mime-db                                     npm   1.52.0        1.52.0                 
     mime-types                                  npm   2.1.35        2.1.35                 
     minimatch                                   npm   3.1.2         3.1.2                  
     minipass                                    npm   3.3.6         3.3.6                  
     minizlib                                    npm   2.1.2         2.1.2                  
     mkdirp                                      npm   1.0.4         1.0.4                  
     module-details-from-path                    npm   1.0.3         1.0.3                  
     ms                                          npm   2.1.3         2.1.3                  
  ↑  musl                                        apk   1.2.5-r10     1.2.5-r0               
     │   +  Dockerfile (30:30)  
     │   +  FROM alpine:3.22.2@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412                                                         
     │   -  Dockerfile (30:30)  
     │   -  FROM alpine:3.20.3@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a                                                         
     │   
     └─  -  HIGH         CVE-2025-26519  [https://scout.docker.com/v/CVE-2025-26519]         
                         8.1    
  
  ↑  musl-utils                                  apk   1.2.5-r10     1.2.5-r0               
     nan                                         npm   2.17.0        2.17.0                 
  ↑  nghttp2-libs                                apk   1.65.0-r0     1.62.1-r0              
     node-fetch                                  npm   2.7.0         2.7.0                  
  ↑  nodejs                                      apk   22.16.0-r2    20.15.1-r0             
     │   +  Dockerfile (32:32)  
     │   +  RUN apk add --no-cache nodejs                                                                                                                      
     │   -  Dockerfile (32:32)  
     │   -  RUN apk add --no-cache nodejs                                                                                                                      
     │   
     ├─  -  CRITICAL     CVE-2024-3566   [https://scout.docker.com/v/CVE-2024-3566]    
     │                   9.8    
     └─  -  MEDIUM       CVE-2025-23084  [https://scout.docker.com/v/CVE-2025-23084]  
                         5.5    
  
     nopt                                        npm   5.0.0         5.0.0                  
     npmlog                                      npm   5.0.1         5.0.1                  
     nw-pre-gyp-module-test                      npm   0.0.1         0.0.1                  
     object-assign                               npm   4.1.1         4.1.1                  
     object-hash                                 npm   3.0.0         3.0.0                  
     on-exit-leak-free                           npm   2.1.0         2.1.0                  
     on-finished                                 npm   2.4.1         2.4.1                  
     once                                        npm   1.4.0         1.4.0                  
     p-limit                                     npm   3.1.0         3.1.0                  
     parse-ms                                    npm   2.1.0         2.1.0                  
     path-is-absolute                            npm   1.0.1         1.0.1                  
     paymentservice                              npm   0.0.1         0.0.1                  
     pino                                        npm   10.1.0        10.1.0                 
     pino-abstract-transport                     npm   2.0.0         2.0.0                  
     pino-std-serializers                        npm   7.0.0         7.0.0                  
     pprof                                       npm   4.0.0         4.0.0                  
     pretty-ms                                   npm   7.0.1         7.0.1                  
     process-warning                             npm   5.0.0         5.0.0                  
     proto3-json-serializer                      npm   2.0.2         2.0.2                  
     protobufjs                                  npm   7.5.4         7.5.4                  
     pump                                        npm   3.0.0         3.0.0                  
     pumpify                                     npm   2.0.1         2.0.1                  
     punycode                                    npm   2.3.1         2.3.1                  
     quick-format-unescaped                      npm   4.0.4         4.0.4                  
     readable-stream                             npm   3.6.2         3.6.2                  
     real-require                                npm   0.2.0         0.2.0                  
     require-directory                           npm   2.1.1         2.1.1                  
     require-in-the-middle                       npm   8.0.0         8.0.0                  
     requizzle                                   npm   0.2.3         0.2.3                  
     retry-request                               npm   7.0.2         7.0.2                  
     rimraf                                      npm   3.0.2         3.0.2                  
     safe-buffer                                 npm   5.2.1         5.2.1                  
     safe-stable-stringify                       npm   2.4.1         2.4.1                  
  ↑  scanelf                                     apk   1.3.8-r1      1.3.7-r2               
     semver                                      npm   7.5.4         7.5.4                  
     set-blocking                                npm   2.0.0         2.0.0                  
     signal-exit                                 npm   3.0.7         3.0.7                  
  +  simdjson                                    apk   3.12.0-r0                            
  +  simdutf                                     apk   7.2.1-r0                             
     simple-card-validator                       npm   1.1.0         1.1.0                  
     sonic-boom                                  npm   4.0.1         4.0.1                  
     source-map                                  npm   0.8.0-beta.0  0.8.0-beta.0           
     split                                       npm   1.0.1         1.0.1                  
     split2                                      npm   4.1.0         4.1.0                  
  +  sqlite-libs                                 apk   3.49.2-r1                            
  ↑  ssl_client                                  apk   1.37.0-r19    1.36.1-r29             
     stream-events                               npm   1.0.5         1.0.5                  
     stream-shift                                npm   1.0.1         1.0.1                  
     string-width                                npm   4.2.3         4.2.3                  
     string_decoder                              npm   1.3.0         1.3.0                  
     strip-ansi                                  npm   6.0.1         6.0.1                  
     strip-json-comments                         npm   3.1.1         3.1.1                  
     stubs                                       npm   3.0.0         3.0.0                  
     taffydb                                     npm   2.6.2         2.6.2                  
     tar                                         npm   6.1.12        6.1.12                 
     teeny-request                               npm   9.0.0         9.0.0                  
     thread-stream                               npm   3.0.1         3.0.1                  
     through                                     npm   2.3.8         2.3.8                  
     tmp                                         npm   0.2.1         0.2.1                  
     tr46                                        npm   1.0.1         1.0.1                  
     transport                                   npm   0.0.1         0.0.1                  
     uc.micro                                    npm   1.0.6         1.0.6                  
     underscore                                  npm   1.13.4        1.13.4                 
     util-deprecate                              npm   1.0.2         1.0.2                  
     uuid                                        npm   9.0.1         9.0.1                  
     webidl-conversions                          npm   4.0.2         4.0.2                  
     whatwg-url                                  npm   7.1.0         7.1.0                  
     wide-align                                  npm   1.1.5         1.1.5                  
     wrap-ansi                                   npm   7.0.0         7.0.0                  
     wrappy                                      npm   1.0.2         1.0.2                  
     xmlcreate                                   npm   2.0.4         2.0.4                  
     y18n                                        npm   5.0.8         5.0.8                  
     yallist                                     npm   4.0.0         4.0.0                  
     yargs                                       npm   17.7.2        17.7.2                 
     yargs-parser                                npm   21.1.1        21.1.1                 
     yocto-queue                                 npm   0.1.0         0.1.0                  
  ↑  zlib                                        apk   1.3.1-r2      1.3.1-r1               
  +  zstd-libs                                   apk   1.5.7-r0

@mathieu-benoit mathieu-benoit changed the title [WIP] Bump container base images to fix CVEs Bump container base images to fix CVEs Dec 1, 2025
@mathieu-benoit mathieu-benoit marked this pull request as ready for review December 1, 2025 02:53
@mathieu-benoit
Contributor Author

Hi @bourgeoisor and team, ready for your review, thanks!

Member

@bourgeoisor bourgeoisor left a comment

LGTM, superb work, thank you Mathieu!

@bourgeoisor bourgeoisor merged commit 0434be5 into GoogleCloudPlatform:main Dec 1, 2025
6 checks passed
@mathieu-benoit mathieu-benoit deleted the upgrade-dockerfiles branch December 1, 2025 12:21
@BrizoSec

BrizoSec commented Dec 1, 2025

Yeah, good version bumps. Thanks for covering.
