From 18d518b47a6b115f73c9185dd75b6402be530f02 Mon Sep 17 00:00:00 2001
From: codex
Date: Tue, 21 Apr 2026 23:59:48 -0300
Subject: [PATCH] security(ariadne): harden image and bump jwt

---
 Dockerfile       | 3 ++-
 Dockerfile.base  | 7 ++++++-
 Dockerfile.ci    | 6 +++++-
 requirements.txt | 2 +-
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c392415..db6d46c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,8 +5,9 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 WORKDIR /app
-COPY ariadne /app/ariadne
+COPY --chown=ariadne:ariadne ariadne /app/ariadne
 EXPOSE 8080
+USER ariadne
 CMD ["uvicorn", "ariadne.app:app", "--host", "0.0.0.0", "--port", "8080"]
diff --git a/Dockerfile.base b/Dockerfile.base
index 175c16c..9679ab9 100644
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -6,4 +6,9 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 WORKDIR /app
 COPY requirements.txt /app/requirements.txt
-RUN pip install --no-cache-dir -r /app/requirements.txt
+RUN pip install --no-cache-dir -r /app/requirements.txt && \
+    addgroup --system ariadne && \
+    adduser --system --ingroup ariadne --home /app ariadne && \
+    chown -R ariadne:ariadne /app
+
+USER ariadne
diff --git a/Dockerfile.ci b/Dockerfile.ci
index 904fe86..a3c1884 100644
--- a/Dockerfile.ci
+++ b/Dockerfile.ci
@@ -1,6 +1,10 @@
 FROM registry.bstein.dev/bstein/ariadne-base:py312
+USER root
 WORKDIR /app
 COPY requirements-dev.txt /app/requirements-dev.txt
-RUN pip install --no-cache-dir -r /app/requirements-dev.txt
+RUN pip install --no-cache-dir -r /app/requirements-dev.txt && \
+    chown -R ariadne:ariadne /app
+
+USER ariadne
diff --git a/requirements.txt b/requirements.txt
index c0b0d9b..7acc075 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,7 +2,7 @@ fastapi==0.115.11
 uvicorn[standard]==0.30.6
 httpx==0.27.2
 kubernetes==30.1.0
-PyJWT[crypto]==2.10.1
+PyJWT[crypto]==2.12.1
 psycopg[binary]==3.2.6
 psycopg-pool==3.2.6
 croniter==2.0.7
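Review bot: `COPY --chown=ariadne:ariadne ariadne /app/ariadne` hands the application source to the same account the service runs as, so a code-execution bug in the app can rewrite its own modules on disk and the non-root switch buys much less than it should. Leave the tree root-owned and readable instead — plain `COPY ariadne /app/ariadne` (COPY runs as root at build time regardless of USER, and the default 0644/0755 modes are readable by ariadne) — and give the service an explicitly writable directory only if it needs one. For that to hold, the `chown -R ariadne:ariadne /app` added to Dockerfile.base in this same patch also needs narrowing, since ownership of the parent directory lets ariadne rename or replace /app/ariadne. `USER ariadne` presumably relies on the account created in ariadne-base; this Dockerfile's FROM line is outside the hunk, so that cannot be confirmed here.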
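Review bot: The service account is created without a fixed identity — `adduser --system` takes the next free system UID and the stage ends with `USER ariadne` by name — so the UID can shift between base rebuilds, and a Kubernetes pod with `runAsNonRoot` set will refuse to start the container because it cannot verify a non-numeric USER. Pin both ids and switch by number: `addgroup --system --gid 10001 ariadne && \`, `adduser --system --uid 10001 --ingroup ariadne --home /app ariadne && \`, and `USER 10001:10001`. Separately, `chown -R ariadne:ariadne /app` gives the runtime user ownership of its home and of everything later copied beneath it; if the app only reads its code, drop the chown or limit it to a dedicated writable subdirectory so the code tree stays root-owned.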
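Review bot: The new `chown -R ariadne:ariadne /app` and `USER ariadne` lines only succeed if the `ariadne` account exists in the `ariadne-base:py312` image that is pulled, yet that base is modified in this same patch and referenced by a mutable tag rather than a digest, so a CI build that runs before the rebuilt base is pushed — or one that reuses a cached older pull — fails on an unknown user. Publish the base first and pin it, e.g. `FROM registry.bstein.dev/bstein/ariadne-base:py312@sha256:<digest-of-rebuilt-base>`, or at least force `--pull` in the CI build so the refreshed base is used. The `USER root` / `USER ariadne` bracket around the root-only `pip install` is the right shape; it just depends on that ordering being guaranteed.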