
Bump php:8.5-alpine base digest to patch curl/libxml2/xz/nghttp2 CVEs#72

Merged
loks0n merged 2 commits into main from bump-base-digest-cve-patch on Jun 7, 2026

Conversation


@loks0n loks0n commented Jun 7, 2026

Member

What

Bump the pinned php:8.5-alpine base image digest from dccc3abc… to 3cfccf28….

Why

The pinned base shipped vulnerable OS packages flagged by the Trivy scan. Upstream rebuilt php:8.5-alpine (still Alpine 3.23.4) with the patched versions, so a digest bump clears every open alert:

| Package | Was | Now | CVEs cleared |
|---|---|---|---|
| curl/libcurl | 8.17.0-r1 | 8.19.0-r0 | CVE-2026-1965/3783/3784/3805, CVE-2025-14017/14524/14819 |
| libxml2 | 2.13.9-r0 | 2.13.9-r1 | CVE-2026-6732 (HIGH) |
| nghttp2-libs | 1.68.0-r0 | 1.69.0-r0 | CVE-2026-27135 (HIGH) |
| xz/xz-libs | 5.8.2-r0 | 5.8.3-r0 | CVE-2026-34743 |

Verified by inspecting both digests directly (apk info -v).

Approach note

Bumping the pinned digest is preferred over re-adding apk upgrade: it patches the CVEs while keeping builds reproducible, rather than floating package versions at build time. Since pinning makes OS-package patching a manual step, the weekly Trivy scan is the natural trigger to bump the digest — worth considering a scheduled digest-bump if these alerts recur often.

🤖 Generated with Claude Code

The pinned base (dccc3abc) shipped vulnerable curl 8.17.0-r1, libxml2
2.13.9-r0, nghttp2-libs 1.68.0-r0 and xz 5.8.2-r0. Upstream rebuilt
php:8.5-alpine (same Alpine 3.23.4) with the patched packages
(curl 8.19.0-r0, libxml2 2.13.9-r1, nghttp2-libs 1.69.0-r0,
xz 5.8.3-r0), clearing the open Trivy alerts:

  CVE-2026-6732 (libxml2, HIGH), CVE-2026-27135 (nghttp2, HIGH),
  CVE-2026-34743 (xz), CVE-2026-1965/3783/3784/3805/2025-14017/
  14524/14819 (curl).

Bumping the pinned digest keeps builds reproducible rather than
floating package versions with apk upgrade.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
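The "apk info -v" verification and the digest-pinning rationale above can be scripted. The following is an added example, not code from this PR or from the appwrite/docker-base repository: it checks that a Dockerfile FROM line is pinned by a full sha256 digest and diffs the package versions reported by two apk listings so a bump can be confirmed to have changed exactly the flagged packages. The `image_packages` function assumes docker is installed and is the only part that touches a registry; the package listings below are constructed from the versions in the PR table (with a filler musl entry), and the 64-character digest is a placeholder, not one of the digests in this PR.

```shell
#!/bin/sh
# Added example (not from the PR): verify a digest-pinned base image and diff
# the OS package versions between an old and a new digest.
set -eu

# Pull `apk info -v` output from an image reference such as
# php:8.5-alpine@sha256:<digest>. Requires docker; not exercised offline.
image_packages() {
  docker run --rm "$1" apk info -v
}

# Succeeds only when the FROM line pins the image by a full sha256 digest;
# tag-only references and truncated digests are rejected.
from_is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '^FROM[[:space:]]+[^[:space:]]+@sha256:[0-9a-f]{64}([[:space:]]|$)'
}

# Turn "name-ver-rN" lines into "name ver-rN", sorted for join(1).
# Package names may themselves contain hyphens (nghttp2-libs, xz-libs),
# so the version is taken as the final "X-rN" pair.
_split_pkgs() {
  printf '%s\n' "$1" | sed -E 's/^(.*)-([^-]+-r[0-9]+)$/\1 \2/' | LC_ALL=C sort
}

# apk_version_diff OLD NEW: prints "package old_version new_version" for every
# package whose version differs between the two `apk info -v` listings.
apk_version_diff() {
  old=$(mktemp); new=$(mktemp)
  _split_pkgs "$1" > "$old"
  _split_pkgs "$2" > "$new"
  LC_ALL=C join "$old" "$new" | awk '$2 != $3'
  rm -f "$old" "$new"
}

# Constructed sample listings in `apk info -v` format. The curl, libxml2,
# nghttp2-libs and xz versions are the ones from the PR table; musl is a
# constructed filler entry to show that unchanged packages are filtered out.
OLD_PKGS='curl-8.17.0-r1
libcurl-8.17.0-r1
libxml2-2.13.9-r0
musl-1.2.5-r10
nghttp2-libs-1.68.0-r0
xz-5.8.2-r0
xz-libs-5.8.2-r0'

NEW_PKGS='curl-8.19.0-r0
libcurl-8.19.0-r0
libxml2-2.13.9-r1
musl-1.2.5-r10
nghttp2-libs-1.69.0-r0
xz-5.8.3-r0
xz-libs-5.8.3-r0'

# Placeholder digest (64 hex characters); NOT the digest used in this PR.
PLACEHOLDER_DIGEST=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# Stand-alone demo: report pin status, then list the packages the bump changed.
if from_is_digest_pinned "FROM php:8.5-alpine@sha256:$PLACEHOLDER_DIGEST"; then
  echo "base image is digest-pinned"
fi
apk_version_diff "$OLD_PKGS" "$NEW_PKGS"
```

In practice the two listings come from `image_packages "php:8.5-alpine@sha256:<old>"` and `image_packages "php:8.5-alpine@sha256:<new>"`; the diff output is what gets pasted into the PR table, and the pin check is the kind of assertion a CI step can run so a digest bump is never silently replaced by a floating tag.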

greptile-apps Bot commented Jun 7, 2026


Greptile Summary

This PR bumps the pinned php:8.5-alpine base image digest to pull in upstream Alpine 3.23.4 rebuilds that ship patched versions of curl/libcurl, libxml2, nghttp2-libs, and xz, clearing seven CVEs flagged by Trivy.

  • Dockerfile: Single-line digest change from dccc3abc… to 3cfccf28…; no build logic altered.
  • tests.yaml: PHP version assertion loosened from PHP 8.5.5 (cli)* to PHP 8.5.* (cli)* so the test survives future digest bumps that may ship a different 8.5.x patch.

Confidence Score: 5/5

Safe to merge — the change is a pure digest bump that replaces vulnerable OS packages with patched versions and makes one test assertion less brittle.

The Dockerfile change is a one-line digest swap with no build-logic alterations. The test change correctly widens the PHP version match to accommodate any 8.5.x patch, which is a reasonable trade-off given this image is pinned by digest rather than by PHP version.

No files require special attention.

Important Files Changed

| Filename | Overview |
|---|---|
| Dockerfile | Bumps the pinned php:8.5-alpine base image digest to patch curl/libcurl, libxml2, nghttp2-libs, and xz CVEs; no structural change to the build. |
| tests.yaml | Relaxes the PHP version assertion from an exact patch-level match ("PHP 8.5.5") to a wildcard ("PHP 8.5.*") to remain valid across future digest bumps. |

Reviews (2). Last reviewed commit: "Loosen PHP version structure test to 8.5..."

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@loks0n loks0n merged commit ddaa822 into main Jun 7, 2026
11 checks passed
loks0n added a commit to appwrite/appwrite that referenced this pull request Jun 7, 2026
Patches curl/libxml2/xz/nghttp2 CVEs via appwrite/docker-base#72.
