#Unit Tests · Neirda24/GotenbergBundle@07...
or maybe it is docker that is just refusing because not authenticated but that would be weird
I doubt they get overwritten, but I do not know if they expire
That said, I just successfully did docker pull on that exact composer image , so I think the problem lies elsewhere
The runtime does now target a more specific composer image: https://github.com/dagger/dagger/blob/31a84b7ff46f14be1dee88ea0b900b6a5debd1d5/sdk/php/runtime/main.go#L17C1-L18C77
My concern is, the more specific the image, the more frequently it needs manually updating a.k.a. extra maintenance
And failure to keep up to date could leave us exposed to security vulnerabilities
Hmm. That said, I expect locking us in to a specific digest leaves us exposed as is.
I am going to call upon the great sage for advice.
@tight spruce I beseech you, grace us with your divine wisdom. 🙏
What is general practice for runtime images?
Do you lock in to a specific digest and just accept the maintenance burden of updating it?
pretty much 😅
python does some more clever detection of versioning https://github.com/dagger/dagger/blob/326354416b29e7cb7264a1cb463e1e91267c6d55/sdk/python/runtime/discovery.go#L444-L465
cc @clever cradle @rustic totem who are the sdk experts 😄
😓 Is this the sort of thing we could set Dependabot up to deal with?
Yeah I did notice they had a Dockerfile in there when I scouted about
dependabot can pick up on that
Riight... so it handles dockerfiles specifically
and then Python can extract from the Dockerfile
That seems like a sensible way to do it
Updating the image itself isn't really that huge a task, it's more the "You better check regularly" which opens up security to the human factor.
So I think Python SDK tactic is the way to go.
yeah! i would say hook into the dockerfile approach! i would probably:
- extract the dockerfile parser tool into distconsts or something, so that then it can be used in the php module too (otherwise we're just duplicating)
- then add dockerfiles for the php runtime
- then add the dockerfile to dependabot.yml
all you'll need to do is make sure the automated test coverage is good, and we can merge the prs and keep it up to date for you
zero touch 😄
Yeah that's basically what I do on TypeScript.
For Node it's quite simple, I update the runtime to the latest stable major release (LTS) following this table: https://nodejs.org/en/about/previous-releases, but the user can still configure a specific version if he wants to.
For Deno & Bun it has to be done manually tho, I do it whenever a user asks or if a new major release has been pushed.
Basically I try to not do it too often because version bumps can create unexpected breaking changes,
I would recommend to:
- keep a stable version on your runtime and only update when it's necessary.
- give the user the possibility to configure its image version
I can see your concerns about security vulnerabilities, that's important indeed, however we are always executing the code inside containers so we are less likely to be impacted depending on the issue.
You can also indeed go for the Dockerfile option, that's ideal if you maintain only 1 runtime (harder for TypeScript since I have 3 different ones haha)
I can see your concerns about security vulnerabilities, that's important indeed, however we are always executing the code inside containers so we are less likely to be impacted depending on the issue.
That's true
You can also indeed go for the Dockerfile option, that's ideal if you maintain only 1 runtime
Composer is the de facto package manager for PHP, so I plan to keep it as 1 runtime for the foreseeable future.
For Node it's quite simple, I update the runtime to the latest stable major release (LTS) following this table: https://nodejs.org/en/about/previous-releases, but the user can still configure a specific version if he wants to.
However it would probably be good to allow a custom image with a run at your own risk warning, similar to Python
Yup, you can check how we do it in TypeScript too:
Thank you
Also if you got some time, could you review these PHP docs PRs: https://github.com/dagger/dagger/pulls?q=sort%3Aupdated-desc+is%3Apr+is%3Aopen+draft%3Anone+review%3Arequired+label%3Aarea%2Fdocumentation+PHP
There are a lot of them, I think you're the best person to check them, I'm happy to handle the changes or merge them once you give your approval 🙂
I've reviewed what I can for now, the remaining ones I believe are failing due to limitations of the SDK... That's going to need some time to sort out