From aac8d4dd0e0b5decf6b4062e577762cebe98de30 Mon Sep 17 00:00:00 2001
From: Tyler Koenig <tyler@lerkolabs.com>
Date: Fri, 29 May 2026 20:19:08 -0400
Subject: [PATCH] fix(security): remove unused openssh-client from Docker image
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

openssh-client was never used — uptop uses pure Go SSH via
charmbracelet/ssh. Removing it eliminates CVE-2026-25680,
CVE-2026-35386, CVE-2026-35387, and CVE-2026-35388.
---
 Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index f34cf5c..3dbab66 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -17,8 +17,7 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 # --- Stage 2: Runner ---
 FROM alpine:3.23
 WORKDIR /app
-RUN apk add --no-cache ca-certificates openssh-client
-RUN apk upgrade --no-cache
+RUN apk add --no-cache ca-certificates && apk upgrade --no-cache
 RUN mkdir /data
 
 COPY --from=builder /app/uptop .