Description
As soon as grist-core has a new release (1.4.3 ?), this PR can be taken out of draft state and merged.
We have to wait for this release because the PR needs the segregation between dev dependencies and prod dependencies introduced by this commit.
These future images are more secure because:
- They remove python2 from our images
- They remove many vulns from OS layer because we are now Alpine based
- They remove sandboxes that we don't use (pyodide)
They also have the advantage of:
- Being lighter thanks to Alpine
- Compiling a little faster as we no longer compile tests
Thanks to these new images, known vulns in images drop from ~200 to 65.
Last efforts to be done:
- Compile runsc (for gvisor sandbox) with a more modern version of go stdlib (-64 vulns)
- Update redis dependencies (-1 vuln)
That would lead to a 0 known vuln image.