Skip to content

Set --default-toolchain, use --locked and re-build#183

Merged
zhuofuAMZ merged 1 commit intoawslabs:mainfrom
alvarobartt:main
Mar 11, 2026
Merged

Set --default-toolchain, use --locked and re-build#183
zhuofuAMZ merged 1 commit intoawslabs:mainfrom
alvarobartt:main

Conversation

@alvarobartt
Copy link
Copy Markdown
Contributor

Description of changes:

This PR re-builds the Dockerfile for Text Embeddings Inference v1.8.0 and v1.8.2 as per the recently reported CVEs, and in the process identifies an issue with the rust-toolchain.toml being missing which was preventing us from re-building the given Dockerfiles on earlier versions (see huggingface/text-embeddings-inference#842).

Additionally, this PR also adds the --locked flag in the chef cook and cargo build commands to ensure that the Cargo.lock file is used, ensuring that the image will still build anytime in the future.

Then, as per CVE patching, re-building and pushing to AWS EC2 and scanning with AWS Inspector, shows that there are no vulnerabilities at all in neither of those after re-building.

Finally, note that the CPU Dockerfiles didn't need to modify anything given that those were not affected by the rust-toolchain.toml as we're using the rustc version installed on the base image, which didn't change.

TL;DR Re-building fixed all the existing CVEs on all the reported containers, as of March 06, 2026, ~14:00:00 (UTC+01).


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@alvarobartt alvarobartt requested a review from a team as a code owner March 11, 2026 19:53
@zhuofuAMZ zhuofuAMZ merged commit 3738c3b into awslabs:main Mar 11, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants