We create a nodejs 18.18 Docker image based on Alpine 3.18.
We include the libraries libssl3 and libcrypto3. By default, it will use the versions 3.1.3-r0, for which our vulnerability scanner reports vulnerabilities which are solved in 3.1.4-r0
Therefore we updated our Dockerfile to add
RUN apk --no-cache add --virtual libcrypto3=3.1.4-r0 libssl3=3.1.4-r0
This worked for a while, until a month later when building an image we got the error
INFO[0008] Running: [/bin/sh -c apk add --no-cache --virtual libssl3=3.1.4-r0]
WARNING: creating empty virtual package
ERROR: unable to select packages:
libssl3-3.1.3-r0:
breaks: world[libssl3=3.1.4-r0]
satisfies: apk-tools-2.14.0-r2[so:libssl.so.3]
this was solved by updating the library versions to 3.1.4-r1
INFO[0007] Running: [/bin/sh -c apk add --no-cache --virtual libssl3=3.1.4-r1]
WARNING: creating empty virtual package
(1/1) Upgrading libssl3 (3.1.3-r0 -> 3.1.4-r1)
But a couple of months later the build failed again
ERROR: unable to select packages:
libssl3-3.1.3-r0:
breaks: world[libssl3=3.1.4-r1]
Now it is fixed again by using version 3.1.4-r5, but I foresee that when there is a new r version, our build will fail again and we'll have to manually update the version of the libray in our Dockerfile.
Why is this happening? How does the upgrade of libraries work?
I'd expect that once we point to a specific library version it should be possible to re-build the images.