[Snyk] Security upgrade python from 3.9 to 3.14.3

[ashmuck]

Snyk has created this PR to fix 5 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

• Dockerfile

We recommend upgrading to python:3.14.3, as this image has only 289 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Heap-based Buffer Overflow SNYK-DEBIAN13-IMAGEMAGICK-15339557	786
	Stack-based Buffer Overflow SNYK-DEBIAN13-IMAGEMAGICK-15339582	786
	Use After Free SNYK-DEBIAN13-IMAGEMAGICK-15339593	786
	Out-of-bounds Read SNYK-DEBIAN13-IMAGEMAGICK-15339597	786
	Heap-based Buffer Overflow SNYK-DEBIAN13-IMAGEMAGICK-15339648	786

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Heap-based Buffer Overflow
🦉 Use After Free
🦉 Out-of-bounds Read

---

Note

Medium Risk
Changes the GitHub Actions container runtime from Python 3.9 to 3.14.3, which can introduce compatibility issues for dependencies or tooling. Scope is limited to CI/container build behavior and should be validated by running the workflow end-to-end.

Overview
Updates the GitHub Actions Dockerfile base image from python:3.9 to python:3.14.3 to pick up upstream security fixes (and reduce known vulnerabilities).

No other build steps or entrypoints are changed; only the container’s Python runtime/OS image is upgraded.

^{Written by Cursor Bugbot for commit dc6afb2. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Python 3.14 breaks invoke 1.x dependency compatibility

High Severity

Upgrading the base image from python:3.9 to python:3.14.3 breaks the invoke>=1.4.1,<2 dependency. Invoke 1.x uses inspect.getargspec(), which was removed in Python 3.11, causing an AttributeError at import time. Since semantic_release/dist.py and semantic_release/pre_commit.py both do from invoke import run, and cli.py imports from dist.py, the Dockerfile's own build-time check (python -m semantic_release.cli --help) will fail. The fix exists only in invoke 2.0+, which is outside the pinned range <2.