2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,4 +1,4 @@
FROM python:3.14.0rc1-alpine
FROM python:3.14.0-alpine


medium

While upgrading to the stable 3.14.0-alpine tag is a good security improvement, for better build reproducibility and to guard against tag mutability, it's a best practice to pin the base image to its immutable digest (a SHA256 hash).

This guarantees that you are always using the exact same base image for your builds, preventing unexpected changes or vulnerabilities that could be introduced if the tag is updated upstream.

You can find the digest for the image by running:

  1. docker pull python:3.14.0-alpine
  2. docker images --digests python

The FROM line would then be updated to include the digest, like so:

FROM python:3.14.0-alpine@sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
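One way to carry out the pinning that the comment above describes, as an added example that is not part of the PR or of the reviewer's comment: a POSIX shell script that validates a digest and rewrites the `FROM` line to include it. It assumes the digest has already been obtained out of band (with `docker pull` and `docker images --digests python` as the comment says, or with `docker buildx imagetools inspect python:3.14.0-alpine`, which needs no pull) and is passed in, so the script itself runs offline; the sample Dockerfile and digest in the block are constructed.

```shell
#!/bin/sh
# Added example (not from the PR): pin a Dockerfile's FROM line to an image
# digest so the base image can no longer change underneath a mutable tag.
# The digest is obtained out of band (e.g. `docker images --digests python`
# after a pull, or `docker buildx imagetools inspect python:3.14.0-alpine`,
# which needs no pull) and passed in, so this script itself runs offline.

# A usable pin is "sha256:" followed by exactly 64 lowercase hex digits.
valid_digest() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Rewrite one FROM line. Arguments: line, image reference (name:tag), digest.
# Prints the pinned line; returns 1 if the line is not a FROM for that image
# or the digest is malformed. A line that is already pinned is left alone.
# The tag is kept beside the digest so the intended version stays readable.
pin_from_line() {
  line=$1; image=$2; digest=$3
  valid_digest "$digest" || return 1
  case "$line" in
    "FROM $image@sha256:"*) printf '%s\n' "$line"; return 0 ;;  # already pinned
    "FROM $image") rest="" ;;
    "FROM $image "*) rest=${line#"FROM $image"} ;;              # e.g. " AS builder"
    *) return 1 ;;
  esac
  printf 'FROM %s@%s%s\n' "$image" "$digest" "$rest"
}

# Rewrite every matching FROM line of a Dockerfile read from stdin, passing
# all other lines through unchanged. Arguments: image reference, digest.
pin_dockerfile() {
  image=$1; digest=$2
  while IFS= read -r l || [ -n "$l" ]; do
    pin_from_line "$l" "$image" "$digest" || printf '%s\n' "$l"
  done
}

# Constructed sample input: not the PR's Dockerfile, and a made-up digest
# (64 'a' characters) that is syntactically valid but refers to nothing.
SAMPLE_DIGEST="sha256:$(printf '%064d' 0 | tr 0 a)"
SAMPLE_DOCKERFILE='FROM python:3.14.0-alpine AS builder

# Define the working directory.
WORKDIR /app'

printf '%s\n' "$SAMPLE_DOCKERFILE" | pin_dockerfile python:3.14.0-alpine "$SAMPLE_DIGEST"
```

Before committing the pinned line, confirm with `docker buildx imagetools inspect` that the digest you took is the manifest list (index) digest for the tag rather than one platform's manifest digest; pinning the latter makes the build fail on every other architecture. Keeping the tag next to the digest, as the comment's `FROM` line does, also lets dependency-update tooling bump both together when a new patch release appears.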


Security Enhancement: This upgrade from Python 3.14.0rc1-alpine to 3.14.0-alpine is a positive security improvement. Moving from a release candidate to the stable release ensures you're using a production-ready version with the latest security patches. The change addresses multiple OpenSSL vulnerabilities (CVE-2025-9230, CVE-2025-9231, CVE-2025-9232) that were present in the Alpine base image of the release candidate version.


💡 Best Practice Recommendation: Consider pinning to a more specific version tag for better reproducibility and security. Instead of using 3.14.0-alpine, consider using the full digest or a more specific tag like 3.14.0-alpine3.20 to ensure consistent builds across environments and prevent potential supply chain attacks. This helps prevent potential supply chain attacks and ensures consistent builds across different environments and time periods.


🔍 Testing Recommendation: Before merging, verify that Python 3.14.0 stable is fully compatible with your application dependencies. Since this upgrades from a release candidate to stable, there might be subtle behavioral differences. Run your test suite against this new base image to ensure compatibility, especially with packages that have native extensions.


# Define the working directory.
# Note: There is no code here; it is pulled from the repository by mounting
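Review bot: the new `FROM python:3.14.0-alpine` line still references a mutable tag, so the build is not reproducible and a re-push of that tag upstream would change the base image without any change appearing in this file; suggest adding the digest as well, e.g. `FROM python:3.14.0-alpine@sha256:<digest>`, keeping the tag for readability. The diff itself does not record why the upgrade is made; if the motivation is the OpenSSL fixes (CVE-2025-9230, CVE-2025-9231, CVE-2025-9232) discussed in the thread, noting that in the PR description or in a Dockerfile comment above the `FROM` line would help later audits.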