etienne

hey @jfutey You can reach out to the team through security@supabase.io. Our focus is to burn down potential risk without impacting performance and stability. This is done in a methodical manner, where each vulnerability is evaluated on reachability and actual risk. For example, if a scan reports [CVE-2023-24538](https://github.com/advisories/GHSA-v4m2-x4rp-hv22) – Go stdlib v1.18.2, as a critical, we will examine where and how Go is used in the image. And if the reported vulnerability is at all reachable in our use of the library. In the case of this particular CVE, we do not use templating anywhere or have any direct Go based processes in the Docker image. With exploitability determined to be zero, it pushes us towards evaluating the purpose of Go within the image and how we can remove it completely instead of focusing on an update. That leaves us at the current state, where the team is working on reducing the overall surface area of the Docker images, stripping down to the required minimum to have small, fast and secure images. We are behind on our targets for accomplishing this, but we do feel the effort put into ensuring this is done right outweighs any current risk within the Docker images.