I am using the following langgraph.json in my simple deployment:
...
"python_version": "3.13",
"image_distro": "wolfi",
...
However, the JFrog image scan shows several CVEs in the resulting image (which is also normal).
My question is: is it possible to fix the SHA of the base wolfi image?
Hello @cryoff, welcome to the LangChain community.
You cannot “fix” or pin the raw Wolfi base SHA through langgraph.json alone. You control the LangGraph platform image (api_version, base_image, image_distro) and your final application image (build flags, private registry + digest). For Cloud deployments, underlying OS updates are managed by the platform when you rebuild.
What you can pin today
- LangGraph API server version (recommended for reproducible builds):
{
"$schema": "https://langgra.ph/schema.json",
"dependencies": ["."],
"graphs": { "chat": "chat.graph:graph" },
"python_version": "3.13",
"image_distro": "wolfi",
"api_version": "0.3"
}
See Pinning API version. On Cloud, builds default to the latest stable server unless you set api_version.
- Parent LangGraph image via base_image (pins the LangGraph image, not the raw Wolfi distro):
{
"base_image": "langchain/langgraph-api:3.13"
}
Docs Reference
- Wolfi-Base-Image
- Configuration File
- Schema.JSON
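As an added illustration of the distinction drawn in this answer (not code from the thread, from LangChain, or from the LangGraph CLI): a small Python checker that reads a langgraph.json and reports which build inputs are actually pinned. It treats api_version as a pin, a base_image with an @sha256 digest as a pin, a base_image with only a tag as mutable, and image_distro as a distro selection whose OS layer cannot be pinned from this file. The image-reference parsing is a simplified version of Docker's reference rules, the sample config and the digest used in the usage block are constructed, and the field semantics follow the answer above.

```python
"""Audit a langgraph.json for build-reproducibility pins.

Added example, not LangGraph's own tooling. The keys checked are the ones
discussed in the thread: api_version, base_image, image_distro.
"""
import json
import re

# Assumption: only sha256 content digests are accepted (Docker's common case).
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample config, modelled on the thread's langgraph.json.
SAMPLE_CONFIG = """{
  "$schema": "https://langgra.ph/schema.json",
  "dependencies": ["."],
  "graphs": { "chat": "chat.graph:graph" },
  "python_version": "3.13",
  "image_distro": "wolfi",
  "base_image": "langchain/langgraph-api:3.13"
}"""


def parse_image_ref(ref):
    """Split an image reference into name, tag and digest.

    Simplified Docker rules: the digest follows '@'; the tag is the text after
    the last ':' only if no '/' follows it, so a registry port such as
    'registry.example.com:5000/app' is not mistaken for a tag.
    """
    name, _, digest = ref.partition("@")
    tag = None
    if ":" in name:
        head, _, tail = name.rpartition(":")
        if "/" not in tail:
            name, tag = head, tail
    if digest and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    return {"name": name, "tag": tag or None, "digest": digest or None}


def audit_config(cfg):
    """Return (pinned, warnings): two lists of human-readable findings."""
    pinned, warnings = [], []

    api_version = cfg.get("api_version")
    if api_version:
        pinned.append(f"api_version={api_version}: LangGraph API server version pinned")
    else:
        warnings.append("api_version missing: Cloud builds default to the latest stable server")

    base_image = cfg.get("base_image")
    if base_image:
        ref = parse_image_ref(base_image)
        if ref["digest"]:
            pinned.append(f"base_image {ref['name']} pinned by digest {ref['digest'][:19]}...")
        elif ref["tag"]:
            warnings.append(
                f"base_image tag '{ref['tag']}' is mutable: the image behind it can be rebuilt"
            )
        else:
            warnings.append("base_image has no tag or digest: resolves to 'latest'")

    distro = cfg.get("image_distro")
    if distro:
        warnings.append(
            f"image_distro={distro}: selects the distro family only; "
            "the OS layer digest is not pinnable from langgraph.json"
        )
    return pinned, warnings


def audit_json(text):
    """Convenience wrapper: audit a langgraph.json given as a string."""
    return audit_config(json.loads(text))


if __name__ == "__main__":
    pinned, warnings = audit_json(SAMPLE_CONFIG)
    for line in pinned:
        print("PINNED ", line)
    for line in warnings:
        print("WARNING", line)
    # Constructed digest, not a real image; shows what a fully pinned entry looks like.
    fake_digest = "sha256:" + "ab" * 32
    pinned, warnings = audit_config(
        {"api_version": "0.3", "base_image": f"langchain/langgraph-api:3.13@{fake_digest}"}
    )
    print("fully pinned:", not warnings, pinned)
```

Run it against your own file with `audit_json(open("langgraph.json").read())`; the sample config from the thread yields no pins and three warnings, which is exactly the situation the question describes.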
Thank you @keenborder786 for the answer!
Do you know the update policy for the image updates?
I am wondering because the images here (langchain/langgraph-api - Docker Image) have tags like 3.13-wolfi (which I think are used when langgraph build works), but the image itself is still subject to change.
Anyway, thank you for the extended answer. I will fix the api_version, so hopefully I will have more reproducible builds then.
@cryoff Unfortunately, I am not aware of the update policy for the image updates, but I am tagging @mdrxy from LangChain who might be aware of it.