dockerfilelint should not recommend against installing security updates by default about dockerfilelint HOT 4 OPEN

According to the Readme you can disable the rules via a config file, if you're bothered by the linter output.

There's a valid reason why it might not be desirable to use apt upgrade etc. By using those you won't know the exact version that gets installed, i.e. you have no version pinning. Therefore you can't get reproducible builds.

In the end, it will depend on what you're trying to achieve, I can think of use cases for both approaches.

from dockerfilelint.

Defaults shift behavior, especially for people who aren’t experts. I’d tend to think that it’d be better not to discourage installing security updates by default and letting the much smaller community of people trying for reproducible builds worry about that along with all of the other details they’re going to need to deal with.

from dockerfilelint.

The problem is also that you can't always upgrade some of the packages inside an unprivileged container.
The Docker documentation about best practices provides some insights, see here: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
Essentially, the recommendation is to use apt-get install -y foo to update automatically. The maintainers of dockerfilelint seem to adhere to the linked best practices, which I don't think is unreasonable.

from dockerfilelint.

@svl7 the above mentioned part of the Docker documentation was recently removed: docker/docs#12571

from dockerfilelint.