Will It Vibe logoWill It Vibe?
DOCKER-018Low severity-4 points

System package installed without a pinned version

Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

An apt/apk/yum install names packages with no version pin, so a rebuild can silently install a different version. Heuristic: version pinning is not always practical and can be noisy.

Why it matters

Installing system packages without a version pin means a rebuild can pull a newer package than the one you tested, so an image that built cleanly last month can behave differently today. This check is a heuristic: full version pinning is not always practical and this pattern is common, so it is low severity.

How to fix it

Where reproducibility matters, pin versions in the install (apt-get install -y pkg=1.2.3, apk add --no-cache pkg=1.2.3). Pinning every package can be high-maintenance, so prioritize the ones whose version actually affects your app, and rely on a pinned base image for the rest.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Architecture & Best Practices checks