In Minimus, the package update process is independent of the vulnerability patching process. A new package is built as soon as an update is detected upstream in the source code. Once a day, an updated image is built from all the latest packages available. As a result, all new features, vulnerability patches and bug fixes are available on a daily basis. Learn more about Minimus architecture

Advisory fix date vs. image fix date

The advisory fix date is based on the package fix date and it can differ from the image fix date. This can happen for several reasons. Below are a few examples of typical cases.

Package fixed but image build is still pending

Minimus packages are updated on a continuous basis that is independent from the vulnerability remediation process. As a result, package updates are published as soon as an update is available upstream. New images, on the other hand, are published on a daily basis. Consequently, an advisory may show the fixed status when the fixed package is already available but before the fixed image is released.

[Image: Advisory Pending Image Build]

Once the image is released, the changelog is updated accordingly. For example, the above image shows that CVE-2025-48924 was fixed in the Cassandra package on July 13 2025. The image below shows that the fixed image was released a few hours later, on July 14 2025. (Link to advisory and changelog.)

[Image: Image Fix Date]

Image fixed before the advisory was published

Coordinated disclosure and silent patching can result in an image fix date that is earlier than the advisory update. For example, Go v1.24.4 released a silent patch for CVE-2025-22874. Here is the order of events:

| Date | Event |
| --- | --- |
| June 5 2025 | Go package version 1.24 was released (version 1.24.4-r0). See Go tag release notice. |
| June 8 2025 | Minimus released the updated Go image v1.24.4 with the timestamp tag 1.24.4-202506080715. See Go image digest history. |
| June 11 2025 | CVE-2025-22874 was published by the Go vulnerability database and NVD. At the time that the advisory was published, the Minimus Go image was already fixed. |
| June 15 2025 | The last update time for the Minimus advisory for CVE-2025-22874. It shows the fixed package version and image version information. See Minimus advisory for CVE-2025-22874. The date comes from the advisory, not the fix date of the package or the image, which were earlier. |

In this case, the Minimus image changelog was retroactively updated to show the information about the fixed vulnerability. The fix date for CVE-2025-22874 is shown as June 8 2025, the original release date of the image, 4 days before the CVE was published. See changelog for Go v.1.24.

The above example is known as a “silent fix” or “silent patch” because the fix predates the vulnerability disclosure. This means the fixed package is released before the vulnerability advisory is publicly disclosed. Since Minimus publishes image updates as soon as package updates are available, this guarantees that the fixed image is available to you before the advisory is publicly disclosed.

Coordinated disclosure with a silent fix happens when a vulnerability is confidentially reported to the project maintainers, allowing them to develop and release the fix before the vulnerability is made public. The fixed image is “silently” published several days ahead of the advisory to give users time to upgrade and narrow the window for exploitation by bad actors.
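The two cases on this page (fixed package with the image build still pending, and an image fixed before the advisory was published) can be told apart from an image's timestamp tag. The sketch below is an added example, not Minimus code: it assumes the tag suffix is YYYYMMDDHHMM in UTC (inferred from 1.24.4-202506080715), and the function names and the older deployed tag are constructed for illustration.

```python
from datetime import date, datetime, timezone


def tag_build_time(tag: str) -> datetime:
    """Parse the build time out of a timestamp tag such as 1.24.4-202506080715.

    Assumption: the suffix after the last '-' is YYYYMMDDHHMM in UTC.
    """
    version, _, stamp = tag.rpartition("-")
    if not version or len(stamp) != 12 or not stamp.isdigit():
        raise ValueError(f"not a timestamp tag: {tag!r}")
    return datetime.strptime(stamp, "%Y%m%d%H%M").replace(tzinfo=timezone.utc)


def classify(deployed_tag, fixed_image_tag, cve_published):
    """Relate a deployed image to the first fixed image and the CVE publication date.

    fixed_image_tag is None while the advisory shows a fixed package but no
    fixed image has been released yet. cve_published is None before disclosure.
    """
    deployed = tag_build_time(deployed_tag)
    if fixed_image_tag is None:
        return "package fixed, image build pending"
    fixed = tag_build_time(fixed_image_tag)
    if deployed < fixed:
        return "deployed image predates the fix: upgrade"
    if cve_published is not None and fixed.date() < cve_published:
        return "fixed (silent fix: image predates disclosure)"
    return "fixed"


# Values from the timeline above.
FIXED_GO_TAG = "1.24.4-202506080715"
CVE_PUBLISHED = date(2025, 6, 11)
# Constructed sample: an older deployment, not a real Minimus tag.
OLD_GO_TAG = "1.24.3-202506010700"

if __name__ == "__main__":
    for deployed in (OLD_GO_TAG, FIXED_GO_TAG):
        print(deployed, "->", classify(deployed, FIXED_GO_TAG, CVE_PUBLISHED))
    print(OLD_GO_TAG, "->", classify(OLD_GO_TAG, None, None))
```

Comparing build times rather than advisory dates is the point: the advisory's last-update date (June 15 2025 in the table) says nothing about when the fixed image became available.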