The customer needs to use the latest available stacks (such as tiny, base, ...) to pick up the most recent CVE fixes.
Using the Tiny Stack as an example: the customer tried to update the Tanzu Tiny Stack for Ubuntu 22.04 from v0.1.97 to v0.1.109 with the command "kp clusterstack update <stack-name> --build-image <location of build-image> --run-image <location of run-image>". However, when checking the clusterstack with "kubectl get clusterstack tiny-jammy -o yaml", it still shows v0.1.97.
Because the customer used the TAP profile-based installation, the ClusterStack is owned by the carvel package that installed it. Any manual change to the pre-defined builders or stacks is only temporary: the package reconciler eventually reverts and overwrites it. Upgrading the stacks individually through the "kp" CLI is therefore no longer possible.
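As an added example (not part of the original article), the following POSIX shell script performs the two checks a support engineer would want before advising on this symptom: it reads the stack version from the ClusterStack's build image tag, compares it with the version the "kp clusterstack update" was meant to set, and checks whether the object carries a kapp label, which indicates it is owned by a carvel package and that manual edits will be reconciled away. The YAML, registry paths, label value and the assumption that the stack version is the image tag are all constructed for illustration; on a live cluster the input is the output of "kubectl get clusterstack tiny-jammy -o yaml".

```shell
#!/bin/sh
# Added example: verify whether a ClusterStack actually moved to the requested
# stack version, and whether it is owned by a carvel (kapp) package.
# The sample YAML below is constructed; image paths and label values are
# illustrative, not real registry locations.

SAMPLE_CLUSTERSTACK_YAML=$(cat <<'EOF'
apiVersion: kpack.io/v1alpha2
kind: ClusterStack
metadata:
  name: tiny-jammy
  labels:
    kapp.k14s.io/app: "1700000000000000000"
spec:
  id: io.buildpacks.stacks.jammy.tiny
  buildImage:
    image: registry.example.com/tanzu-stacks/tiny-jammy-build:0.1.97
  runImage:
    image: registry.example.com/tanzu-stacks/tiny-jammy-run:0.1.97
status:
  buildImage:
    latestImage: registry.example.com/tanzu-stacks/tiny-jammy-build@sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
)

# Print the tag of spec.buildImage.image from ClusterStack YAML read on stdin.
# Assumes (as in this article) that the stack version is the image tag; a
# digest suffix is stripped first, and an untagged reference is reported as
# "latest", the registry default.
stack_tag_from_yaml() {
  awk '
    /^spec:/   { in_spec = 1 }
    /^status:/ { in_spec = 0 }
    in_spec && /^[ \t]*buildImage:/ { want = 1; next }
    in_spec && want && /^[ \t]*image:/ {
      sub(/^[ \t]*image:[ \t]*/, "")
      sub(/@.*$/, "")
      n = split($0, parts, ":")
      if (n > 1) print parts[n]; else print "latest"
      exit
    }
  '
}

# Compare the tag in the cluster with the version you asked kp to set.
# Returns 0 when they match, 1 when the update has not taken effect.
verify_stack_version() {
  expected="$1"; yaml="$2"
  actual=$(printf '%s\n' "$yaml" | stack_tag_from_yaml)
  if [ "$actual" = "$expected" ]; then
    echo "clusterstack is at $actual (expected $expected): OK"
    return 0
  fi
  echo "clusterstack is at $actual, expected $expected: update did not take effect"
  return 1
}

# Return 0 if the object carries a kapp ownership label. kapp labels every
# resource it deploys with kapp.k14s.io/app, so a match means a carvel package
# (here, the TAP profile) owns the ClusterStack and will overwrite manual changes.
managed_by_kapp() {
  printf '%s\n' "$1" | grep -q 'kapp\.k14s\.io/app'
}

# Demo on the constructed YAML: the stack still reports 0.1.97 after asking
# for 0.1.109, and the object is kapp-managed, which explains the revert.
verify_stack_version 0.1.109 "$SAMPLE_CLUSTERSTACK_YAML" || true
if managed_by_kapp "$SAMPLE_CLUSTERSTACK_YAML"; then
  echo "clusterstack is owned by a carvel package; kp edits will be reconciled away"
fi
```

Against a live cluster, replace the sample variable with `kubectl get clusterstack tiny-jammy -o yaml` piped into `stack_tag_from_yaml`. If the version is wrong and the kapp label is present, the fix is one of the two package-level options described below rather than another `kp clusterstack update`.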
There are two options to update the stack:
Option 1: Upgrade the full dependencies package or upgrade TAP version.
Suggest that the customer run "tanzu package repository list --namespace tap-install", and
Option 2: Use the dependency updater for automatic dependency updates.
When the dependency updater is used, the stack version is no longer controlled by the full-deps package; the deps-updater always moves it to the latest available version. The dependency updater is released roughly as soon as new stacks are released, and it can be configured to update stacks only, or both buildpacks and stacks.
For details, please refer to the doc: https://techdocs.broadcom.com/us/en/vmware-tanzu/standalone-components/tanzu-application-platform/1-12/tap/tanzu-build-service-dependencies.html#update-out-of-band