From 5a1aad21211b0da8468847f1bc27ee8103f4fc3c Mon Sep 17 00:00:00 2001 From: Zack Koppert Date: Thu, 5 Mar 2026 09:18:02 -0800 Subject: [PATCH] fix: harden pip install against supply chain attacks - Expand requirements.txt via pip-compile to pin all transitive dependencies - Add --no-deps to Dockerfile pip install to prevent runtime dep resolution Resolves pip-install-no-hash-check security alert. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- Dockerfile | 2 +- requirements.txt | 29 ++++++++++++++++++++++++++++- 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4d54ad1..d319024 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,7 +16,7 @@ LABEL com.github.actions.name="contributors" \ WORKDIR /action/workspace COPY requirements.txt *.py /action/workspace/ -RUN python3 -m pip install --no-cache-dir -r requirements.txt \ +RUN python3 -m pip install --no-cache-dir --no-deps -r requirements.txt \ && apt-get -y update \ && apt-get -y install --no-install-recommends git=1:2.47.3-0+deb13u1 \ && rm -rf /var/lib/apt/lists/* diff --git a/requirements.txt b/requirements.txt index 24dd6ed..24e4f37 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,30 @@ -github3.py==4.0.1 +certifi==2026.2.25 + # via requests +cffi==2.0.0 + # via cryptography +charset-normalizer==3.4.4 + # via requests +cryptography==46.0.5 + # via pyjwt +github3-py==4.0.1 + # via -r requirements.txt +idna==3.11 + # via requests +pycparser==3.0 + # via cffi +pyjwt==2.11.0 + # via github3-py +python-dateutil==2.9.0.post0 + # via github3-py python-dotenv==1.2.1 + # via -r requirements.txt requests==2.32.5 + # via + # -r requirements.txt + # github3-py +six==1.17.0 + # via python-dateutil +uritemplate==4.2.0 + # via github3-py +urllib3==2.6.3 + # via requests