fix: include transitive dependencies to harden against supply chain attacks#435
Expand requirements.txt to include all transitive dependencies (via pip-compile) and use --no-deps in the Dockerfile to prevent pip from fetching any packages not explicitly listed. This resolves code scanning alert #133 by ensuring only explicitly pinned packages are installed, mitigating supply chain risks from unexpected transitive dependency resolution. The fully-resolved requirements.txt remains dependabot-friendly since each pin can be updated independently. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Pins all Python dependencies (including transitive ones) in requirements.txt and updates the container build to install only those pinned packages, reducing exposure to dependency-resolution changes during builds.
Changes:
- Expanded `requirements.txt` to include explicitly pinned transitive dependencies (pip-compile style output).
- Updated Docker build to install Python packages with `pip --no-deps` to prevent dynamic dependency resolution.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| requirements.txt | Replaces a short dependency list with a fully pinned set of direct + transitive dependencies. |
| Dockerfile | Enforces `pip install --no-deps` so only explicitly pinned packages are installed during image build. |
| COPY requirements.txt *.py /action/workspace/ | ||
| RUN python3 -m pip install --no-cache-dir -r requirements.txt \ | ||
| RUN python3 -m pip install --no-cache-dir --no-deps -r requirements.txt \ |
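Review bot: With `--no-deps` on this `RUN` line, pip no longer fails when a listed package's own requirements are absent, so a lock file that is missing a transitive dependency still yields a green build and only surfaces as an ImportError at runtime; add `python3 -m pip check` as a step after the install so the image build fails instead. Note also that an `==` pin fixes the version string but not the artifact: a compromised or substituted index can serve different bytes under the same version, so for the supply-chain goal stated in the title, generate the lock with `pip-compile --generate-hashes` and install with `--require-hashes` alongside `--no-deps`.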
Because --no-deps is now enforced, the Docker build will no longer resolve any missing/conditional transitive dependencies. To keep builds reliable, ensure requirements.txt is generated for the same interpreter/platform as this image (Python 3.14 slim) so any version-marker differences are captured in the lock file.
| RUN python3 -m pip install --no-cache-dir --no-deps -r requirements.txt \ | |
| RUN python3 -m pip install --no-cache-dir -r requirements.txt \ |
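Review bot: This suggestion drops `--no-deps` again, which reverts the fix rather than addressing the concern raised above it (a lock file resolved for a different interpreter or platform than the image). That concern is better handled by generating `requirements.txt` inside a container built from the same base image the Dockerfile uses, so that any environment-marker differences are captured in the lock, while keeping `--no-deps` in the install line.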
I think we're good. @zkoppert your change here is the whole point of the change. You're handling it with the requirements.txt changes.
Resolves https://github.com/github-community-projects/stale-repos/security/code-scanning/133
Changes
- Expanded `requirements.txt` to include all transitive dependencies (generated via `pip-compile`) so every installed package is explicitly pinned
- Added `--no-deps` to the `pip install` command in the Dockerfile to prevent pip from resolving transitive dependencies at build time

Why
Without `--no-deps`, pip resolves and fetches transitive dependencies dynamically during the Docker build, which opens the door to supply chain attacks if a dependency is compromised between builds. With all deps pinned in `requirements.txt` and `--no-deps` enforced, only explicitly listed packages are installed.

Dependabot compatibility
Since all dependencies (including transitive) are listed directly in `requirements.txt`, dependabot can still detect and update each pin individually, with no separate hashed file to maintain.

Testing
- Ran `make test` locally. All 45 repo tests pass with 95% code coverage (above the 80% threshold).
- `--no-deps` install: Created a fresh Python virtual environment, ran `pip install --no-deps -r requirements.txt`, and confirmed all 14 packages installed successfully with no missing dependency errors.
- After the `--no-deps` install, verified that every module the application uses (`github3`, `dateutil`, `dotenv`, `requests`, `certifi`, `urllib3`, `six`, `uritemplate`, `idna`, `charset_normalizer`, `cffi`, `cryptography`, `jwt`, `pycparser`) imports successfully, confirming no transitive dependencies are missing from `requirements.txt`.
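The property the "Why" and "Testing" sections rely on, that every line in `requirements.txt` is an exact pin and that the pinned set is closed under dependencies so `--no-deps` leaves nothing out, can be checked offline before the Docker build rather than discovered by a manual import test. The following is an added example written for this review; it is not code from the stale-repos project. The requirements text, the version numbers and the `GRAPH` dependency map are constructed for illustration (in practice the map would be read from each wheel's `Requires-Dist` metadata), and the `check_lock` / `missing_transitives` helpers are hypothetical names.

```python
"""Offline sanity checks for a ``pip install --no-deps`` lock file.

Added example, not code from the stale-repos project.  The requirements
text, the version numbers and the dependency graph below are constructed
for illustration; in practice the graph comes from each wheel's
Requires-Dist metadata (e.g. via importlib.metadata inside the built image).
"""
import re
from typing import Dict, Iterable, List, Set

# One pip-compile style requirement: name, optional extras, exact pin, optional marker.
_PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==(?P<version>[^\s;]+)"
    r"(\s*;\s*(?P<marker>.+))?$"
)


def normalize(name: str) -> str:
    """PEP 503 name normalization: 'charset_normalizer' and 'Charset-Normalizer' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> Dict[str, str]:
    """Return {normalized name: version}, rejecting anything that is not an exact '==' pin.

    Under --no-deps pip installs exactly the listed lines, so a range such as
    'requests>=2' or a bare name would quietly reintroduce resolution at build time.
    """
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        # Drop pip-compile's '# via ...' comments and the trailing '\' of hash continuations.
        line = raw.split("#", 1)[0].strip().rstrip("\\").strip()
        if not line or line.startswith("-"):  # blank, or an option such as --hash / --index-url
            continue
        m = _PIN_RE.match(line)
        if m is None:
            raise ValueError(f"not an exact pin: {line!r}")
        name = normalize(m.group("name"))
        if name in pins:
            raise ValueError(f"duplicate pin for {name}")
        pins[name] = m.group("version")
    return pins


def is_fully_pinned(text: str) -> bool:
    """True when every requirement line is an exact pin (what --no-deps relies on)."""
    try:
        parse_pins(text)
    except ValueError:
        return False
    return True


def missing_transitives(pins: Dict[str, str], graph: Dict[str, Iterable[str]]) -> List[str]:
    """Names required by a pinned package but absent from the lock file.

    Anything returned here is exactly what --no-deps would leave out of the image:
    the build succeeds and the failure surfaces as an ImportError at runtime.
    One level is checked per call; once the reported names are pinned, their own
    requirements are covered by the next run.
    """
    requires = {normalize(k): [normalize(d) for d in v] for k, v in graph.items()}
    missing: Set[str] = set()
    for pkg in pins:
        for dep in requires.get(pkg, []):
            if dep not in pins:
                missing.add(dep)
    return sorted(missing)


def check_lock(text: str, graph: Dict[str, Iterable[str]]) -> List[str]:
    """Parse a lock file and return the names it is missing (empty list == safe for --no-deps)."""
    return missing_transitives(parse_pins(text), graph)


# Constructed sample in the shape of pip-compile output for this project's 14 packages.
# Versions are illustrative placeholders, not the PR's actual pins; the hash is a dummy.
FULL_LOCK = """\
# This file is autogenerated by pip-compile
certifi==2024.2.2
    # via requests
cffi==1.16.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
charset-normalizer==3.3.2
cryptography==42.0.5
github3.py==4.0.1
idna==3.6
pycparser==2.21
pyjwt[crypto]==2.8.0
python-dateutil==2.9.0.post0
python-dotenv==1.0.1
requests==2.31.0
six==1.16.0
uritemplate==4.1.1
urllib3==2.2.1
"""

# Constructed: the direct-dependencies-only file that the PR replaces.
DIRECT_ONLY = """\
github3.py==4.0.1
python-dateutil==2.9.0.post0
python-dotenv==1.0.1
requests==2.31.0
"""

# Constructed, simplified dependency map (Requires-Dist reduced to names).
GRAPH = {
    "github3.py": ["PyJWT", "python-dateutil", "requests", "uritemplate"],
    "requests": ["certifi", "charset_normalizer", "idna", "urllib3"],
    "python-dateutil": ["six"],
    "pyjwt": ["cryptography"],  # the pyjwt[crypto] extra
    "cryptography": ["cffi"],
    "cffi": ["pycparser"],
}

if __name__ == "__main__":
    print("full lock missing:", check_lock(FULL_LOCK, GRAPH))      # []
    print("direct-only missing:", check_lock(DIRECT_ONLY, GRAPH))  # 7 names, certifi ... urllib3
```

Run against the real file, the parser alone catches a regression back to an unpinned line (which `--no-deps` would otherwise install without complaint), and the closure check reproduces the PR's manual "import every module" test mechanically: the direct-only file reports the seven transitive names that `--no-deps` would have left out of the image.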