
security: pin all Python dependencies to exact versions#444

Merged: neoneye merged 1 commit into main from fix/pin-all-dependencies, Mar 29, 2026

Conversation


@neoneye neoneye commented Mar 29, 2026

Summary

  • Pin all 17 remaining unpinned Python dependencies (using >=) to exact versions (==)
  • Prevents supply chain attacks where a compromised package version auto-installs on next deploy
  • Dependabot continues to propose version bumps via PRs, so updates are still easy to review

Files changed

| File | Deps pinned | Examples |
| --- | --- | --- |
| frontend_multi_user/pyproject.toml | 12 | flask, authlib, stripe, gunicorn, etc. |
| worker_plan/pyproject.toml | 1 | json_repair |
| worker_plan_database/requirements.txt | 4 | flask-sqlalchemy, psycopg2-binary, etc. |
| open_dir_server/requirements.txt | 1 | python-multipart |

Motivation

The recent litellm supply chain attack (compromised version live for ~3 hours) highlighted the risk of >= constraints. With >=, any pip install or Docker build silently pulls the latest version — including a malicious one. Exact pins ensure only reviewed versions are installed.

Test plan

  • CI passes
  • Verify Railway deployment still works after merge

🤖 Generated with Claude Code

Replace >= constraints with == pins across 4 files to prevent
supply chain attacks (a malicious package version auto-installing
on next deploy/build).

- frontend_multi_user/pyproject.toml: 12 deps pinned
- worker_plan/pyproject.toml: json_repair pinned
- worker_plan_database/requirements.txt: 4 deps pinned
- open_dir_server/requirements.txt: python-multipart pinned

Dependabot will still propose version bumps via PRs, so updates
remain easy to review and approve individually.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@neoneye neoneye merged commit e8bf85c into main Mar 29, 2026
3 checks passed
@neoneye neoneye deleted the fix/pin-all-dependencies branch March 29, 2026 13:54
