Skip to content

fix: pin critical package versions for security #267

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

fix: pin critical package versions for security #267

wants to merge 1 commit into from
+430 −251

Conversation

krljakob
Copy link

@krljakob krljakob commented Jul 2, 2025

  • Pin versions for 18 security-critical packages across 90 projects
  • Focus on high-impact packages: streamlit, openai, anthropic, requests, etc.
  • Addresses supply chain security vulnerabilities from unpinned dependencies
  • Maintains compatibility with existing functionality

Security packages pinned:

  • streamlit==1.41.1 (CVE prevention)
  • openai==1.58.1 (API security)
  • anthropic==0.39.0 (API security)
  • requests==2.32.3 (HTTP security)
  • urllib3==2.2.3 (URL parsing security)
  • pydantic==2.10.5 (data validation)
  • sqlalchemy==2.0.36 (SQL injection prevention)
  • pillow==11.0.0 (image processing security)

This is the first step in securing the repository's dependency chain.

@ursisterbtw
fix: pin critical package versions for security
c070ed9 
- Pin versions for 18 security-critical packages across 90 projects
- Focus on high-impact packages: streamlit, openai, anthropic, requests, etc.
- Addresses supply chain security vulnerabilities from unpinned dependencies
- Maintains compatibility with existing functionality

Security packages pinned:
- streamlit==1.41.1 (CVE prevention)
- openai==1.58.1 (API security)
- anthropic==0.39.0 (API security)
- requests==2.32.3 (HTTP security)
- urllib3==2.2.3 (URL parsing security)
- pydantic==2.10.5 (data validation)
- sqlalchemy==2.0.36 (SQL injection prevention)
- pillow==11.0.0 (image processing security)

This is the first step in securing the repository's dependency chain.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@krljakob @Shubhamsaboo @ursisterbtw