fix(deps): add pip-tools lockfile with hash pinning - VC-53681 [Logos] (#199)

ndevarapalli-panw · web-flow · commit 5de41a8a8452 · 2026-06-17T13:48:09.000-07:00
* fix(deps): add pip-tools lockfile with hash pinning — VC-53681

Introduces requirements.in and requirements-build.in as pip-tools source
manifests. requirements.txt and requirements-build.txt are now fully
hash-pinned lockfiles generated with pip-compile --generate-hashes,
covering all transitive dependencies with SHA-256 hashes.

Generated using Python 3.9 to ensure compatibility with the project's
supported Python versions (3.9, 3.10). No package versions were changed —
this purely adds auditability of transitive dependencies.

* deps: address review feedback and fix safety regression

* deps: address follow-up review findings
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1,2 @@
+requirements.txt linguist-generated=true
+requirements-build.txt linguist-generated=true
diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,11 @@
-FROM python:3
+FROM python:3.9-slim
 
 WORKDIR /usr/src/app
 
-COPY requirements.txt ./
 COPY requirements-build.txt ./
 COPY docker-entrypoint.sh ./
-RUN pip install --no-cache-dir -r requirements.txt
-RUN pip install --no-cache-dir -r requirements-build.txt
+RUN pip install --no-cache-dir --require-hashes -r requirements-build.txt
 
 COPY . .
 
-CMD [ "./docker-entrypoint.sh" ]
+CMD [ "./docker-entrypoint.sh" ]
diff --git a/Makefile b/Makefile
@@ -1,5 +1,15 @@
 .EXPORT_ALL_VARIABLES:
 PYTHONPATH=./:$PYTHONPATH
+PIP_TOOLS_VERSION=7.5.3
+
+.PHONY: lock test publish
+
+lock:
+	docker run --rm -v "$$(pwd)":/work -w /work python:3.9 \
+	  sh -c "pip install pip-tools==$(PIP_TOOLS_VERSION) && \
+	         pip-compile --generate-hashes --output-file requirements.txt requirements.in && \
+	         pip-compile --generate-hashes --output-file requirements-build.txt requirements-build.in && \
+	         chown $$(id -u):$$(id -g) requirements.txt requirements-build.txt"
 
 test:
 	docker build -t vcert-tests .
diff --git a/README.md b/README.md
@@ -105,6 +105,14 @@ NOTE: While developing with vcert-python, it is helpful if you are using a virtu
 install the vcert-python library from source in development mode with `pip install --editable`.
 See https://packaging.python.org/guides/installing-using-pip-and-virtual-environments/
 
+### Managing dependencies
+
+`requirements.txt` and `requirements-build.txt` are generated by [pip-tools](https://github.com/jazzband/pip-tools) and contain hash-pinned transitive dependencies. Do not edit them directly. To add or update a dependency:
+
+1. Edit `requirements.in` (runtime) or `requirements-build.in` (build/test)
+2. Run `make lock` to regenerate the lockfiles (requires Docker)
+3. Commit both the `.in` and `.txt` files together
+
 ## Version History
 
 [Check version history here](https://github.com/Venafi/vcert-python/blob/master/docs/version_history.md)
diff --git a/requirements-build.in b/requirements-build.in
@@ -0,0 +1,5 @@
+-r requirements.in
+pytest==7.4.3
+pytest-cov==4.1.0
+safety==2.3.5
+bandit==1.7.7
diff --git a/requirements-build.txt b/requirements-build.txt
diff --git a/requirements.in b/requirements.in
@@ -0,0 +1,6 @@
+requests==2.32.4
+python-dateutil==2.8.2
+cryptography==45.0.7
+six==1.17.0
+ruamel.yaml==0.18.13
+pynacl==1.5.0
diff --git a/requirements.txt b/requirements.txt

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+requirements.txt linguist-generated=true`
	`2`	`+requirements-build.txt linguist-generated=true`