build: add uv exclude-newer, pip uploaded-prior-to and Dependabot cooldown as supply chain guardrails #11170
…uardrails Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Coverage Report for CI Build 24773716980
Coverage increased (+0.01%) to 92.857%
Uncovered Changes: No uncovered changes found.
Coverage Regressions: No coverage regressions found.
💛 - Coveralls
Extends the supply chain hardening by passing --uploaded-prior-to P1D (pip 26.1 relative duration format) to every pip install <packages> command across CI workflows, so packages published within the last 24 hours are excluded at install time. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pip 26.0 introduced |
pip 26.1 requires the value to be joined with = rather than a space for the relative duration format to be parsed correctly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
P1D relative duration requires pip>=26.1 (latest as of this commit). CI runners ship with older pip, so each install step now upgrades pip first to ensure the flag is recognised. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| --- | ||
| security: | ||
| - | | ||
| Haystack's uv configuration now excludes packages published within the last | ||
| 24 hours when resolving dependencies, reducing exposure to supply chain | ||
| attacks via freshly compromised packages. If you need to install a dependency | ||
| that was published less than 24 hours ago, you can override this by running | ||
| ``uv sync --exclude-newer="0 days"`` or | ||
| ``uv pip install <package> --exclude-newer="0 days"``. |
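Review bot: the first sentence says the exclusion applies "when resolving dependencies" without saying whose resolution is affected. A uv setting kept in this repository's configuration governs uv runs inside a checkout of the repository, so the note should name that audience (people resolving or installing from source), or be dropped if that audience is too narrow for a release note.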
I'm not sure that this is relevant for users. Or at least, only for those who install from main.
WDYT?
I'd say that a user doing pip install haystack-ai would still install the latest version of dependencies. So I'd remove the release note.
Is my interpretation correct?
pip install haystack-ai would still install the latest version of dependencies, correct. I am fine with removing the release note. 👍
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Code review

Issue: Supply chain gap — Every job modified in this PR upgrades pip before the

# .github/workflows/tests.yml (and 12 other workflow files)
python -m pip install --upgrade pip # ← unguarded
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D

If an attacker publishes a malicious pip release within the last 24 hours, the compromised pip is installed by the first line — and then handles all subsequent

See: haystack/.github/workflows/tests.yml Lines 79 to 82 in 15e7a99

Suggested fix: Add

python -m pip install --upgrade pip --uploaded-prior-to=P1D
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D

This pattern should be applied consistently across all 13 modified workflow files.

Checked for bugs and CLAUDE.md compliance. No other issues found.
I considered this even before this automated code review. However, the most recent pip version is required BEFORE we use the
anakin87 left a comment
I'd remove the release note.
Then feel free to merge.
Thank you!
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Related Issues
Supply chain attacks increasingly target the window between a package being compromised and defenders noticing. A 24-hour age requirement means that even if a dependency is compromised and a malicious version is published, it won't automatically land in a uv lock run or a Dependabot PR within that window.
Changes
Hardens the haystack-ai package against supply chain attacks by introducing three complementary dependency age guardrails.
pyproject.toml — uv exclude-newer guardrail:
- exclude-newer = "24 hours" under [tool.uv], which tells uv to ignore any package version published within the last 24 hours during resolution. This prevents a freshly-compromised or typosquatted package version from being picked up at install/lock time.
- exclude-newer-package exemptions for first-party packages (haystack-experimental, haystack-pydoc-tools) so freshly-published releases of our own packages are always resolvable.
- uv lock/uv sync time — no manual date updates needed. See uv dependency cooldowns docs for details.
.github/dependabot.yml — Dependabot cooldown:
- pip ecosystem entry so Dependabot tracks Python dependencies.
- cooldown.default-days: 1 to both pip and github-actions entries, so Dependabot won't open bump PRs for versions published less than 1 day ago — matching the uv window.
--uploaded-prior-to — pip guardrail:
- Add --uploaded-prior-to P1D to all pip install commands in CI workflows (pip 26.1+), so packages uploaded within the last 24 hours are skipped at install time. I had to upgrade pip in CI, otherwise the relative duration won't be picked up correctly because that was only introduced in pip 26.1.
How did you test it?
Upgraded uv and hatch and pip locally. Confirmed that the added parameter has the effect that more recent releases are not installed.
No functional code changes. This only affects dependency resolution behavior.
Notes for the reviewer
I added a release note mentioning the changes to pyproject.toml only because that's the only change that directly affects users. Does that sound good to you?
Checklist
fix:, feat:, build:, chore:, ci:, docs:, style:, refactor:, perf:, test: and added ! in case the PR includes breaking changes.
🤖 Generated with Claude Code
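The automated review in this thread points at pip install lines that lack the age guard, and one commit message says the value must be joined with = for the relative duration to parse. The following is an added example, not code from this PR or from Haystack: a small auditor that classifies workflow commands accordingly. The sample lines, the function names and the pytest line are constructed for illustration; only the flag name and the two hatch/pip commands come from the thread.

```python
import re
import shlex

FLAG = "--uploaded-prior-to"  # flag name as used in this PR

# Constructed sample of workflow `run:` commands, modelled on those quoted above.
SAMPLE = """\
python -m pip install --upgrade pip
pip install hatch==${{ env.HATCH_VERSION }} --uploaded-prior-to=P1D
pip install pytest --uploaded-prior-to P1D
python -m pip install --upgrade pip --uploaded-prior-to=P1D
echo "pip install is only mentioned here"
"""

# Matches `pip install`, `pip3 install` and `python -m pip install` at command start.
PIP_INSTALL = re.compile(r"^(?:python3?\s+-m\s+)?pip3?\s+install\b")


def classify(command: str) -> str:
    """Return 'not-pip', 'guarded', 'space-separated' or 'unguarded'."""
    command = command.strip()
    if not PIP_INSTALL.match(command):
        return "not-pip"
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = command.split()
    # Guarded only when the value is attached with '=' and is non-empty.
    if any(t.startswith(FLAG + "=") and len(t) > len(FLAG) + 1 for t in tokens):
        return "guarded"
    # Flag present as its own token: value was passed after a space.
    if FLAG in tokens:
        return "space-separated"
    return "unguarded"


def audit(text: str):
    """Return (line number, verdict, command) for every command needing review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for part in re.split(r"&&|;", line):  # handle chained commands
            verdict = classify(part)
            if verdict in ("unguarded", "space-separated"):
                findings.append((lineno, verdict, part.strip()))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding on the pip bootstrap line is a prompt to decide deliberately whether that step can carry the guard, not an automatic failure.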