Pin dependencies

Author: renovate[bot]

.github/workflows/ci.yml

@@ -8,7 +8,7 @@ jobs:
       # Label used to access the service container
       db:
         # Docker Hub image
-        image: postgres:12.22
+        image: postgres:12.22@sha256:2f2a8c2a7d10862e7fba2602e304523554f9df8244c632dafe2628ccb398fb5c
         # Set health checks to wait until postgres has started
         options: >-
           --health-cmd pg_isready
@@ -23,7 +23,7 @@ jobs:
           - 5432:5432
 
       redis:
-        image: redis:8.2.2
+        image: redis:8.2.2@sha256:4521b581dbddea6e7d81f8fe95ede93f5648aaa66a9dacd581611bf6fe7527bd
         ports:
           - 6379:6379
 
@@ -37,7 +37,7 @@ jobs:
         run: cat Aptfile | sudo xargs apt-get install
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
           enable-cache: true
 

Dockerfile

@@ -1,6 +1,6 @@
 # hadolint global ignore=SC2046,DL3002,DL3008,DL3025,DL3042,DL4006
 
-FROM python:3.12-slim AS base
+FROM python:3.12-slim@sha256:520153e2deb359602c9cffd84e491e3431d76e7bf95a3255c9ce9433b76ab99a AS base
 LABEL maintainer "ODL DevOps <mitx-devops@mit.edu>"
 
 # Add package files, install updated node and pip
@@ -35,7 +35,7 @@ ENV  \
 ENV PATH="/opt/venv/bin:$PATH"
 
 # Install uv
-COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /usr/local/bin/
+COPY --from=ghcr.io/astral-sh/uv:latest@sha256:240fb85ab0f263ef12f492d8476aa3a2e4e1e333f7d67fbdd923d00a506a516a /uv /uvx /usr/local/bin/
 
 # Install Chromium (commented out lines illustrate the syntax for getting specific chromium versions)
 RUN echo "deb http://deb.debian.org/debian/ sid main" >> /etc/apt/sources.list \

Dockerfile.watch

@@ -1,4 +1,4 @@
-FROM node:24.13
+FROM node:24.13@sha256:00e9195ebd49985a6da8921f419978d85dfe354589755192dc090425ce4da2f7
 
 # Install Playwright system dependencies
 RUN apt-get update && apt-get install -y \

docker-compose.opensearch.base.yml

@@ -1,6 +1,6 @@
 services:
   opensearch:
-    image: opensearchproject/opensearch:3.3.0
+    image: opensearchproject/opensearch:3.3.0@sha256:d96afaf6cbd2a6a3695aeb2f1d48c9a16ad5c8918eb849e5cbf43475f0f8e146
     environment:
       - "cluster.name=opensearch-cluster"
       - "bootstrap.memory_lock=true" # along with the memlock settings below, disables swapping

docker-compose.services.yml

@@ -10,7 +10,7 @@ services:
   db:
     profiles:
       - backend
-    image: postgres:16
+    image: postgres:16@sha256:760ea41aae126965bedd587d35a23de37447bb13a6ac4444bef6ff73b8b72234
     healthcheck:
       test: ["CMD", "pg_isready"]
       interval: 3s
@@ -30,7 +30,7 @@ services:
   redis:
     profiles:
       - backend
-    image: redis:8.2.2
+    image: redis:8.2.2@sha256:4521b581dbddea6e7d81f8fe95ede93f5648aaa66a9dacd581611bf6fe7527bd
     healthcheck:
       test: ["CMD", "redis-cli", "ping", "|", "grep", "PONG"]
       interval: 3s
@@ -39,7 +39,7 @@ services:
     ports:
       - "6379"
   qdrant:
-    image: qdrant/qdrant:latest
+    image: qdrant/qdrant:latest@sha256:94728574965d17c6485dd361aa3c0818b325b9016dac5ea6afec7b4b2700865f
     ports:
       - "6333:6333"
     volumes:
@@ -67,12 +67,12 @@ services:
   tika:
     profiles:
       - backend
-    image: apache/tika:2.5.0
+    image: apache/tika:2.5.0@sha256:d680d1d7136f35de43294e7b80ac495da463f069b0f1d59be1ebac5f0543f075
     ports:
       - "9998:9998"
 
   locust:
-    image: locustio/locust
+    image: locustio/locust@sha256:ea785ebc49c887007e0e6809cc9a839edc0d2199a4ddf1d249f23f11fda52787
     ports:
       - "8089:8089"
     volumes:
@@ -84,7 +84,7 @@ services:
       - load-testing
 
   locust-worker:
-    image: locustio/locust
+    image: locustio/locust@sha256:ea785ebc49c887007e0e6809cc9a839edc0d2199a4ddf1d249f23f11fda52787
     volumes:
       - ./load_testing_locust:/mnt/locust
     command: -f /mnt/locust/locustfile.py --worker --master-host locust
@@ -96,7 +96,7 @@ services:
   keycloak:
     profiles:
       - keycloak
-    image: quay.io/keycloak/keycloak:26.4
+    image: quay.io/keycloak/keycloak:26.4@sha256:9409c59bdfb65dbffa20b11e6f18b8abb9281d480c7ca402f51ed3d5977e6007
     depends_on:
       db:
         condition: service_healthy
@@ -122,7 +122,7 @@ services:
   apigateway:
     profiles:
       - apisix
-    image: apache/apisix:3.13.0-debian # versions above this drop the local port on redirects
+    image: apache/apisix:3.13.0-debian@sha256:c5c7a55ebb5c07abc210dbb963a37f41030e12c91d23bacedbaa168fec633bd7 # versions above this drop the local port on redirects
     <<: *default-extra-hosts
     environment:
       - CSRF_COOKIE_DOMAIN=${CSRF_COOKIE_DOMAIN:-.odl.local}

frontends/api/package.json

@@ -20,12 +20,12 @@
     "react": "^19.2.1"
   },
   "devDependencies": {
-    "@faker-js/faker": "^10.0.0",
-    "@testing-library/react": "^16.3.0",
-    "enforce-unique": "^1.3.0",
-    "jest": "^29.7.0",
-    "jest-when": "^3.7.0",
-    "lodash": "^4.17.21",
+    "@faker-js/faker": "10.4.0",
+    "@testing-library/react": "16.3.2",
+    "enforce-unique": "1.3.0",
+    "jest": "29.7.0",
+    "jest-when": "3.7.0",
+    "lodash": "4.18.1",
     "ol-test-utilities": "0.0.0"
   },
   "dependencies": {

frontends/main/Dockerfile.web

@@ -57,7 +57,7 @@
 # heroku container:release --app mitopen-rc-nextjs frontend
 
 
-FROM node:24-alpine AS base
+FROM node:24-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f AS base
 
 RUN apk update
 RUN apk add --no-cache libc6-compat && \

frontends/main/package.json

@@ -70,27 +70,27 @@
     "yup": "^1.4.0"
   },
   "devDependencies": {
-    "@faker-js/faker": "^10.0.0",
-    "@happy-dom/jest-environment": "^20.1.0",
-    "@testing-library/jest-dom": "^6.4.8",
-    "@testing-library/react": "^16.3.0",
-    "@testing-library/user-event": "^14.5.2",
-    "@types/jest": "^29.5.12",
-    "@types/lodash": "^4.17.7",
-    "@types/node": "^24.0.0",
+    "@faker-js/faker": "10.4.0",
+    "@happy-dom/jest-environment": "20.9.0",
+    "@testing-library/jest-dom": "6.9.1",
+    "@testing-library/react": "16.3.2",
+    "@testing-library/user-event": "14.6.1",
+    "@types/jest": "29.5.14",
+    "@types/lodash": "4.17.24",
+    "@types/node": "24.12.2",
     "@types/react": "^19.2.7",
     "@types/react-dom": "^19.2.3",
-    "@types/react-slick": "^0.23.13",
-    "@types/slick-carousel": "^1",
+    "@types/react-slick": "0.23.13",
+    "@types/slick-carousel": "1.6.40",
     "eslint": "8.57.1",
-    "eslint-config-next": "^16.1.6",
-    "http-proxy-middleware": "^3.0.0",
-    "jest": "^29.7.0",
-    "jest-extended": "^7.0.0",
-    "jest-next-dynamic-ts": "^0.1.1",
-    "next-router-mock": "^1.0.2",
+    "eslint-config-next": "16.2.4",
+    "http-proxy-middleware": "3.0.5",
+    "jest": "29.7.0",
+    "jest-extended": "7.0.0",
+    "jest-next-dynamic-ts": "0.1.1",
+    "next-router-mock": "1.0.5",
     "ol-test-utilities": "0.0.0",
-    "ts-jest": "^29.2.4",
-    "typescript": "^5.5.4"
+    "ts-jest": "29.4.9",
+    "typescript": "5.9.3"
   }
 }

frontends/ol-components/package.json

@@ -46,27 +46,27 @@
     "wheel-indicator": "^1.3.0"
   },
   "devDependencies": {
-    "@chromatic-com/storybook": "^5.0.0",
-    "@faker-js/faker": "^10.0.0",
-    "@storybook/addon-docs": "^10.0.0",
-    "@storybook/addon-links": "^10.0.0",
-    "@storybook/addon-onboarding": "^10.0.0",
-    "@storybook/addon-webpack5-compiler-swc": "^4.0.0",
-    "@storybook/nextjs": "^10.2.4",
+    "@chromatic-com/storybook": "5.1.2",
+    "@faker-js/faker": "10.4.0",
+    "@storybook/addon-docs": "10.3.5",
+    "@storybook/addon-links": "10.3.5",
+    "@storybook/addon-onboarding": "10.3.5",
+    "@storybook/addon-webpack5-compiler-swc": "4.0.3",
+    "@storybook/nextjs": "10.3.5",
     "@storybook/test": "8.6.15",
-    "@testing-library/react": "^16.3.0",
-    "@testing-library/user-event": "^14.5.2",
-    "@types/lodash.throttle": "^4.1.9",
-    "@types/react-google-recaptcha": "^2.1.9",
-    "@types/react-slick": "^0.23.13",
-    "@types/validator": "^13.7.6",
-    "dotenv": "^17.0.0",
-    "lodash": "^4.17.21",
-    "prop-types": "^15.8.1",
-    "sass": "^1.93.3",
-    "sass-embedded": "^1.93.3",
-    "storybook": "^10.2.4",
-    "typescript": "^5.5.4"
+    "@testing-library/react": "16.3.2",
+    "@testing-library/user-event": "14.6.1",
+    "@types/lodash.throttle": "4.1.9",
+    "@types/react-google-recaptcha": "2.1.9",
+    "@types/react-slick": "0.23.13",
+    "@types/validator": "13.15.10",
+    "dotenv": "17.4.2",
+    "lodash": "4.18.1",
+    "prop-types": "15.8.1",
+    "sass": "1.99.0",
+    "sass-embedded": "1.99.0",
+    "storybook": "10.3.5",
+    "typescript": "5.9.3"
   },
   "peerDependencies": {
     "@mitodl/smoot-design": "^6.24.0",

frontends/ol-test-utilities/package.json

@@ -20,7 +20,7 @@
     "react": "^19.2.1"
   },
   "devDependencies": {
-    "@types/lodash": "^4.17.7",
+    "@types/lodash": "4.17.24",
     "@types/react": "^19.2.7"
   }
 }