Skip to content

chore: use --uploaded-prior-to guard for pip installs in docs script and fuzzing script#11891

Open
julian-risch wants to merge 4 commits into
mainfrom
security/pin-pip-installs-setup-dev
Open

chore: use --uploaded-prior-to guard for pip installs in docs script and fuzzing script#11891
julian-risch wants to merge 4 commits into
mainfrom
security/pin-pip-installs-setup-dev

Conversation

@julian-risch

@julian-risch julian-risch commented Jul 6, 2026

Copy link
Copy Markdown
Member

Related Issues

  • None. Flagged during automated code quality checks.

Proposed Changes:

Add --uploaded-prior-to=P1D to the pip install commands that were still unpinned, and upgrade pip first so the flag is available on older pip versions:

  • docs-website/scripts/setup-dev.sh — both pip install commands.
  • .clusterfuzzlite/build.shpip3 install ..

How did you test it?

Notes for the reviewer

In build.sh, pip3 install . builds Haystack from the local checkout, so the flag intentionally doesn't affect the package itself but it guards the transitive dependencies resolved from PyPI

Checklist

  • I have read the contributors guidelines and the code of conduct.
  • [n/a] I have updated the related issue with new insights and changes.
  • [n/a] I have added unit tests and updated the docstrings. (Shell-only change, no unit-testable surface.)
  • I've used one of the conventional commit types for my PR title: security: maps to chore:/ci: hardening.
  • I have documented my code (inline comments explaining the flag).
  • [n/a] I have added a release note file. (No user-facing runtime change.)
  • I have run pre-commit hooks and fixed any issue.

Add --uploaded-prior-to=P1D to the pip installs in the docs-website
dev setup script to guard against freshly-uploaded (potentially
malicious) package versions, matching the pattern already used across
CI workflows. Upgrade pip first so the flag is available on older
local pip versions.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
haystack-docs Ready Ready Preview, Comment Jul 6, 2026 6:40pm

Request Review

Add --uploaded-prior-to=P1D to the pip install in the ClusterFuzzLite
build script so transitive dependencies resolved during the fuzz build
skip freshly-uploaded (potentially malicious) versions. Upgrade pip
first since the OSS-Fuzz base-builder image may ship an older pip.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@julian-risch julian-risch changed the title security: pin pip installs in docs setup-dev.sh security: pin pip installs in docs setup-dev.sh and clusterfuzzlite build Jul 6, 2026
Removed comments about pip upgrade and supply-chain flag.
Removed comment about upgrading pip for supply-chain flag.
@julian-risch julian-risch changed the title security: pin pip installs in docs setup-dev.sh and clusterfuzzlite build chore: use --uploaded-prior-to guard for pip installs in docs script and fuzzing script Jul 6, 2026
@julian-risch julian-risch marked this pull request as ready for review July 6, 2026 18:43
@julian-risch julian-risch requested a review from a team as a code owner July 6, 2026 18:43
@julian-risch julian-risch requested review from bogdankostic and removed request for a team July 6, 2026 18:43
@claude

claude Bot commented Jul 6, 2026

Copy link
Copy Markdown

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants