fix: hack/api-docs/requirements.txt to reduce vulnerabilities (#3036)

The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-JINJA2-6150717 - https://snyk.io/vuln/SNYK-PYTHON-PYYAML-590151 - https://snyk.io/vuln/SNYK-PYTHON-TORNADO-5537286 - https://snyk.io/vuln/SNYK-PYTHON-TORNADO-5840803 - https://snyk.io/vuln/SNYK-PYTHON-TORNADO-6041512 Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> Co-authored-by: snyk-bot <snyk-bot@snyk.io>
2024-12-14 11:57:59 +00:00 · 2024-01-19 08:04:25 +01:00 · 2024-01-19 08:04:25 +01:00 · 43b6c5eaad
commit 43b6c5eaad
parent 31cecaa62b
5 changed files with 22 additions and 8 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -10,3 +10,18 @@ updates:
    directory: "/"
    schedule:
      interval: "weekly"
+
+  - package-ecosystem: docker
+    directory: /e2e
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: docker
+    directory: /hack/api-docs
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: pip
+    directory: /hack/api-docs
+    schedule:
+      interval: weekly
--- a/Dockerfile.standalone
+++ b/Dockerfile.standalone
@ -1,6 +1,6 @@
 # This version of Dockerfile is for building without external dependencies.
 # Build a multi-platform image e.g. `docker buildx build --push --platform linux/arm64,linux/amd64 --tag external-secrets:dev --file Dockerfile.standalone .`
-FROM golang:1.21.6-alpine AS builder
+FROM golang:1.21.6-alpine@sha256:fd78f2fb1e49bcf343079bbbb851c936a18fc694df993cbddaa24ace0cc724c5 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 ENV CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH}
@ -12,7 +12,7 @@ COPY . /app/
 RUN go build -o external-secrets main.go


-FROM gcr.io/distroless/static AS app
+FROM gcr.io/distroless/static@sha256:9be3fcc6abeaf985b5ecce59451acbcbb15e7be39472320c538d0d55a0834edc AS app
 COPY --from=builder /app/external-secrets /bin/external-secrets

 # Run as UID for nobody
--- a/e2e/Dockerfile
+++ b/e2e/Dockerfile
@ -1,5 +1,4 @@
-ARG GO_VERSION=1.21
-FROM golang:$GO_VERSION-bookworm as builder
+FROM golang:1.21.6-bookworm@sha256:04cf306d01a03309934b49ac4b9f487abb8a054b71141fa53df6df482ab7d7eb as builder

 ENV KUBECTL_VERSION="v1.28.3"
 ENV HELM_VERSION="v3.13.1"
--- a/hack/api-docs/requirements.txt
+++ b/hack/api-docs/requirements.txt
@ -9,7 +9,7 @@ htmlmin==0.1.12
 idna==3.6
 importlib-metadata==7.0.1
 importlib-resources==6.1.1
-Jinja2==3.1.2
+Jinja2==3.1.3
 jsmin==3.0.1
 livereload==2.6.3
 Markdown==3.5.2
@ -29,13 +29,13 @@ platformdirs==4.1.0
 Pygments==2.17.2
 pymdown-extensions==10.7
 python-dateutil==2.8.2
-PyYAML==5.3.1
+PyYAML==6.0.1
 pyyaml_env_tag==0.1
 regex==2023.12.25
 requests==2.31.0
 six==1.16.0
 termcolor==2.4.0
-tornado==6.1
+tornado==6.3.3
 urllib3==2.1.0
 verspec==0.1.0
 watchdog==3.0.0
--- a/tilt.debug.dockerfile
+++ b/tilt.debug.dockerfile
@ -2,7 +2,7 @@ FROM golang:1.21.6@sha256:6fbd2d3398db924f8d708cf6e94bd3a436bb468195daa6a96e8050
 WORKDIR /
 COPY ./bin/external-secrets /external-secrets

-RUN go install github.com/go-delve/delve/cmd/dlv@latest
+RUN go install github.com/go-delve/delve/cmd/dlv@v1.22.0
 RUN chmod +x /go/bin/dlv
 RUN mv /go/bin/dlv /