Commit 0716f10

and

authored

fix(security): supply chain hardening — dep confusion, lockfiles, Dockerfile digest (#2)

- Fix dependency confusion: replace agent-primitives==0.1.0 with local file references in scak and iatp requirements.txt (CWE-427) - Pin root Dockerfile base image to SHA digest (CWE-829) - Generate missing package-lock.json for 4 npm packages (CWE-829): mcp-proxy, api, chrome extension, mastra-agentmesh - Remove unsafe npm ci || npm install fallback in ESRP pipeline (CWE-829) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

1 parent 7a916f6 commit 0716f10Copy full SHA for 0716f10

8 files changed

+20745

-4

lines changed

Dockerfile
packages
- agent-mesh
  - packages/mcp-proxy
    - package-lock.json
  - services/api
    - package-lock.json
- agent-os
  - extensions/chrome
    - package-lock.json
  - modules
    - iatp
      - requirements.txt
    - scak
      - requirements.txt
- agentmesh-integrations/mastra-agentmesh
  - package-lock.json
pipelines
- esrp-publish.yml

8 files changed

+20745

-4

lines changed

`‎Dockerfile‎`

-Original file line number
+Diff line change
 ARG PYTHON_VERSION=3.11
 -FROM python:${PYTHON_VERSION}-slim AS base
 +FROM python:3.11-slim@sha256:9358444059ed78e2975ada2c189f1c1a3144a5dab6f35bff8c981afb38946634 AS base
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

Comments

(0)