ci: pin uv >=0.11.11 to clear GHSA-82j2-j2ch-gfr8 (rustls-webpki)

Trivy security-scan flagged uv 0.11.7 (currently fetched by an unpinned `pip install uv`) because it bundles rustls-webpki 0.103.10. The advisory (DoS via panic on malformed CRL BIT STRING) is fixed in 0.103.13. uv 0.11.11 picks up the fixed rustls-webpki, so we pin to that floor.
2026-06-08 14:55:14 +02:00 · 2026-05-07 11:27:23 -07:00 · 2026-05-07 11:27:23 -07:00 · fbdb66b77f
commit fbdb66b77f
parent 294af49d8a
1 changed files with 4 additions and 1 deletions
--- a/5
+++ b/5
@ -65,7 +65,10 @@ COPY --from=envoy /usr/local/bin/envoy /usr/local/bin/envoy

 WORKDIR /app

-RUN pip install --no-cache-dir uv
+# Pin uv to >=0.11.11; older versions bundle rustls-webpki 0.103.10 which is
+# flagged by GHSA-82j2-j2ch-gfr8 (DoS via panic on malformed CRL BIT STRING).
+# uv 0.11.11+ ships rustls-webpki 0.103.13.
+RUN pip install --no-cache-dir 'uv>=0.11.11'

 COPY cli/pyproject.toml ./
 COPY cli/uv.lock ./