From fbdb66b77f7d1e6b58c7253d48861e76c2600a42 Mon Sep 17 00:00:00 2001
From: Spherrrical
Date: Thu, 7 May 2026 11:27:23 -0700
Subject: [PATCH] ci: pin uv >=0.11.11 to clear GHSA-82j2-j2ch-gfr8 (rustls-webpki)

Trivy security-scan flagged uv 0.11.7 (currently fetched by an unpinned `pip install uv`) because it bundles rustls-webpki 0.103.10. The advisory (DoS via panic on malformed CRL BIT STRING) is fixed in 0.103.13. uv 0.11.11 picks up the fixed rustls-webpki, so we pin to that floor.
---
 Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index ad0ca707..b9c41064 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -65,7 +65,10 @@ COPY --from=envoy /usr/local/bin/envoy /usr/local/bin/envoy
 
 WORKDIR /app
 
-RUN pip install --no-cache-dir uv
+# Pin uv to >=0.11.11; older versions bundle rustls-webpki 0.103.10 which is
+# flagged by GHSA-82j2-j2ch-gfr8 (DoS via panic on malformed CRL BIT STRING).
+# uv 0.11.11+ ships rustls-webpki 0.103.13.
+RUN pip install --no-cache-dir 'uv>=0.11.11'
 
 COPY cli/pyproject.toml ./
 COPY cli/uv.lock ./
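Review bot: The new `RUN pip install --no-cache-dir 'uv>=0.11.11'` line clears the scanner finding but is still not a reproducible build: an open-ended floor installs whatever uv release PyPI serves at build time, so two builds of the same commit can differ and a future uv release could reintroduce a flagged dependency with nothing in this Dockerfile changing. An exact pin, `RUN pip install --no-cache-dir 'uv==0.11.11'`, ties the image to the version the scan was run against and makes later bumps deliberate, explicit commits (hadolint DL3013 flags the unpinned form for the same reason). If a floor is preferred so that patch releases are picked up automatically, at least bound it with `'uv>=0.11.11,<0.12'` so a new minor cannot land unreviewed. The added comment block is useful; a one-line pointer to the advisory is enough once the version is exact, e.g. `# uv pinned because of GHSA-82j2-j2ch-gfr8 (rustls-webpki); bump deliberately.`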