Summary
The lockfile requirements.hashes.source.txt was updated to pin pypdf==6.10.2 as part of a CVE fix (PR #1528), but the corresponding constraint in pyproject.toml (Line 163) still reads pypdf>=6.9.2.
Problem
If the lockfiles are regenerated (e.g., via make konflux-requirements), uv pip compile will re-read pyproject.toml and could resolve a vulnerable version of pypdf. This undermines defense-in-depth for the CVE fix.
Suggested Fix
Update the dependency entry in pyproject.toml from:
to:
This ensures all dependency resolution paths—including lock file regeneration and direct installs—enforce the safe floor version.
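To make the mismatch described above mechanically detectable, here is an added example (not part of the issue or the project) that compares the floors declared in pyproject.toml against the pins in a uv-style hashed lockfile and flags packages whose floor is below a required safe version. Both input documents are constructed samples modelled on the issue; the hashes are placeholders.

```python
import re

# Constructed sample inputs modelled on the issue: the lockfile pins the fixed
# version, but the pyproject.toml floor still admits vulnerable releases.
PYPROJECT = """
[project]
name = "example"
dependencies = [
    "pypdf>=6.9.2",
    "requests>=2.32.0",
]
"""

LOCKFILE = """
# constructed sample in `uv pip compile --generate-hashes` layout
pypdf==6.10.2 \\
    --hash=sha256:PLACEHOLDER
requests==2.32.3 \\
    --hash=sha256:PLACEHOLDER
"""

# name, operator, version; ">=" and "<=" are listed before ">" and "<" on purpose
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(>=|==|~=|<=|!=|>|<)\s*([0-9][0-9A-Za-z.]*)")

def parse_version(v):
    """Numeric-only comparison key, sufficient for release versions like 6.10.2."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def pyproject_dependencies(text):
    """Return the [project].dependencies strings (tomllib on 3.11+, regex fallback)."""
    try:
        import tomllib
        return tomllib.loads(text)["project"]["dependencies"]
    except ModuleNotFoundError:
        block = re.search(r"dependencies\s*=\s*\[(.*?)\]", text, re.S).group(1)
        return re.findall(r'"([^"]+)"', block)

def pyproject_floors(text):
    """{package: floor} for '>=' and '==' constraints declared in pyproject.toml."""
    floors = {}
    for dep in pyproject_dependencies(text):
        m = REQ_RE.match(dep)
        if m and m.group(2) in (">=", "=="):
            floors[m.group(1).lower()] = m.group(3)
    return floors

def lockfile_pins(text):
    """{package: pinned version} from 'name==version' lines; hash lines are skipped."""
    pins = {}
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m and m.group(2) == "==":
            pins[m.group(1).lower()] = m.group(3)
    return pins

def find_weak_floors(pyproject_text, lockfile_text, required):
    """For each {package: safe_version}, report (pkg, floor, pin, safe) where the
    pyproject floor is missing or below safe, regardless of what the lockfile pins."""
    floors, pins = pyproject_floors(pyproject_text), lockfile_pins(lockfile_text)
    return [(pkg, floors.get(pkg), pins.get(pkg), safe) for pkg, safe in required.items()
            if floors.get(pkg) is None or parse_version(floors[pkg]) < parse_version(safe)]
```

Run against the constructed inputs, the check reports pypdf (floor 6.9.2, pin 6.10.2, required 6.10.2) and nothing for requests; a lockfile regeneration would be caught before it silently widens the resolvable range.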
References
/cc @tisnik