Add pip dependency lock file for supply chain protection #30

Open
kaggle-agent wants to merge 2 commits into main from agent/erdalsivri-20260401152738-31259832
Conversation

@kaggle-agent
Collaborator

Generate requirements.lock from pyproject.toml using pip-compile to pin
all direct and transitive dependencies to exact versions. This protects
against supply chain attacks by ensuring reproducible installs. Also
update .gitignore to exclude .claude/settings.local.json and
.kagent-context/.

Co-authored-by: kaggle-agent <kaggle-agent@users.noreply.github.com>


Task: erdalsivri-20260401152738-31259832
Context: https://chat.kaggle.net/kaggle/pl/o3rrqgcf5fy3jjsjkbuhdp7ifh

Generate requirements.lock from pyproject.toml using pip-compile to pin
all direct and transitive dependencies to exact versions. This protects
against supply chain attacks by ensuring reproducible installs. Also
update .gitignore to exclude .claude/settings.local.json and
.kagent-context/.

Co-authored-by: kaggle-agent <kaggle-agent@users.noreply.github.com>
Contributor

@erdalsivri erdalsivri left a comment

Please use exclude-newer in project.toml instead of adding versions here. Also add documentation to explain how package upgrades should be carried out with exclude-newer. Something like "first bump up this date to 2 days before today and then run pip install". Make sure to regenerate the lock file after exclude-newer change

Switch from pip-compile to uv with exclude-newer in pyproject.toml so
dependency versions are bounded by date rather than pinned in the lock
file. This prevents unexpected new releases from entering the build
while keeping upgrades simple: bump the date and re-run uv pip compile.

Co-authored-by: kaggle-agent <kaggle-agent@users.noreply.github.com>
@kaggle-agent
Collaborator Author

Re: @erdalsivri's review:

Switched from pip-compile to uv pip compile and added exclude-newer = "2026-03-31" to [tool.uv] in pyproject.toml. The lock file is now regenerated using uv, which respects the exclude-newer setting automatically.

Added upgrade documentation as comments at the top of requirements.lock:

  1. Update exclude-newer in pyproject.toml to 2 days before today
  2. Run: uv pip compile pyproject.toml -o requirements.lock

@erdalsivri erdalsivri requested a review from rosbo April 2, 2026 20:10
@erdalsivri
Contributor

@rosbo I don't know how the build pipeline works for this project, so I am not sure if the lock file is even used, but exclude-newer should be effective. Please feel free to close if this doesn't make sense.
