Siddharth Balyan 04b1fdaecf security(deps): add upper bounds to 5 loose deps + document supply chain policy (#24226) ...

After the Mini Shai-Hulud supply chain campaign (May 2026) and the litellm
compromise (March 2026), codify the dependency pinning policy that was
established in PRs #2810 and #9801 but never written down for contributors.

Changes:
- pyproject.toml: Add tight upper bounds to the 5 deps that slipped
  through as review escapes from external contributor PRs:
  - hindsight-client>=0.4.22,<0.5 (was >=0.4.22)
  - aiosqlite>=0.20,<0.23 (was >=0.20)
  - asyncpg>=0.29,<0.32 (was >=0.29)
  - alibabacloud-dingtalk>=2.0.0,<3 (was >=2.0.0)
  - youtube-transcript-api>=1.2.0,<2 (was >=1.2.0)

  Pre-1.0 packages get <0.(current_minor+2) — tight enough to block
  hostile minor releases but loose enough to not require bumps every week.

- CONTRIBUTING.md: Add 'Dependency pinning policy' section under Security
  with the full rationale, table of source types + treatments, and examples.

- AGENTS.md: Add concise 'Dependency Pinning Policy' section for AI coding
  agents with the decision table and step-by-step checklist.

- supply-chain-audit.yml: Add dep-bounds job that fails PRs introducing
  PyPI deps without <ceiling upper bounds. Fires on pyproject.toml changes.
  Posts a PR comment with the specific unbounded specs found.

Refs: #2796 #2810 #9801 #24205

2026-05-15 01:33:08 -07:00

..

actions

ci: run docker build on PRs + smoke test arm64

2026-05-08 18:47:07 -04:00

ISSUE_TEMPLATE

feat: add openrouter/elephant-alpha to curated model lists (#9378)

2026-04-13 21:16:14 -07:00

workflows

security(deps): add upper bounds to 5 loose deps + document supply chain policy (#24226)

2026-05-15 01:33:08 -07:00

dependabot.yml

chore(security): add OSV-Scanner CI + Dependabot for github-actions only (#20037)

2026-05-04 20:58:21 -07:00

PULL_REQUEST_TEMPLATE.md

docs: add documentation & housekeeping checklist to PR template

2026-03-05 07:23:52 -08:00