Merge pull request #255 from asfadmin/snyk-fix-907a7f819c818c662fe642…

…400bef0806 [Snyk] Security upgrade pip from 9.0.3 to 19.2
asfadmin · Oct 7, 2020 · e1dd82e · e1dd82e
2 parents 8a16a85 + be67c6d
commit e1dd82e
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/build/dependency_builder.sh b/build/dependency_builder.sh
@@ -24,7 +24,7 @@ pip3 install -r ${WORKSPACE}/lambda/requirements.txt --target .
 
 # get rid of unneeded things to make code zip smaller
 rm -rf ./*.dist-info
-rm -rf pip
+# rm -rf pip # commented out because https://snyk.io/vuln/SNYK-PYTHON-PIP-609855
 rm -rf docutils
 rm -rf chalice/cli # cli in lambda? No way!
 rm -rf botocore # included with lambda, just takes up space here

diff --git a/lambda/requirements.txt b/lambda/requirements.txt
@@ -10,3 +10,5 @@ pyjwt==1.7.1
 pyOpenSSL==19.1.0 # maybe not necessary
 python-jose==3.2.0
 PyYAML==5.3.1
+
+pip>=19.2 # not directly required, pinned by Snyk to avoid a vulnerability