Siddharth Balyan 04b1fdaecf security(deps): add upper bounds to 5 loose deps + document supply chain policy (#24226) ... After the Mini Shai-Hulud supply chain campaign (May 2026) and the litellm compromise (March 2026), codify the dependency pinning policy that was established in PRs #2810 and #9801 but never written down for contributors. Changes: - pyproject.toml: Add tight upper bounds to the 5 deps that slipped through as review escapes from external contributor PRs: - hindsight-client>=0.4.22,<0.5 (was >=0.4.22) - aiosqlite>=0.20,<0.23 (was >=0.20) - asyncpg>=0.29,<0.32 (was >=0.29) - alibabacloud-dingtalk>=2.0.0,<3 (was >=2.0.0) - youtube-transcript-api>=1.2.0,<2 (was >=1.2.0) Pre-1.0 packages get <0.(current_minor+2) — tight enough to block hostile minor releases but loose enough to not require bumps every week. - CONTRIBUTING.md: Add 'Dependency pinning policy' section under Security with the full rationale, table of source types + treatments, and examples. - AGENTS.md: Add concise 'Dependency Pinning Policy' section for AI coding agents with the decision table and step-by-step checklist. - supply-chain-audit.yml: Add dep-bounds job that fails PRs introducing PyPI deps without <ceiling upper bounds. Fires on pyproject.toml changes. Posts a PR comment with the specific unbounded specs found. Refs: #2796 #2810 #9801 #24205		2026-05-15 01:33:08 -07:00
..
actions	ci: run docker build on PRs + smoke test arm64	2026-05-08 18:47:07 -04:00
ISSUE_TEMPLATE	feat: add openrouter/elephant-alpha to curated model lists (#9378)	2026-04-13 21:16:14 -07:00
workflows	security(deps): add upper bounds to 5 loose deps + document supply chain policy (#24226)	2026-05-15 01:33:08 -07:00
dependabot.yml	chore(security): add OSV-Scanner CI + Dependabot for github-actions only (#20037)	2026-05-04 20:58:21 -07:00
PULL_REQUEST_TEMPLATE.md	docs: add documentation & housekeeping checklist to PR template	2026-03-05 07:23:52 -08:00