Merge pull request #30 from PostHog/mk/update_deps

MichaelKutsch-ph · web-flow · commit 57a94496eee8 · 2026-02-18T11:24:20.000+01:00
update dependencies
diff --git a/layer/requirements.txt b/layer/requirements.txt
@@ -102,7 +102,7 @@ typing-inspection==0.4.2 \
     --hash=sha256:4ed1cacbdc298c220f1bd249ed5287caa16f34d44ef4e9c3d0cbad5b521545e7 \
     --hash=sha256:ba561c48a67c5958007083d386c3295464928b01faa735ab8547c5692e87f464
     # via pydantic
-urllib3==2.6.2 \
-    --hash=sha256:016f9c98bb7e98085cb2b4b17b87d2c702975664e4f060c6532e64d1c1a5e797 \
-    --hash=sha256:ec21cddfe7724fc7cb4ba4bea7aa8e2ef36f607a4bab81aa6ce42a13dc3f03dd
+urllib3==2.6.3 \
+    --hash=sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed \
+    --hash=sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4
     # via botocore
diff --git a/layer/uv.lock b/layer/uv.lock
diff --git a/src/docker/Dockerfile b/src/docker/Dockerfile
@@ -2,6 +2,9 @@ FROM ghcr.io/astral-sh/uv:0.9.5 AS uv
 
 FROM public.ecr.aws/lambda/python:3.13
 
+# Patch OpenSSL FIPS provider vulnerability
+RUN dnf upgrade -y openssl openssl-libs openssl-fips-provider && dnf clean all
+
 # Copy uv from the official image
 COPY --from=uv /uv /bin/uv
 
diff --git a/src/docker/Dockerfile.attribute_syncer b/src/docker/Dockerfile.attribute_syncer
@@ -32,6 +32,9 @@ RUN --mount=from=uv,source=/uv,target=/bin/uv \
 
 FROM public.ecr.aws/lambda/python:3.13
 
+# Patch OpenSSL FIPS provider vulnerability
+RUN dnf upgrade -y openssl openssl-libs openssl-fips-provider && dnf clean all
+
 # Copy the runtime dependencies from the builder stage with proper ownership
 COPY --from=builder --chown=1000:1000 ${LAMBDA_TASK_ROOT} ${LAMBDA_TASK_ROOT}
 
diff --git a/src/docker/Dockerfile.requester b/src/docker/Dockerfile.requester
@@ -32,6 +32,9 @@ RUN --mount=from=uv,source=/uv,target=/bin/uv \
 
 FROM public.ecr.aws/lambda/python:3.13
 
+# Patch OpenSSL FIPS provider vulnerability
+RUN dnf upgrade -y openssl openssl-libs openssl-fips-provider && dnf clean all
+
 # Copy the runtime dependencies from the builder stage with proper ownership
 COPY --from=builder --chown=1000:1000 ${LAMBDA_TASK_ROOT} ${LAMBDA_TASK_ROOT}
 
diff --git a/src/docker/Dockerfile.revoker b/src/docker/Dockerfile.revoker
@@ -32,6 +32,9 @@ RUN --mount=from=uv,source=/uv,target=/bin/uv \
 
 FROM public.ecr.aws/lambda/python:3.13
 
+# Patch OpenSSL FIPS provider vulnerability
+RUN dnf upgrade -y openssl openssl-libs openssl-fips-provider && dnf clean all
+
 # Copy the runtime dependencies from the builder stage with proper ownership
 COPY --from=builder --chown=1000:1000 ${LAMBDA_TASK_ROOT} ${LAMBDA_TASK_ROOT}
 
diff --git a/src/requirements.txt b/src/requirements.txt
@@ -207,7 +207,7 @@ typing-inspection==0.4.2 \
     # via
     #   pydantic
     #   pydantic-settings
-urllib3==2.5.0 \
-    --hash=sha256:3fc47733c7e419d4bc3f6b3dc2b4f890bb743906a30d56ba4a5bfa4bbff92760 \
-    --hash=sha256:e6b01673c0fa6a13e374b50871808eb3bf7046c4b125b216f6bf1cc604cff0dc
+urllib3==2.6.3 \
+    --hash=sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed \
+    --hash=sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4
     # via requests
diff --git a/src/uv.lock b/src/uv.lock
