build: harden frontend build and deps

Author: haasonsaas

Dockerfile

@@ -5,11 +5,15 @@ ENV NODE_ENV=production
 WORKDIR /app
 
 USER 0
+RUN useradd --no-log-init --create-home --home-dir /home/webbuild --uid 10001 --gid 0 webbuild
+RUN chown webbuild:0 /app
 
-COPY web/package.json web/package-lock.json ./
+USER webbuild
+
+COPY --chown=webbuild:0 web/package.json web/package-lock.json ./
 RUN npm ci
 
-COPY web ./
+COPY --chown=webbuild:0 web ./
 RUN npm run build
 
 FROM registry.access.redhat.com/ubi9/python-312:latest

pyproject.toml

@@ -11,7 +11,7 @@ authors = [
 ]
 requires-python = ">=3.12,<3.13"
 dependencies = [
-  "fastapi>=0.112,<0.115",
+  "fastapi>=0.115,<0.117",
   "uvicorn[standard]>=0.30,<0.32",
   "httpx>=0.27,<0.28",
   "pydantic>=2.7,<2.9",
@@ -28,7 +28,8 @@ dependencies = [
   "signxml>=3.2,<4",
   "defusedxml>=0.7,<0.8",
   "pyyaml>=6.0,<7",
-  "python-multipart>=0.0.9,<0.0.10",
+  "python-multipart>=0.0.19,<0.0.20",
+  "starlette>=0.40,<0.41",
   "sigstore>=2.1.5,<3",
   "spdx-tools>=0.7,<0.8",
   "boto3>=1.35,<1.36",