diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9966128d..3b642783 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -37,6 +37,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### Requirements
+- Pinned dependencies to exact versions and updated vulnerable packages for secure, reproducible installations [BU-ISCIII/relecov-tools#892](https://github.com/BU-ISCIII/relecov-tools/pull/892)
 ## [1.8.0] - 2026-27-02 :
diff --git a/requirements.txt b/requirements.txt
index 0b7c9376..47a48167 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,19 +1,21 @@
-click
-questionary
-jsonschema
-packaging
-prompt_toolkit>=3.0.3
-rich>=10.0.0
-requests==2.27.1
-paramiko>=2.10.1
-pyyaml==6.0.1
-openpyxl>=3.1.2
-ena-upload-cli
-bio==1.4.0
-xlsxwriter==3.2.0
-bs4==0.0.2
-tabulate
-pandas
-jinja2>=3.0.0
-semantic_version
-geopy
\ No newline at end of file
+biopython==1.87
+click==8.4.1
+# Newer releases currently hard-pin vulnerable lxml/pytest versions.
+ena-upload-cli==0.6.2
+geopy==2.4.1
+Jinja2==3.1.6
+jsonschema==4.26.0
+# Security override for ena-upload-cli's otherwise unbounded lxml dependency.
+lxml==6.1.1
+mysql-connector-python==9.7.0
+numpy==2.2.6
+openpyxl==3.1.5
+pandas==2.3.3
+paramiko==5.0.0
+PyYAML==6.0.3
+questionary==2.1.1
+requests==2.34.2
+rich==15.0.0
+semantic-version==2.10.0
+tabulate==0.10.0
+XlsxWriter==3.2.9
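Review bot: The `==` pins on the new side fix only the direct dependencies and carry no `--hash` entries, so installs are still neither fully reproducible nor protected against a substituted wheel; pip resolves every transitive package (whatever `ena-upload-cli==0.6.2`, `pandas==2.3.3` or `biopython==1.87` pull in) freely at install time, which undercuts the "secure, reproducible" wording in the changelog entry. Consider generating this file from a lock (for example `pip-compile --generate-hashes`) or shipping a constraints file alongside it, and stating the gap at the top: `# Direct dependencies only; transitive packages and hashes are not pinned here.`. Separately, `bs4`, `packaging` and `prompt_toolkit` are dropped from the old side without a replacement entry, so any module that imports them directly now depends on transitive resolution that a future upstream release could change — worth confirming against the code. The `bio==1.4.0` → `biopython==1.87` swap is a different distribution; presumably only the `Bio` namespace is used, but that should be verified before release.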