From 7787ff78d3c20a0e9389520162335ee1078df401 Mon Sep 17 00:00:00 2001 From: Sudip Sinha Date: Fri, 19 Jun 2026 13:46:38 +0100 Subject: [PATCH] fix(container): bump uv to 0.11.22 and remove uv/uvx from runtime Resolves GHSA-4gg8-gxpx-9rph (arbitrary file write through entry point names) by upgrading uv from 0.11.1 to 0.11.22 (fix version: 0.11.15). Also explicitly removes uv/uvx binaries from the builder's bin directory before copying to the runtime stage, since they are not needed at runtime and their presence unnecessarily expands the attack surface. Signed-off-by: Sudip Sinha --- Containerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Containerfile b/Containerfile index e6e336a..5916ffa 100644 --- a/Containerfile +++ b/Containerfile @@ -37,9 +37,10 @@ USER 1001 COPY pyproject.toml README.md ./ -RUN pip install --no-cache-dir --upgrade pip==26.1.1 uv==0.11.1 && \ +RUN pip install --no-cache-dir --upgrade pip==26.1.1 uv==0.11.22 && \ uv pip install --no-cache ".[$EXTRAS]" && \ pip uninstall -y uv && \ + rm -f /opt/app-root/bin/uv /opt/app-root/bin/uvx && \ rm -rf /root/.cache /tmp/* # =============================================================================
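Review bot: the added `rm -f /opt/app-root/bin/uv /opt/app-root/bin/uvx` in this hunk exits 0 whether or not those files exist, so the build has no way to fail if uv or uvx survives into the runtime stage, for example because pip placed the console scripts under a different prefix than the hardcoded /opt/app-root/bin (the `pip install` and `pip uninstall -y uv` lines above it do not name one). Suggest ending the RUN chain with an explicit assertion, such as `! command -v uv && ! command -v uvx`, so the removal the commit message promises is verified rather than assumed, and add a one-line comment in the Containerfile explaining why both `pip uninstall -y uv` and the `rm -f` are kept, since the uninstall should already remove the entry points and a reader will otherwise take the second step as redundant. Minor: the unchanged `rm -rf /root/.cache /tmp/*` context line runs after `USER 1001`, so it is unlikely to touch anything the uv install wrote; not introduced by this patch, but worth a follow-up.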