@@ -38,19 +38,14 @@ RUN apt-get update && \
3838WORKDIR /root
3939
4040# Install pyenv
41- RUN curl -L -o /tmp/pyenv.tar.gz https://github.com/pyenv/pyenv/archive/refs/tags/v2.6.3 .tar.gz && \
41+ RUN curl -L -o /tmp/pyenv.tar.gz https://github.com/pyenv/pyenv/archive/refs/tags/v2.6.22 .tar.gz && \
4242 mkdir -p /root/.pyenv && \
4343 tar -xzvf /tmp/pyenv.tar.gz -C /root/.pyenv --strip-components=1 && \
4444 echo 'eval "$(pyenv init -)"' >> /root/.profile && \
4545 echo 'eval "$(pyenv virtualenv-init -)"' >> /root/.profile
4646
4747ENV PATH="/root/.pyenv/bin:/root/.pyenv/shims:${PATH}"
4848
49- # Install python
50- RUN pyenv install 3.13.5 && \
51- pyenv global 3.13.5 && \
52- python3 -m pip install --upgrade pip setuptools
53-
5449# # Install Node.js from apt-get
5550
5651# Add NodeSource APT repository for Node.js v18
@@ -67,6 +62,14 @@ RUN npm --version
6762
6863# # Install Synthtool and Dependencies
6964
65+ # Install python
66+ RUN pyenv install 3.13.12 && \
67+ pyenv global 3.13.12
68+
69+ # This is needed to upgrade pip in the following path
70+ # /root/.pyenv/versions/3.13.12/lib/python3.13/site-packages/
71+ RUN pip install --upgrade pip
72+
7073# Create a Python virtual environment for synthtool dependencies.
7174# This isolates your Python packages from the system Python.
7275ENV VIRTUAL_ENV=/opt/venv/synthtool
@@ -75,17 +78,32 @@ RUN python3 -m venv $VIRTUAL_ENV
7578# the venv for all subsequent commands in this and future RUN layers.
7679ENV PATH="$VIRTUAL_ENV/bin:$PATH"
7780
81+ # This is needed to upgrade pip in the following path
82+ # /opt/venv/synthtool/lib/python3.13/site-packages/
83+ RUN pip install --upgrade pip
84+
85+ # TODO(https://github.com/python/cpython/issues/144538): This is
86+ # need to address CVE-2026-1703 which requires pip 26.0
87+ # as per https://github.com/advisories/GHSA-4xh5-x5gv-qwph.
88+ # Remove this code once Python 3.13.13 is released which includes a fix.
89+ RUN rm -rf /root/.pyenv/versions/3.13.12/lib/python3.13/ensurepip/_bundled/pip-25.3-py3-none-any.whl
90+
7891# Copy requirements.txt and install Python dependencies into the virtual environment.
7992COPY requirements.txt /synthtool/requirements.txt
8093RUN pip install --require-hashes -r /synthtool/requirements.txt
8194
8295# TODO: Remove this code once there is a newer version of virtualenv which does not include setuptools 75.3.2
83- # https://github.com/pypa/virtualenv/tree/main /src/virtualenv/seed/wheels/embed
96+ # https://github.com/pypa/virtualenv/tree/20.36.1 /src/virtualenv/seed/wheels/embed
8497# In the interim, remove the bundled setuptools 75.3.2 wheel
8598# since it does not include a fix for CVE-2025-47273/CVE-2025-47273.
86- RUN rm -rf /venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/setuptools-68.0.0-py3-none-any.whl
87- RUN rm -rf /venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/setuptools-75.1.0-py3-none-any.whl
88- RUN rm -rf /opt/venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/setuptools-68.0.0-py3-none-any.whl
99+ RUN rm -rf /opt/venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/setuptools-75.3.2-py3-none-any.whl
100+
101+ # TODO: Remove this code once there is a newer version of virtualenv which does not include pip 25.0.1 and 25.3
102+ # https://github.com/pypa/virtualenv/tree/20.36.1/src/virtualenv/seed/wheels/embed
103+ # In the interim, remove the bundled pip wheel
104+ # since it does not include a fix for CVE-2026-1703
105+ RUN rm -rf /opt/venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/pip-25.3-py3-none-any.whl
106+ RUN rm -rf /opt/venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl
89107
90108# Set PYTHONPATH to ensure synthtool can be found by Python scripts.
91109# Include the virtual environment's site-packages for completeness, though
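Review bot: The venv `pip install --upgrade pip` (new line 83) and the interpreter-level one in the previous hunk (new line 71) are unpinned, so each build picks up whatever pip is current at build time and the `pip 26.0` floor the TODO comment gives for CVE-2026-1703 is never actually enforced or reproducible; pin it, e.g. `RUN pip install --upgrade 'pip==26.0'`, and if the `--require-hashes` discipline applied to requirements.txt is meant to cover pip itself, install it from a small hash-pinned requirements file instead. Deleting the ensurepip `_bundled` pip wheel (new line 89) leaves the interpreter with no bundled pip, so any later `python -m venv` or `python -m ensurepip` in this image or one derived from it will presumably fail unless run with `--without-pip`; that consequence belongs in the comment, e.g. `# NOTE: after this rm, python -m venv / ensurepip cannot seed pip; create further venvs with --without-pip.` The same unpinned-dependency concern applies to the pyenv tarball in the first hunk, which is fetched by tag with no checksum check and is left behind in `/tmp` in the layer.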