From 6740288030a8f566a62bbdbc167040889b9e84dd Mon Sep 17 00:00:00 2001 From: xiaolai Date: Sat, 25 Apr 2026 06:25:30 +0800 Subject: [PATCH] fix: pin requirements.txt to known-good versions (#90) All 6 packages were fully unpinned, allowing a compromised upstream release to silently introduce malicious code on `pip install`. Pin to current stable versions to ensure reproducible, auditable builds. Co-authored-by: Claude Code --- scripts/requirements.txt | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/requirements.txt b/scripts/requirements.txt index e6f81f0..2fc7f46 100644 --- a/scripts/requirements.txt +++ b/scripts/requirements.txt @@ -1,7 +1,7 @@ # Core dependencies for build_epub.py -ebooklib -markdown -beautifulsoup4 -httpx -pillow -tenacity +ebooklib==0.18 +markdown==3.7 +beautifulsoup4==4.12.3 +httpx==0.28.1 +pillow==11.1.0 +tenacity==9.0.0
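Review bot: Pinning with `==` alone does not deliver the "auditable builds" the commit message promises, because pip still trusts whatever artifact the index serves for that version and the six pins say nothing about the transitive dependencies these packages pull in (for example the lxml and httpcore trees behind `ebooklib==0.18` and `httpx==0.28.1`), which stay unpinned. To close both gaps, generate this file as a full lock with hashes (`pip-compile --generate-hashes`, or `pip hash` per wheel) and install it with `pip install --require-hashes -r scripts/requirements.txt`, so a tampered or substituted upload fails the install instead of being accepted because its version string matches. It would also help to state in the message how the versions were judged "known-good" (for example, tested with `build_epub.py` on a given date) and to add a comment at the top of the file telling future contributors to regenerate the lock rather than editing pins by hand.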