From b11106d5677aa0b0941893e7cfb2b389cc148938 Mon Sep 17 00:00:00 2001
From: erdalsivri
Date: Wed, 1 Apr 2026 15:32:55 +0000
Subject: [PATCH 1/2] Add pip dependency lock file for supply chain protection

Generate requirements.lock from pyproject.toml using pip-compile to pin all direct and transitive dependencies to exact versions. This protects against supply chain attacks by ensuring reproducible installs. Also update .gitignore to exclude .claude/settings.local.json and .kagent-context/.

Co-authored-by: kaggle-agent
---
 .gitignore | 2 ++
 requirements.lock | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 requirements.lock

diff --git a/.gitignore b/.gitignore
index 4fc275f..aa7df9b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 dist/
 .idea
+.claude/settings.local.json
+.kagent-context/**
diff --git a/requirements.lock b/requirements.lock
new file mode 100644
index 0000000..730857c
--- /dev/null
+++ b/requirements.lock
@@ -0,0 +1,19 @@
+# Regenerate with: pip-compile pyproject.toml -o requirements.lock
+#
+# This file is autogenerated by pip-compile with Python 3.13
+# by the following command:
+#
+# pip-compile --output-file=requirements.lock pyproject.toml
+#
+certifi==2026.2.25
+# via requests
+charset-normalizer==3.4.6
+# via requests
+idna==3.11
+# via requests
+protobuf==7.34.1
+# via kagglesdk (pyproject.toml)
+requests==2.33.1
+# via kagglesdk (pyproject.toml)
+urllib3==2.6.3
+# via requests

From d3aecfaccb1806080d83977b53d0b13de63c9a3d Mon Sep 17 00:00:00 2001
From: erdalsivri
Date: Thu, 2 Apr 2026 20:04:39 +0000
Subject: [PATCH 2/2] Use uv exclude-newer for supply chain protection

Switch from pip-compile to uv with exclude-newer in pyproject.toml so dependency versions are bounded by date rather than pinned in the lock file. This prevents unexpected new releases from entering the build while keeping upgrades simple: bump the date and re-run uv pip compile.

Co-authored-by: kaggle-agent
---
 pyproject.toml | 3 +++
 requirements.lock | 11 ++++++-----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index b70ea6f..11531e1 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -29,5 +29,8 @@ dependencies = [
 "Homepage" = "https://github.com/Kaggle/kagglesdk"
 "Bug Tracker" = "https://github.com/Kaggle/kagglesdk/issues"
 
+[tool.uv]
+exclude-newer = "2026-03-31"
+
 [tool.hatch.version]
 path = "kagglesdk/__init__.py"
\ No newline at end of file
diff --git a/requirements.lock b/requirements.lock
index 730857c..f9f14c2 100644
--- a/requirements.lock
+++ b/requirements.lock
@@ -1,10 +1,11 @@
-# Regenerate with: pip-compile pyproject.toml -o requirements.lock
+# Regenerate with: uv pip compile pyproject.toml -o requirements.lock
 #
-# This file is autogenerated by pip-compile with Python 3.13
-# by the following command:
-#
-# pip-compile --output-file=requirements.lock pyproject.toml
+# To upgrade packages:
+# 1. Update exclude-newer in pyproject.toml to 2 days before today
+# 2. Run: uv pip compile pyproject.toml -o requirements.lock
 #
+# This file was autogenerated by uv via the following command:
+# uv pip compile pyproject.toml -o requirements.lock
 certifi==2026.2.25
 # via requests
 charset-normalizer==3.4.6
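Review bot: The added `[tool.uv]` `exclude-newer` cutoff in the pyproject.toml hunk bounds which release dates the resolver will consider, but nothing in the change verifies the artifacts that actually get installed: requirements.lock still carries version pins only, with no hashes, so a distribution republished or served by a substituted index under a pinned version string installs unchallenged. Regenerating the lock with `uv pip compile --generate-hashes pyproject.toml -o requirements.lock` and installing with `pip install --require-hashes -r requirements.lock` (or `uv pip install --require-hashes`) adds the integrity check the commit message is reaching for. The cutoff is also uv-specific, since pip and other tools reading pyproject.toml ignore `[tool.uv]`, which is worth stating next to it: `# uv resolver cutoff only; other installers ignore this — use requirements.lock for reproducible installs`. The table the two URL context lines belong to is headed above the hunk, outside what is shown.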