Chainguard Libraries for JavaScript and CVE remediation for Python libraries

Learning Lab for October 2025 about Chainguard Libraries for JavaScript and CVE remediation for Python libraries

The October 2025 Learning Lab with Manfred Moser covers Chainguard Libraries for JavaScript and CVE remediation with Chainguard Libraries for Python. It starts with an overview of libraries and the JavaScript ecosystem and moves on to a demo with npm and pnpm. In the second section Manfred explains the approach to CVE remediation and shows an example project with remediation and scanning with grype.

Sections

  • 0:00 Introduction
  • 1:55 Agenda
  • 2:54 Secure container and the role of libraries
  • 5:20 Software supply chain for libraries and security
  • 6:51 Chainguard Libraries and the JavaScript ecosystem
  • 14:33 Malware in the npm ecosystem
  • 18:39 Chainguard Libraries for JavaScript
  • 25:57 Demos with npm and pnpm
  • 33:50 Troubleshooting results and additional demos
  • 41:34 Chainguard Libraries for Python
  • 43:39 CVE remediation process and examples
  • 52:03 Demos with uv and grype
  • 56:25 Further resources
  • 57:35 Next up
  • 58:18 Questions
  • 1:06:00 Wrapping up

JavaScript demo

The demonstration of Chainguard Libraries for JavaScript walks through the minimal example for pnpm with direct access to the registry and with access to a local repository manager, and shows an equivalent project with npm as well.

CVE remediation demo

The example project that showcases CVE remediation for Python packages uses a simple project set up for uv.

The pyproject.toml file contains all relevant configuration:

[project]
name = "uv-example"
version = "0.1.0"
description = "An example project with uv for Chainguard Libraries"
readme = "README.md"
requires-python = ">=3.13"
dependencies = [
    "flask==2.0.0",          # fix with 2.0.0+cgr.1
    "werkzeug==3.0.2",       # fix in 3.0.2+cgr.1
    "urllib3==1.26.7",       # fix in 1.26.7+cgr.1
    "setuptools==77.0.3"     # fix in 77.0.3+cgr.1
]

[[tool.uv.index]]
name = "nexus"
#url = "http://localhost:8081/repository/python-all/simple/"
url = "http://localhost:8081/repository/python-all-remediated/simple/"

Note that the declared dependencies pin only the plain upstream version. If the remediated packages are available in the configured index, these pins resolve to the builds that carry the CVE fixes (the +cgr.1 versions noted in the comments); otherwise the original upstream builds are used.

The script sets up a new virtual environment, builds the project with uv, and then scans for vulnerabilities with grype:

rm -rf bin dist uv.lock
python3 -m venv .
source ./bin/activate
uv cache clean
rm -rf lib include
uv build
uv lock
grype .
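After uv lock runs, it is worth confirming that the resolver actually picked the remediated builds rather than the upstream releases, since a plain pin resolves silently to either. The following added check (not part of the Learning Lab project) reads the [[package]] entries of a uv.lock file and classifies each pin from the pyproject.toml by its PEP 440 local version label; the lock excerpt is constructed to mirror the demo, with urllib3 deliberately left unremediated.

```python
"""Added check: do the packages uv resolved carry the Chainguard remediation
label ('+cgr.N', a PEP 440 local version) or the original upstream release?"""
import re

# Constructed uv.lock excerpt mirroring the demo pins; not the page's own file.
SAMPLE_UV_LOCK = """\
[[package]]
name = "flask"
version = "2.0.0+cgr.1"

[[package]]
name = "werkzeug"
version = "3.0.2+cgr.1"

[[package]]
name = "urllib3"
version = "1.26.7"

[[package]]
name = "setuptools"
version = "77.0.3+cgr.1"
"""

# Public versions pinned in the demo's pyproject.toml.
EXPECTED_PINS = {"flask": "2.0.0", "werkzeug": "3.0.2",
                 "urllib3": "1.26.7", "setuptools": "77.0.3"}

# uv.lock writes name and version on consecutive lines of each [[package]].
_PKG = re.compile(r'^name = "([^"]+)"\nversion = "([^"]+)"', re.MULTILINE)


def resolved_versions(lock_text):
    """Map lower-cased package name -> resolved version string."""
    return {n.lower(): v for n, v in _PKG.findall(lock_text)}


def audit(lock_text, expected):
    """Classify each pin as remediated, original, mismatch or missing."""
    resolved = resolved_versions(lock_text)
    status = {}
    for name, pin in expected.items():
        ver = resolved.get(name)
        if ver is None:
            status[name] = "missing"        # pin absent from the lock file
            continue
        public, _, local = ver.partition("+")   # '2.0.0+cgr.1' -> ('2.0.0', 'cgr.1')
        if public != pin:
            status[name] = "mismatch"       # resolver chose a different release
        elif local.startswith("cgr"):
            status[name] = "remediated"     # Chainguard CVE-fixed build
        else:
            status[name] = "original"       # upstream build, CVEs still present
    return status
```

Any package reported as "original" is the one grype will still flag, which makes the scan result easy to explain.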

Resources

Last updated: 2025-10-30 12:00