[Security] Pin Python dependencies for supply chain protection

[SeanMeyer]

Summary

• Pin 36 previously-unpinned Python dependencies across 23 files to exact versions for supply chain protection
• Covers 3 requirements.txt files and 17 Dockerfiles with pip install commands
• Django versions chosen per Python runtime compatibility:
  • Python 2.7: django==1.11.29
  • Python 3.7: django==3.2.25
  • Python 3.8-3.9: django==4.2.29
  • Python 3.10+: django==5.2.12

Part of incident #51987 supply chain protection campaign.

Files changed

Requirements files (16 deps pinned):

• requirements.txt — matplotlib
• utils/build/docker/python/tornado/requirements-tornado.txt — PyYAML, tornado, pycryptodome, jinja2, psycopg2-binary, httpx
• utils/build/docker/python/fastapi/requirements-fastapi.txt — PyYAML, fastapi, uvicorn, requests, pycryptodome, python-multipart, jinja2, psycopg2-binary, itsdangerous

Dockerfiles (20 deps pinned across 17 files):

• lib-injection/build/docker/python/ — 8 Dockerfiles (django, uvicorn, gunicorn)
• utils/build/virtual_machine/weblogs/python/ — 12 Dockerfiles (django)

Test plan

• Verify CI passes — these are version pins of currently-latest packages, so no behavioral change expected
• Spot-check a few Docker builds to confirm the pinned versions install correctly
• Verify Python 3.7/3.8/3.9 Dockerfiles work with their respective Django LTS versions

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com

[github-actions]

CODEOWNERS have been resolved as:

lib-injection/build/docker/python/dd-lib-python-init-test-django-27/Dockerfile  @DataDog/system-tests-core
lib-injection/build/docker/python/dd-lib-python-init-test-django-gunicorn-alpine/Dockerfile  @DataDog/system-tests-core
lib-injection/build/docker/python/dd-lib-python-init-test-django-gunicorn/Dockerfile  @DataDog/system-tests-core
lib-injection/build/docker/python/dd-lib-python-init-test-django-preinstalled/Dockerfile  @DataDog/system-tests-core
lib-injection/build/docker/python/dd-lib-python-init-test-django-unsupported-package-force/Dockerfile  @DataDog/system-tests-core
lib-injection/build/docker/python/dd-lib-python-init-test-django-uvicorn/Dockerfile  @DataDog/system-tests-core
lib-injection/build/docker/python/dd-lib-python-init-test-django/Dockerfile  @DataDog/system-tests-core
lib-injection/build/docker/python/dd-lib-python-init-test-protobuf-old/Dockerfile  @DataDog/system-tests-core
requirements.txt                                                        @DataDog/system-tests-core
utils/build/docker/python/fastapi/requirements-fastapi.txt              @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/docker/python/tornado/requirements-tornado.txt              @DataDog/apm-python @DataDog/asm-python @DataDog/system-tests-core
utils/build/virtual_machine/weblogs/python/test-app-python-container/Dockerfile.template  @DataDog/system-tests-core
utils/build/virtual_machine/weblogs/python/test-app-python-multialpine/Dockerfile.python_3_10-alpine  @DataDog/system-tests-core
utils/build/virtual_machine/weblogs/python/test-app-python-multialpine/Dockerfile.python_3_11-alpine  @DataDog/system-tests-core
utils/build/virtual_machine/weblogs/python/test-app-python-multialpine/Dockerfile.python_3_12-alpine  @DataDog/system-tests-core
utils/build/virtual_machine/weblogs/python/test-app-python-multialpine/Dockerfile.python_3_8-alpine  @DataDog/system-tests-core
utils/build/virtual_machine/weblogs/python/test-app-python-multialpine/Dockerfile.python_3_9-alpine  @DataDog/system-tests-core
utils/build/virtual_machine/weblogs/python/test-app-python-multicontainer/Dockerfile.python_3_10  @DataDog/system-tests-core
utils/build/virtual_machine/weblogs/python/test-app-python-multicontainer/Dockerfile.python_3_11  @DataDog/system-tests-core
utils/build/virtual_machine/weblogs/python/test-app-python-multicontainer/Dockerfile.python_3_12  @DataDog/system-tests-core
utils/build/virtual_machine/weblogs/python/test-app-python-multicontainer/Dockerfile.python_3_8  @DataDog/system-tests-core
utils/build/virtual_machine/weblogs/python/test-app-python-multicontainer/Dockerfile.python_3_9  @DataDog/system-tests-core
utils/build/virtual_machine/weblogs/python/test-app-python37-container/Dockerfile.template  @DataDog/system-tests-core

[datadog-prod-us1-5]

⚠️ Tests

✨ Fix all issues with BitsAI or with Cursor

⚠️ Warnings

🧪 1 Test failed

tests.parametric.test_tracer.Test_ProcessTags_ServiceName.test_process_tag_svc_auto[library_env0, parametric-python] from system_tests_suite     (Fix with Cursor)

AssertionError: DD_SERVICE is set - Expecting svc.auto: in entrypoint.basedir:app,entrypoint.name:-m,entrypoint.type:script,entrypoint.workdir:app
assert 'svc.auto:' in 'entrypoint.basedir:app,entrypoint.name:-m,entrypoint.type:script,entrypoint.workdir:app'

self = <tests.parametric.test_tracer.Test_ProcessTags_ServiceName object at 0x7f3b3e49c260>
test_agent = <utils.docker_fixtures._test_agent.TestAgentAPI object at 0x7f3b3e208080>
test_library = <utils.docker_fixtures._test_clients._test_client_parametric.ParametricTestClientApi object at 0x7f3b3de464e0>

    @parametrize("library_env", [{"DD_EXPERIMENTAL_PROPAGATE_PROCESS_TAGS_ENABLED": "true"}])
    def test_process_tag_svc_auto(self, test_agent: TestAgentAPI, test_library: APMLibrary) -> None:
        """When DD_SERVICE is unset, process tags must include svc.auto:<default_svc_name>"""
...

ℹ️ Info

No other issues found (see more)

❄️ No new flaky tests detected

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 2401bea | Docs | Datadog PR Page | Was this helpful? React with 👍/👎 or give us feedback!}