From ee0e1211a61f668626d4edba50509e05b051f98b Mon Sep 17 00:00:00 2001
From: Username <user@mymx.me>
Date: Sun, 18 Jan 2026 16:29:41 +0100
Subject: [PATCH] containerfile: remove vendored jaraco.context dist-info

setuptools vendors jaraco.context 5.3.0 internally; Trivy detects
this even with 6.1.0 installed separately. Remove the vendored
dist-info to silence the false positive.
---
 Containerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Containerfile b/Containerfile
index b53a4ea..4930db7 100644
--- a/Containerfile
+++ b/Containerfile
@@ -18,7 +18,8 @@ RUN pip install --no-cache-dir --upgrade pip wheel
 
 # Install Python dependencies (includes security pins for setuptools, jaraco.context)
 COPY requirements.txt .
-RUN pip install --no-cache-dir -r requirements.txt gunicorn
+RUN pip install --no-cache-dir -r requirements.txt gunicorn \
+    && rm -rf /opt/venv/lib/python*/site-packages/setuptools/_vendor/jaraco.context*.dist-info
 
 
 # Stage 2: Runtime image
@@ -31,6 +32,7 @@ LABEL description="Lightweight secure pastebin REST API"
 # Note: System packages upgraded for Trivy scan; app runs from venv
 RUN apt clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
     && pip install --no-cache-dir --upgrade pip 'setuptools>=80.0' 'jaraco.context>=6.1.0' \
+    && rm -rf /usr/local/lib/python*/site-packages/setuptools/_vendor/jaraco.context*.dist-info \
     && groupadd -r flaskpaste && useradd -r -g flaskpaste flaskpaste
 
 # Copy virtual environment from builder