containerfile: consolidate security pins in requirements.txt

Containerfile.slim

@@ -18,10 +18,9 @@ RUN python -m venv /opt/venv
 ENV PATH="/opt/venv/bin:$PATH"
 RUN pip install --no-cache-dir --upgrade "pip>=25.3" wheel
 
-# Install Python dependencies
+# Install Python dependencies (includes security pins from requirements.txt)
 COPY requirements.txt .
-RUN pip install --no-cache-dir -r requirements.txt gunicorn && \
-    pip install --no-cache-dir --upgrade "pip>=25.3" "jaraco.context>=6.1.0"
+RUN pip install --no-cache-dir -r requirements.txt gunicorn
 
 
 # Stage 2: Alpine runtime (minimal)
@@ -30,8 +29,10 @@ FROM python:3.11-alpine
 LABEL maintainer="FlaskPaste"
 LABEL description="Minimal secure pastebin REST API (Alpine)"
 
-# Upgrade base image pip to fix CVE-2025-8869
-RUN pip install --no-cache-dir --upgrade "pip>=25.3" "jaraco.context>=6.1.0"
+# Apply security fixes to base image (versions from requirements.txt)
+COPY requirements.txt /tmp/
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir -r /tmp/requirements.txt && rm /tmp/requirements.txt
 
 # Create non-root user
 RUN addgroup -g 65532 -S flaskpaste && adduser -u 65532 -S -G flaskpaste flaskpaste

requirements.txt

@@ -11,6 +11,7 @@ prometheus-flask-exporter>=0.23
 cryptography>=42.0
 
 # Security fixes (transitive dependency pins)
+pip>=25.3
 urllib3>=2.6.3
 jaraco.context>=6.1.0
 setuptools>=80.0