ai-workflow-course/modules/15-security-scanning/lab/requirements.txt
claude 389ac2e460 style(no-slop): remove every em-dash + banned words across all modules + capstone
Apply the no-ai-slop standard (now binding in AGENTS.md): the em-dash character is
banned outright (restructured, not blind-replaced), plus the banned word/phrase
list (delve, leverage, robust, seamless, truly, unlock, etc.). 0 em-dashes remain
in modules + capstone; the only "robust" left is the planted M10 ai-change.patch
trap. Module H1 titles use a colon separator.

All deliberate teaching devices preserved; labs compile/parse (py/sh/yaml/json);
no junk. AGENTS.md updated with the hard no-slop rules.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TfzV5QvtPDz8LJS3Pu5VLT
2026-06-22 23:21:09 -04:00

25 lines
1.4 KiB
Plaintext

# Dependencies an AI "suggested" for the tasks-app cloud-sync feature.
#
# This file is deliberately booby-trapped with the three things AI gets wrong about dependencies.
# Read it before you run anything; every line looks plausible, which is the whole problem.
#
# Work through it in Part B of the lab:
# 1) `pip-audit -r requirements.txt` will FAIL TO RESOLVE because of the bad names below.
# 2) Comment out the unresolvable lines (do NOT "autocorrect" them to the nearest real name).
# 3) Re-run; the real-but-old package will report an advisory. Bump it until the scan is clean.

# (1) REAL package, pinned to a KNOWN-VULNERABLE old version.
# SCA should flag an advisory here and tell you the fixed version. (Verify-before-publish:
# confirm this version still trips your scanner; re-pin if the advisory DB has moved.)
requests==2.19.1

# (2) TYPOSQUAT of a real package ("requests"). One transposed letter. Does not exist on the
# public index today; the resolver will reject it. The danger isn't the 404; it's "fixing"
# it by guessing instead of verifying what was actually meant.
reqeusts==2.31.0

# (3) HALLUCINATION: a plausible-but-invented name the model produced from thin air. This is the
# slopsquatting target: register this name with malware and the next person to `pip install`
# gets owned. Confirm it does not resolve; never add it without verifying the real project.
task-cloud-sync-client==1.4.2
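
The name checks in (2) and (3) can be run as a pre-install gate before `pip-audit` ever sees the file. The sketch below is an added example, not part of the lab or the course repository: the `VETTED` allowlist, the sample input and the function names are assumptions, and it reports on names without ever rewriting them or contacting the package index.

```python
import re

# Constructed allowlist: names a team has verified by hand (assumption, not from the lab).
VETTED = {"requests", "urllib3", "pip-audit"}

# Constructed sample mirroring the three entries in the lab's requirements.txt.
SAMPLE = """\
# comment line
requests==2.19.1
reqeusts==2.31.0
task-cloud-sync-client==1.4.2
"""

def normalize(name):
    """PEP 503 normalization: lowercase, runs of - _ . collapse to a single hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()

def osa_distance(a, b):
    """Edit distance where an adjacent transposition costs 1 (optimal string alignment)."""
    # First row and column hold the index itself; inner cells are overwritten below.
    d = [[i or j for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(requirements_text, vetted=VETTED, max_distance=2):
    """Return {name: verdict}; never rewrites a name, only reports."""
    vetted = {normalize(v) for v in vetted}
    verdicts = {}
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks, comments, pip options
            continue
        name = normalize(re.split(r"[\s=<>!~\[;@]", line, maxsplit=1)[0])
        near = sorted(v for v in vetted if 0 < osa_distance(name, v) <= max_distance)
        if name in vetted:
            verdicts[name] = "vetted name; still needs pip-audit for version advisories"
        elif near:
            verdicts[name] = f"possible typosquat of {near[0]}; verify intent, do not autocorrect"
        else:
            verdicts[name] = "unverified name; confirm the real project before installing"
    return verdicts

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE).items():
        print(f"{name}: {verdict}")
```

A vetted name says nothing about the pinned version, so case (1) still depends on the `pip-audit` run described in Part B.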