From e846f9d7eb7790f2a5cc5275e80a988692396216 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sat, 20 Jun 2026 06:52:00 +0000
Subject: [PATCH] chore(deps): pin dependencies

---
 .github/workflows/ci.yml         | 4 ++--
 .github/workflows/new-issues.yml | 2 +-
 Dockerfile                       | 8 ++++----
 docker-compose.yml               | 4 ++--
 package.json                     | 2 +-
 yarn.lock                        | 4 ++--
 6 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 93a56d938d..3dd59388cd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,7 +6,7 @@ jobs:
 
     services:
       db:
-        image: postgres:18.3
+        image: postgres:18.3@sha256:7e32e9833a6fb1c92c32552794cb6ed569d51b445a54907d35fc112ef39684db
         # Health checks to wait until postgres has started
         options: >-
           --health-cmd pg_isready
@@ -103,7 +103,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Setup NodeJS
-        uses: actions/setup-node@v2-beta
+        uses: actions/setup-node@27082cecf3ff7a1742dbd5e12605f0cb59dce2d9 # v2-beta
         with:
           node-version: 24.14.0
 
diff --git a/.github/workflows/new-issues.yml b/.github/workflows/new-issues.yml
index 75d3fe65a8..994b90bda1 100644
--- a/.github/workflows/new-issues.yml
+++ b/.github/workflows/new-issues.yml
@@ -8,5 +8,5 @@ on:
 
 jobs:
   add-to-hq:
-    uses: mitodl/ol-github-workflows/.github/workflows/add-to-ol-hq.yaml@main
+    uses: mitodl/ol-github-workflows/.github/workflows/add-to-ol-hq.yaml@edd566dec1edd920d35ab1fb60b589cddc44afad # main
     secrets: inherit
diff --git a/Dockerfile b/Dockerfile
index 1aec8326da..e7dc011873 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Build stage
-FROM python:3.13-slim AS builder
+FROM python:3.13-slim@sha256:c33f0bc4364a6881bed1ec0cc2665e6c53c87a43e774aaeab88e6f17af105e4f AS builder
 LABEL maintainer="ODL DevOps <mitx-devops@mit.edu>"
 
 # Set environment variables for build
@@ -38,7 +38,7 @@ ENV PYTHONUNBUFFERED=1 \
 ENV PATH="/opt/venv/bin:$PATH"
 
 # Install uv
-COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /usr/local/bin/
+COPY --from=ghcr.io/astral-sh/uv:latest@sha256:d0a0a753ab981624b49c97abc98821c1c09f4ca69d1ef5cee69c501be3d88479 /uv /uvx /usr/local/bin/
 
 COPY pyproject.toml uv.lock /src/
 RUN mkdir -p /opt/venv && chown -R mitodl:mitodl /src /opt/venv
@@ -48,7 +48,7 @@ WORKDIR /src
 RUN uv sync --frozen --no-install-project --no-dev
 
 
-FROM node:24-slim AS node_builder
+FROM node:24-slim@sha256:c2d5ade763cacfb03fe9cb8e8af5d1be5041ff331921fa26a9b231ca3a4f780a AS node_builder
 COPY . /src
 WORKDIR /src
 ENV NODE_ENV=production
@@ -57,7 +57,7 @@ RUN yarn install --immutable \
 
 
 # Runtime stage
-FROM python:3.13-slim AS runtime
+FROM python:3.13-slim@sha256:c33f0bc4364a6881bed1ec0cc2665e6c53c87a43e774aaeab88e6f17af105e4f AS runtime
 
 # Set environment variables for production
 ENV PYTHONUNBUFFERED=1 \
diff --git a/docker-compose.yml b/docker-compose.yml
index 9781418fe2..0cd7fa451d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,7 +20,7 @@ x-extra-hosts: &default-extra-hosts
 
 services:
   db:
-    image: postgres:18.3
+    image: postgres:18.3@sha256:7e32e9833a6fb1c92c32552794cb6ed569d51b445a54907d35fc112ef39684db
     environment:
       POSTGRES_PASSWORD: postgres # pragma: allowlist secret
     ports:
@@ -68,7 +68,7 @@ services:
     extra_hosts: *default-extra-hosts
 
   watch:
-    image: node:24.14.0
+    image: node:24.14.0@sha256:5a593d74b632d1c6f816457477b6819760e13624455d587eef0fa418c8d0777b
     working_dir: /src
     command: >
       /bin/bash -c './webpack_dev_server.sh --install'
diff --git a/package.json b/package.json
index 969395ab4d..fa7e51508a 100644
--- a/package.json
+++ b/package.json
@@ -149,6 +149,6 @@
     "normalize-url": "^9.0.0"
   },
   "devDependencies": {
-    "eslint-plugin-react-hooks": "^5.2.0"
+    "eslint-plugin-react-hooks": "5.2.0"
   }
 }
diff --git a/yarn.lock b/yarn.lock
index 50197255d0..c150e424d6 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -6171,7 +6171,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"eslint-plugin-react-hooks@npm:^5.2.0":
+"eslint-plugin-react-hooks@npm:5.2.0":
   version: 5.2.0
   resolution: "eslint-plugin-react-hooks@npm:5.2.0"
   peerDependencies:
@@ -9749,7 +9749,7 @@ __metadata:
     eslint-plugin-flowtype: ^8.0.3
     eslint-plugin-mocha: ^6.3.0
     eslint-plugin-react: ^7.19.0
-    eslint-plugin-react-hooks: ^5.2.0
+    eslint-plugin-react-hooks: 5.2.0
     expose-loader: ^5.0.0
     express: ^5.0.0
     fetch-mock: ^12.0.0