# Chainguard Libraries for JavaScript and CVE remediation for Python libraries

URL: https://edu.chainguard.dev/software-security/learning-labs/ll202510.md
Last Modified: October 30, 2025
Tags: Learning Labs, Chainguard Libraries

Learning Lab for October 2025 about Chainguard Libraries for JavaScript and CVE remediation for Python libraries

The October 2025 Learning Lab with Manfred Moser covers Chainguard Libraries for JavaScript and CVE remediation with Chainguard Libraries for Python. It starts with an overview of libraries and the JavaScript ecosystem and moves on to a demo with npm and pnpm. In the second section, Manfred explains the approach to CVE remediation and shows an example project with remediation and scanning with grype.

## Sections

- 0:00 Introduction
- 1:55 Agenda
- 2:54 Secure container and the role of libraries
- 5:20 Software supply chain for libraries and security
- 6:51 Chainguard Libraries and the JavaScript ecosystem
- 14:33 Malware in the npm ecosystem
- 18:39 Chainguard Libraries for JavaScript
- 25:57 Demos with npm and pnpm
- 33:50 Troubleshooting results and additional demos
- 41:34 Chainguard Libraries for Python
- 43:39 CVE remediation process and examples
- 52:03 Demos with uv and grype
- 56:25 Further resources
- 57:35 Next up
- 58:18 Questions
- 1:06:00 Wrapping up

## JavaScript demo

The demonstration of Chainguard Libraries for JavaScript walks through the minimal example for pnpm with direct access to the registry and with access to a local repository manager, and shows an equivalent project with npm as well.

## CVE remediation demo

The example project to showcase the CVE remediation for Python packages uses a simple project setup for use with uv.

The pyproject.toml file contains all relevant configuration:

```toml
[project]
name = "uv-example"
version = "0.1.0"
description = "An example project with uv for Chainguard Libraries"
readme = "README.md"
requires-python = ">=3.13"
dependencies = [
    "flask==2.0.0", # fix with 2.0.0+cgr.1
    "werkzeug==3.0.2", # fix in 3.0.2+cgr.1
    "urllib3==1.26.7", # fix in 1.26.7+cgr.1
    "setuptools==77.0.3" # fix in 77.0.3+cgr.1
]

[[tool.uv.index]]
name = "nexus"
#url = "http://localhost:8081/repository/python-all/simple/"
url = "http://localhost:8081/repository/python-all-remediated/simple/"
```

Note that the declared dependencies use only the plain semantic version. These versions are resolved to the specific versions with the CVE fixes in place if the remediated packages are available.

The script sets up a new virtual environment, builds the project with uv, and then scans for vulnerabilities with grype:
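
```bash
# Remove output from previous runs
rm -rf bin dist uv.lock
# Create and activate a virtual environment in the project directory
python3 -m venv .
source ./bin/activate
# Clear the uv cache so packages are fetched from the configured index again
uv cache clean
# Remove the lib and include directories
rm -rf lib include
# Build the project and resolve the dependencies into uv.lock
uv build
uv lock
# Scan the project directory for vulnerabilities
grype .
```

## Resources

- Slide deck
- Chainguard Libraries product site
- Chainguard Libraries documentation
- Chainguard Libraries for JavaScript documentation
- Chainguard Libraries for Python documentation
- CVE Remediation for Chainguard Libraries
- Vulnerability Scanners and Chainguard Libraries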
