From acff1aa27bbc5f1cf93359b9f90b62b84a1e0151 Mon Sep 17 00:00:00 2001
From: Anthonios Partheniou <partheniou@google.com>
Date: Thu, 12 Feb 2026 17:16:55 +0000
Subject: [PATCH] fix(nodejs): remove wheel 0.45.1

---
 docker/owlbot/nodejs/Dockerfile           | 6 ++++++
 docker/owlbot/nodejs_mono_repo/Dockerfile | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/docker/owlbot/nodejs/Dockerfile b/docker/owlbot/nodejs/Dockerfile
index 76920d11e..c3692f718 100644
--- a/docker/owlbot/nodejs/Dockerfile
+++ b/docker/owlbot/nodejs/Dockerfile
@@ -105,6 +105,12 @@ RUN rm -rf /opt/venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/whee
 RUN rm -rf /opt/venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/pip-25.3-py3-none-any.whl
 RUN rm -rf /opt/venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl
 
+# TODO: Remove this code once there is a newer version of virtualenv which does not include wheel 45.1
+# https://github.com/pypa/virtualenv/tree/20.36.1/src/virtualenv/seed/wheels/embed
+# In the interim, remove the bundled wheel 45.1
+# since it does not include a fix for CVE-2026-24049
+RUN rm -rf /opt/venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/wheel-0.45.1-py3-none-any.whl
+
 # Set PYTHONPATH to ensure synthtool can be found by Python scripts.
 # Include the virtual environment's site-packages for completeness, though
 # the PATH modification often handles this for executables run directly.
diff --git a/docker/owlbot/nodejs_mono_repo/Dockerfile b/docker/owlbot/nodejs_mono_repo/Dockerfile
index 230007d79..deebfe4ca 100644
--- a/docker/owlbot/nodejs_mono_repo/Dockerfile
+++ b/docker/owlbot/nodejs_mono_repo/Dockerfile
@@ -110,6 +110,12 @@ RUN rm -rf /opt/venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/whee
 RUN rm -rf /opt/venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/pip-25.3-py3-none-any.whl
 RUN rm -rf /opt/venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/pip-25.0.1-py3-none-any.whl
 
+# TODO: Remove this code once there is a newer version of virtualenv which does not include wheel 45.1
+# https://github.com/pypa/virtualenv/tree/20.36.1/src/virtualenv/seed/wheels/embed
+# In the interim, remove the bundled wheel 45.1
+# since it does not include a fix for CVE-2026-24049
+RUN rm -rf /opt/venv/synthtool/lib/python3.13/site-packages/virtualenv/seed/wheels/embed/wheel-0.45.1-py3-none-any.whl
+
 # Set PYTHONPATH to ensure synthtool can be found by Python scripts.
 # Include the virtual environment's site-packages for completeness.
 ENV PYTHONPATH="/synthtool:$VIRTUAL_ENV/lib/python3.13/site-packages"