fix(deps): resolve all Dependabot security alerts

[gkorland]

Summary

Fixes all 30 open Dependabot security alerts by bumping vulnerable dependencies to their patched versions.

Changes

Python (pyproject.toml + uv.lock)

• litellm ~=1.82.0 → ~=1.83.0 — fixes 4 alerts (2 critical, 2 high)
  • Authentication bypass via OIDC userinfo cache key collision
  • Privilege escalation via unrestricted proxy configuration endpoint
• fastmcp >=2.13.1 → >=3.2.0 — fixes 2 critical alerts
  • SSRF & path traversal vulnerability in OpenAPI provider
• aiohttp added >=3.13.4 constraint — fixes 20 alerts (various severities)
  • Duplicate Host headers, header injection, multipart bypass, memory DoS, CRLF injection, cookie leaks, SSRF on Windows, unbounded DNS cache DoS, unlimited trailer headers
• Updated fastmcp.server.openapi import to non-deprecated fastmcp.server.providers.openapi

JavaScript (package.json + package-lock.json)

• lodash-es override to 4.18.1 — fixes 4 alerts (2 high, 2 medium)
  • Prototype pollution via array path bypass in _.unset and _.omit
  • Code injection via _.template imports key names

Testing

• uv sync — dependencies resolve cleanly
• make lint — pylint 10/10, ESLint passes
• make build-prod — frontend builds successfully with lodash-es 4.18.1
• Import verification: from fastmcp.server.providers.openapi import MCPType, RouteMap works

Memory / Performance Impact

N/A — dependency version bumps only.

Related Issues

Resolves Dependabot alerts #96–#125 (all 30 open alerts)

Summary by CodeRabbit

• Chores
  • Updated dependencies: upgraded LiteLLM and FastMCP to newer versions
  • Added aiohttp as a new dependency
  • Pinned transitive dependency version for stability

[overcut-ai]

Completed Working on "Code Review"

✅ Code review complete. No issues found - all changes look good! ✅

✅ Workflow completed successfully.

---

👉 View complete log

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 869c3999-c081-426a-89c2-e56a32ddf306

📥 Commits

Reviewing files that changed from the base of the PR and between 4695d0d and da53e66.

⛔ Files ignored due to path filters (2)

• package-lock.json is excluded by !**/package-lock.json
• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (3)

• api/app_factory.py
• package.json
• pyproject.toml

---

📝 Walkthrough

Walkthrough

Updated import paths to reflect package restructuring in FastMCP, with corresponding dependency version bumps in both Python and Node.js ecosystems. No functional logic changes were made; import statements and dependency constraints were realigned to support the new package organization.

Changes

Cohort / File(s)	Summary
FastMCP Import Path Update api/app_factory.py	Updated import source for MCPType and RouteMap from fastmcp.server.openapi to fastmcp.server.providers.openapi, reflecting package restructuring.
Python Dependencies pyproject.toml	Upgraded litellm to ~=1.83.0, bumped fastmcp to >=3.2.0 to align with package changes, and added new dependency aiohttp>=3.13.4.
Node.js Dependency Resolution package.json	Pinned lodash-es to version 4.18.1 via package overrides to ensure consistent dependency resolution.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

Poem

🐰 Hopping through imports, restructuring neat,
FastMCP's path now complete and sweet,
Versions bumped with a gentle bounce,
Dependencies locked, precision we pounce!
Code flows forward, clean as can be,
A refactor delight for all to see! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'fix(deps): resolve all Dependabot security alerts' directly and accurately summarizes the main objective of the changeset: updating dependencies to fix security vulnerabilities.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/dependabot-security-alerts

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[railway-app]

🚅 Deployed to the QueryWeaver-pr-517 environment in queryweaver

Service	Status	Web	Updated (UTC)
QueryWeaver	✅ Success (View Logs)	Web	Apr 4, 2026 at 9:40 pm

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 0e924c1.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

pyproject.toml

Package	Version	License	Issue Type
aiohttp	>= 3.13.4	Null	Unknown License
fastmcp	>= 3.2.0	Null	Unknown License

OpenSSF Scorecard

Package	Version	Score	Details
pip/aiohttp	>= 3.13.4	Unknown	Unknown
pip/fastmcp	>= 3.2.0	Unknown	Unknown

Scanned Files

• pyproject.toml

[galshubeli]

@copilot resolve merge conflict

[Copilot]

@copilot resolve merge conflict

Resolved in 0e924c1. Merged staging into this branch — the only conflict was in package-lock.json. Took staging's version since staging already has lodash-es at 4.18.1 directly (without needing root-level overrides). All security fixes are preserved: litellm~=1.83.0, fastmcp>=3.2.0, and aiohttp>=3.13.4.