
Commit 2528741

fix: bump pytest, aiohttp, and cryptography for security CVEs (#535)
* fix: bump pytest, aiohttp, and cryptography for security CVEs - pytest 9.0.2 → 9.0.3 (CVE-2025-71176, High — RCE via symlink TOCTOU) - aiohttp 3.13.3 → 3.13.5 (10 Medium CVEs — DoS, CRLF injection, credential theft, request smuggling) - cryptography 46.0.6 → 46.0.7 (CVE-2026-39892, Medium — buffer overflow on Python >3.11) Add constraint-dependencies for transitive deps (aiohttp, cryptography) to enforce minimum safe versions across both the workspace and e2e lockfiles. * style: fix indentation in tests_e2e/pyproject.toml Match the 2-space indentation used throughout the file.
1 parent 54d51bd commit 2528741

3 files changed

+179
-163
lines changed


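--- a/pyproject.toml
+++ b/pyproject.toml
@@ -31,12 +31,19 @@ members = [
 # IMPORTANT: This root is NOT a package. It only defines workspace configuration.
 package = false
 required-version = ">=0.7.10"
+# Minimum versions for transitive dependencies with known security vulnerabilities.
+# aiohttp 3.13.3: CVE-2026-22815, CVE-2026-34513 through CVE-2026-34525 (multiple DoS, CRLF injection, credential theft)
+# cryptography 46.0.6: CVE-2026-39892 (buffer overflow on Python >3.11)
+constraint-dependencies = [
+"aiohttp>=3.13.5",
+"cryptography>=46.0.7",
+]
 
 [dependency-groups]
 dev = [
 "jsonpath-ng>=1.5.3,<2",
 "pre-commit>=4.0.0,<5",
-"pytest>=9.0.2,<10",
+"pytest>=9.0.3,<10",
 "pytest-asyncio>=1.3.0,<2",
 "pytest-cov>=7.0.0,<8",
 "pytest-env>=1.2.0,<2",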
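--- a/tests_e2e/pyproject.toml
+++ b/tests_e2e/pyproject.toml
@@ -12,7 +12,7 @@ data-designer = { path = "../packages/data-designer" }
 
 [dependency-groups]
 dev = [
-"pytest>=9.0.2,<10",
+"pytest>=9.0.3,<10",
 ]
 
 [project.entry-points."data_designer.plugins"]
@@ -31,6 +31,11 @@ env = [
 [tool.uv]
 package = true
 required-version = ">=0.7.10"
+# Minimum versions for transitive dependencies with known security vulnerabilities.
+constraint-dependencies = [
+"aiohttp>=3.13.5",
+"cryptography>=46.0.7",
+]
 
 [build-system]
 requires = ["hatchling"]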