
fix(DATAGO-135330): upgrade pip to 26.1+ for CVE-2026-6357, CVE-2026-3219#1562

Merged

Hugo-Pare merged 1 commit into main from DATAGO-135330-pip-vulnerability on May 25, 2026

Conversation


@Hugo-Pare Hugo-Pare commented May 25, 2026

Summary

  • Upgrade pip in venv from 25.3 to 26.1+
  • Fixes CVE-2026-6357 (CVSS 5.3 Medium) - self-update check imports vulnerability
  • Fixes CVE-2026-3219 (CVSS 4.6 Medium) - tar/ZIP concatenation handling

Fixes: DATAGO-135330

Test plan

🤖 Generated with Claude Code

Copilot AI review requested due to automatic review settings May 25, 2026 18:28
@Hugo-Pare Hugo-Pare self-assigned this May 25, 2026

Copilot AI left a comment


Pull request overview

Updates the container build to ensure the Python virtual environment’s pip version is upgraded to a patched release line (26.1+) to address the CVEs called out in DATAGO-135330.

Changes:

  • Add an explicit pip upgrade step after creating /opt/venv to ensure pip>=26.1 is installed in the venv.


github-actions Bot commented May 25, 2026

✅ FOSSA Guard: Licensing (SolaceLabs_solace-agent-mesh) • PASSED

Compared against main (3cb0c3c74fd41214b4727c8eaca27d7a4f885730) • 0 new, 5 total (5 in base)


github-actions Bot commented May 25, 2026

✅ FOSSA Guard: Vulnerability (SolaceLabs_solace-agent-mesh) • PASSED

Compared against main (3cb0c3c74fd41214b4727c8eaca27d7a4f885730) • 0 new, 5 total (5 in base)


@Hugo-Pare Hugo-Pare force-pushed the DATAGO-135330-pip-vulnerability branch 2 times, most recently from c9df750 to f6d3f64 Compare May 25, 2026 18:58
…to 11.15.0

- pip 26.1.1: CVE-2026-6357, CVE-2026-3219
- jwcrypto 1.5.7: CVE-2026-39373
- mermaid 11.15.0: security update

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@Hugo-Pare Hugo-Pare force-pushed the DATAGO-135330-pip-vulnerability branch from f6d3f64 to f361f04 Compare May 25, 2026 19:00
sonarqube-solacecloud Bot commented:

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication


@Hugo-Pare Hugo-Pare merged commit 35ff2d1 into main May 25, 2026
25 of 27 checks passed
@Hugo-Pare Hugo-Pare deleted the DATAGO-135330-pip-vulnerability branch May 25, 2026 20:31