fix(deps): upgrade 6 vulnerable transitive dependencies#134

Merged
luarss merged 2 commits into
mainfrom
fix/dependabot-security-advisories-jun2026
Jun 24, 2026
Conversation

@luarss luarss commented Jun 22, 2026

Collaborator

Summary

Fixes 16 known vulnerabilities across 6 transitive packages that were stale in uv.lock:

| Package | Before | After | Advisories |
|---|---|---|---|
| authlib | 1.6.11 | 1.7.2 | PYSEC-2026-188 |
| cryptography | 46.0.7 | 49.0.0 | GHSA-537c-gmf6-5ccf |
| idna | 3.11 | 3.18 | PYSEC-2026-215 |
| pydantic-settings | 2.13.1 | 2.14.2 | GHSA-4xgf-cpjx-pc3j |
| pyjwt | 2.12.1 | 2.13.0 | PYSEC-2026-175/176/177/178/179 |
| python-multipart | 0.0.26 | 0.0.32 | CVE-2026-42561/53538/53539/53540 |

Previous Dependabot PRs (#110, #115, #128, #133) updated requirements.txt but left uv.lock stale. This PR syncs uv.lock and regenerates both requirements files.

Verified: pip-audit reports No known vulnerabilities found after these upgrades.

Test plan

  • CI passes
  • pip-audit shows no known vulnerabilities

luarss added 2 commits June 22, 2026 22:34
Upgrades 6 packages with known security advisories:
- authlib 1.6.11 → 1.7.2 (PYSEC-2026-188)
- cryptography 46.0.7 → 49.0.0 (GHSA-537c-gmf6-5ccf)
- idna 3.11 → 3.18 (PYSEC-2026-215)
- pydantic-settings 2.13.1 → 2.14.2 (GHSA-4xgf-cpjx-pc3j)
- pyjwt 2.12.1 → 2.13.0 (PYSEC-2026-175/176/177/178/179)
- python-multipart 0.0.26 → 0.0.32 (CVE-2026-42561/53538/53539/53540)

Verified clean with pip-audit after upgrade.

Switch fully to uv-managed lockfile; pip-compiled requirements files
are no longer needed.
@luarss luarss enabled auto-merge (squash) June 22, 2026 14:40
@luarss luarss disabled auto-merge June 24, 2026 00:10
@luarss luarss merged commit 3696627 into main Jun 24, 2026
14 checks passed