
Commit 8a22525

fix(deps): upgrade vulnerable transitive dependencies [security] (#75)
## Summary

Automated scan found CVEs in transitive dependencies locked in `uv.lock` files. These packages were upgraded to patched versions.

### Remediated vulnerabilities

| Package | From | To | Severity | CVE |
|---|---|---|---|---|
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34514 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34517 |
| aiohttp | 3.12.15 | 3.13.3 | Low | CVE-2025-69226 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34520 |
| aiohttp | 3.12.15 | 3.13.3 | Low | CVE-2025-69224 |
| aiohttp | 3.12.15 | 3.13.3 | Medium | CVE-2025-69228 |
| aiohttp | 3.12.15 | 3.13.3 | High | CVE-2025-69223 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34518 |
| aiohttp | 3.12.15 | 3.13.4 | Medium | CVE-2026-34525 |
| aiohttp | 3.12.15 | 3.13.3 | Low | CVE-2025-69230 |
| aiohttp | 3.12.15 | 3.13.3 | Medium | CVE-2025-69229 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34513 |
| aiohttp | 3.12.15 | 3.13.3 | Medium | CVE-2025-69227 |
| aiohttp | 3.12.15 | 3.13.4 | Medium | CVE-2026-34516 |
| aiohttp | 3.12.15 | 3.13.3 | Low | CVE-2025-69225 |
| aiohttp | 3.12.15 | 3.13.4 | Low | CVE-2026-34519 |
| aiohttp | 3.12.15 | 3.13.4 | Medium | CVE-2026-34515 |
| aiohttp | 3.12.15 | 3.13.4 | Medium | CVE-2026-22815 |
| filelock | 3.19.1 | 3.20.3 | Medium | CVE-2026-22701 |
| filelock | 3.19.1 | 3.20.1 | Medium | CVE-2025-68146 |
| jupyterlab | 4.4.7 | 4.4.8 | Low | CVE-2025-59842 |
| nbconvert | 7.16.6 | 7.17.0 | High | CVE-2025-53000 |
| pip | 25.2 | 25.3 | Medium | CVE-2025-8869 |
| pygments | 2.19.2 | 2.20.0 | Low | CVE-2026-4539 |
| pypdf | 6.0.0 | 6.6.2 | Medium | CVE-2026-24688 |
| pypdf | 6.0.0 | 6.7.2 | Low | CVE-2026-27628 |
| pypdf | 6.0.0 | 6.10.0 | Medium | CVE-2026-40260 |
| pypdf | 6.0.0 | 6.6.0 | Low | CVE-2026-22691 |
| pypdf | 6.0.0 | 6.6.0 | Low | CVE-2026-22690 |
| pypdf | 6.0.0 | 6.9.2 | Medium | CVE-2026-33699 |
| pypdf | 6.0.0 | 6.7.1 | Medium | CVE-2026-27024 |
| pypdf | 6.0.0 | 6.7.5 | Medium | CVE-2026-28804 |
| pypdf | 6.0.0 | 6.7.1 | Medium | CVE-2026-27026 |
| pypdf | 6.0.0 | 6.7.4 | Medium | CVE-2026-28351 |
| pypdf | 6.0.0 | 6.8.0 | Medium | CVE-2026-31826 |
| pypdf | 6.0.0 | 6.1.3 | Medium | CVE-2025-62708 |
| pypdf | 6.0.0 | 6.4.0 | Medium | CVE-2025-66019 |
| pypdf | 6.0.0 | 6.9.1 | Medium | CVE-2026-33123 |
| pypdf | 6.0.0 | 6.1.3 | Medium | CVE-2025-62707 |
| pypdf | 6.0.0 | 6.7.1 | Medium | CVE-2026-27025 |
| pypdf | 6.0.0 | 6.7.3 | Medium | CVE-2026-27888 |
| python-multipart | 0.0.20 | 0.0.22 | High | CVE-2026-24486 |
| requests | 2.32.5 | 2.33.0 | Medium | CVE-2026-25645 |
| starlette | 0.47.3 | 0.49.1 | High | CVE-2025-62727 |
| tornado | 6.5.2 | 6.5.5 | Medium | GHSA-78cv-mqj4-43f7 |
| tornado | 6.5.2 | 6.5.5 | High | CVE-2026-35536 |
| tornado | 6.5.2 | 6.5.5 | High | CVE-2026-31958 |
| urllib3 | 2.5.0 | 2.6.0 | High | CVE-2025-66471 |
| urllib3 | 2.5.0 | 2.6.3 | High | CVE-2026-21441 |
| urllib3 | 2.5.0 | 2.6.0 | High | CVE-2025-66418 |
| virtualenv | 20.34.0 | 20.36.1 | Medium | CVE-2026-22702 |

### Skipped (major version bump required)

| Package | From | To | Severity | CVE | Reason |
|---|---|---|---|---|---|
| cryptography | 45.0.7 | 46.0.6 | Low | CVE-2026-34073 | major bump |
| cryptography | 45.0.7 | 46.0.7 | Medium | CVE-2026-39892 | major bump |
| cryptography | 45.0.7 | 46.0.5 | High | CVE-2026-26007 | major bump |
| pip | 25.2 | 26.0 | Low | CVE-2026-1703 | major bump |

> These require a major version upgrade and should be planned manually.

### What this PR does

1. Scans all `uv.lock` files with [grype](https://github.com/anchore/grype) for known CVEs
2. Runs `uv lock --upgrade-package <pkg>` for each fixable vulnerability (skips major bumps)
3. Bumps component versions (patch) and updates CHANGELOGs via `version-bump`

> Created by [lockfile-security-scan](https://github.com/Unstructured-IO/infra/actions/workflows/lockfile-security-scan.yml).
> Targets **transitive dependencies** that Renovate cannot reach.
Co-authored-by: utic-renovate[bot] <utic-renovate[bot]@users.noreply.github.com>
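The "What this PR does" steps describe a triage rule (upgrade in place when a fix exists within the installed major version, otherwise skip and plan manually) that the commit message only states in words. The following is an added example, not code from this commit or from the lockfile-security-scan workflow, showing that rule applied to a scanner report. The report is a constructed sample whose layout (`matches[].artifact`, `matches[].vulnerability.fix.versions`) is an assumption about grype's `-o json` output; the aiohttp, pip, cryptography and requests rows mirror the commit's tables, and the last entry uses an obviously constructed placeholder id.

```python
import json

# Constructed sample modelled on the shape of a grype JSON report. The field
# names are an assumption about grype's `-o json` output; a real run would be
# something like `grype dir:. -o json`. Package versions and CVE ids for
# aiohttp, pip, cryptography and requests mirror the commit's tables; the
# final entry is a constructed placeholder with no published fix.
SAMPLE_REPORT = json.dumps({"matches": [
    {"artifact": {"name": "aiohttp", "version": "3.12.15", "type": "python"},
     "vulnerability": {"id": "CVE-2025-69223", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["3.13.3"]}}},
    {"artifact": {"name": "aiohttp", "version": "3.12.15", "type": "python"},
     "vulnerability": {"id": "CVE-2026-34514", "severity": "Low",
                       "fix": {"state": "fixed", "versions": ["3.13.4"]}}},
    {"artifact": {"name": "pip", "version": "25.2", "type": "python"},
     "vulnerability": {"id": "CVE-2025-8869", "severity": "Medium",
                       "fix": {"state": "fixed", "versions": ["25.3"]}}},
    {"artifact": {"name": "pip", "version": "25.2", "type": "python"},
     "vulnerability": {"id": "CVE-2026-1703", "severity": "Low",
                       "fix": {"state": "fixed", "versions": ["26.0"]}}},
    {"artifact": {"name": "cryptography", "version": "45.0.7", "type": "python"},
     "vulnerability": {"id": "CVE-2026-26007", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["46.0.5"]}}},
    {"artifact": {"name": "requests", "version": "2.33.0", "type": "python"},
     "vulnerability": {"id": "CVE-2026-25645", "severity": "Medium",
                       "fix": {"state": "fixed", "versions": ["2.33.0"]}}},
    {"artifact": {"name": "examplepkg", "version": "1.0.0", "type": "python"},
     "vulnerability": {"id": "CVE-0000-PLACEHOLDER", "severity": "Medium",
                       "fix": {"state": "not-fixed", "versions": []}}},
]})


def parse_version(text):
    """Turn an 'X.Y.Z' release string into a tuple of ints so that versions
    compare numerically (3.13.4 > 3.9.0, which string comparison gets wrong).
    Pre-release suffixes are not handled; use `packaging.version` for full
    PEP 440 support."""
    return tuple(int(part) for part in text.split("."))


def format_version(parts):
    return ".".join(str(p) for p in parts)


def triage(report_json):
    """Split scanner matches into in-place upgrades (fix stays within the
    installed major version), matches that need a major bump (left for manual
    planning, as the commit does) and matches with no fix available."""
    upgrades = {}   # package -> (installed, target) with target in the same major
    skipped = []    # (package, installed, fix, vuln id, severity)
    unfixed = []    # (package, vuln id)
    for match in json.loads(report_json)["matches"]:
        art, vuln = match["artifact"], match["vulnerability"]
        if art.get("type") != "python":
            continue  # uv.lock only describes Python distributions
        fixes = vuln.get("fix", {}).get("versions") or []
        if not fixes:
            unfixed.append((art["name"], vuln["id"]))
            continue
        installed = parse_version(art["version"])
        # Lowest published fix that is newer than what is locked.
        newer = [parse_version(f) for f in fixes if parse_version(f) > installed]
        if not newer:
            continue  # lockfile already at or past the fix
        fix = min(newer)
        if fix[0] != installed[0]:
            skipped.append((art["name"], art["version"], format_version(fix),
                            vuln["id"], vuln["severity"]))
            continue
        # Several CVEs may hit one package; the target is the highest in-major fix.
        previous = upgrades.get(art["name"])
        if previous is None or fix > parse_version(previous[1]):
            upgrades[art["name"]] = (art["version"], format_version(fix))
    return upgrades, skipped, unfixed


def upgrade_commands(upgrades):
    """The `uv lock` invocation the commit describes, one per package."""
    return [f"uv lock --upgrade-package {pkg}" for pkg in sorted(upgrades)]


if __name__ == "__main__":
    ups, skips, none = triage(SAMPLE_REPORT)
    for cmd in upgrade_commands(ups):
        print(cmd)
    for pkg, cur, fix, vid, sev in skips:
        print(f"SKIP {pkg} {cur} -> {fix} ({vid}, {sev}): major bump, plan manually")
    for pkg, vid in none:
        print(f"NO FIX {pkg} ({vid})")
```

Note that `uv lock --upgrade-package` only lifts the pin and lets the resolver pick a newer version that still satisfies every constraint in the project, so the resolved version can fall short of the target when another dependency caps it. Re-run the scan on the regenerated `uv.lock` and compare against the `upgrades` targets before treating a CVE as remediated.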
1 parent 4ae94b1 commit 8a22525

3 files changed

Lines changed: 137 additions & 85 deletions


CHANGELOG.md

Lines changed: 6 additions & 0 deletions
@@ -1,3 +1,9 @@
1+
## 0.1.7
2+
3+
### Security
4+
5+
- **security:** fix(deps): upgrade vulnerable transitive dependencies [security]
6+
17
## 0.1.7-dev0
28

39
### Enhancements
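Review bot: the new `### Security` entry repeats the commit title verbatim ("fix(deps): upgrade vulnerable transitive dependencies [security]") and so tells a reader of the changelog nothing about what changed; since the commit message already carries the package/CVE table, list at least the packages and version ranges here (or link PR #75) so the 0.1.7 entry is auditable. The `**security:**` bullet prefix also duplicates the `[security]` suffix on the same line; one of the two is enough.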

pyproject.toml

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
[project]
22
name = "uns_mcp"
3-
version = "0.1.6" # Set only non-dev versions to release
3+
version = "0.1.7" # Set only non-dev versions to release
44
description = "MCP server implementation providing structured tools for interacting with the Unstructured API, managing sources, destinations, workflows, and jobs"
55
requires-python = ">=3.12"
66
readme = "README.md"
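Review bot: the only change to `pyproject.toml` is the `version = "0.1.6"` to `"0.1.7"` bump, which per the inline comment makes this a release commit, while the fixed versions themselves are carried only by `uv.lock`. Nothing in the project metadata prevents a later full re-lock from resolving back to a vulnerable transitive version if an upstream constraint still allows it; consider adding lower bounds for the affected transitive packages (or the direct dependencies that pull them in) so the remediation survives the next resolution.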
