
fix(deps): upgrade vulnerable transitive dependencies [security]#4317

Closed
lawrence-u10d wants to merge 1 commit into main from security/lockfile-transitive-deps

Conversation

@lawrence-u10d
Contributor

@lawrence-u10d lawrence-u10d commented Apr 3, 2026

Summary

Automated scan found CVEs in transitive dependencies locked in uv.lock files.
These packages were upgraded to patched versions.

Remediated vulnerabilities

| Package | From | To | Severity | CVE |
|---|---|---|---|---|
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34514 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34517 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34520 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34518 |
| aiohttp | 3.13.3 | 3.13.4 | Medium | CVE-2026-34525 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34513 |
| aiohttp | 3.13.3 | 3.13.4 | Medium | CVE-2026-34516 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34519 |
| aiohttp | 3.13.3 | 3.13.4 | Medium | CVE-2026-34515 |
| aiohttp | 3.13.3 | 3.13.4 | Medium | CVE-2026-22815 |
| authlib | 1.6.8 | 1.6.9 | High | CVE-2026-28490 |
| authlib | 1.6.8 | 1.6.9 | High | CVE-2026-28498 |
| authlib | 1.6.8 | 1.6.9 | Critical | CVE-2026-27962 |
| cryptography | 46.0.5 | 46.0.6 | Low | CVE-2026-34073 |
| onnx | 1.20.1 | 1.21.0 | High | CVE-2026-34445 |
| onnx | 1.20.1 | 1.21.0 | Medium | CVE-2026-34446 |
| onnx | 1.20.1 | 1.21.0 | Medium | CVE-2026-34447 |
| onnx | 1.20.1 | 1.21.0 | High | GHSA-q56x-g2fj-4rj6 |
| pyasn1 | 0.6.2 | 0.6.3 | High | CVE-2026-30922 |
| pygments | 2.19.2 | 2.20.0 | Low | CVE-2026-4539 |
| pyjwt | 2.11.0 | 2.12.0 | High | CVE-2026-32597 |

Skipped (major version bump required)

| Package | From | To | Severity | CVE | Reason |
|---|---|---|---|---|---|
| langchain-core | 0.3.83 | 1.2.11 | Low | CVE-2026-26013 | major bump |
| langchain-core | 0.3.83 | 1.2.22 | High | CVE-2026-34070 | major bump |

These require a major version upgrade and should be planned manually.

What this PR does

  1. Scans all uv.lock files with grype for known CVEs
  2. Runs uv lock --upgrade-package <pkg> for each fixable vulnerability (skips major bumps)
  3. Bumps component versions (patch) and updates CHANGELOGs via version-bump

Created by lockfile-security-scan.
Targets transitive dependencies that Renovate cannot reach.


Note

Low Risk
Only updates the published version and changelog entry; no runtime code changes are included. Main risk is indirect: consumers will pick up dependency updates in the release.

Overview
Publishes 0.22.15 by bumping __version__ and adding a changelog entry noting a security transitive-dependency upgrade release.

Written by Cursor Bugbot for commit f23babe.

Packages upgraded: aiohttp authlib cryptography onnx pyasn1 pygments pyjwt

Automated by lockfile-security-scan workflow.
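The scan-and-upgrade loop in steps 1 and 2 of the description, as an added Python example (not the lockfile-security-scan workflow's own code): it reads a grype JSON report, picks the lowest patched release that covers every advisory for a package, and separates fixable packages from those that would need a major bump, which is why langchain-core lands in the skipped list. The grype field layout, the constructed report excerpt, and the pinned `name==version` form of `uv lock --upgrade-package` are assumptions.

```python
"""Plan uv lockfile upgrades from a grype JSON report, skipping major bumps."""
import json
from collections import defaultdict

# Constructed report excerpt. Field names follow grype's JSON output
# (matches[].artifact, matches[].vulnerability.fix.versions); assumed here.
GRYPE_REPORT = json.dumps({"matches": [
    {"artifact": {"name": "aiohttp", "version": "3.13.3"},
     "vulnerability": {"id": "CVE-2026-34525", "severity": "Medium",
                       "fix": {"versions": ["3.13.4"], "state": "fixed"}}},
    {"artifact": {"name": "langchain-core", "version": "0.3.83"},
     "vulnerability": {"id": "CVE-2026-26013", "severity": "Low",
                       "fix": {"versions": ["1.2.11"], "state": "fixed"}}},
    {"artifact": {"name": "langchain-core", "version": "0.3.83"},
     "vulnerability": {"id": "CVE-2026-34070", "severity": "High",
                       "fix": {"versions": ["1.2.22"], "state": "fixed"}}},
]})

def parse_version(v):
    """Numeric tuple of a release string, e.g. '46.0.5' -> (46, 0, 5)."""
    return tuple(int("".join(ch for ch in p if ch.isdigit()) or 0)
                 for p in v.split("."))

def plan_upgrades(report_json):
    """Return (upgrade, skipped): lists of (package, from, to, [advisory ids])."""
    targets = defaultdict(lambda: {"from": None, "to": None, "ids": []})
    for m in json.loads(report_json)["matches"]:
        name, cur = m["artifact"]["name"], m["artifact"]["version"]
        fixes = [f for f in m["vulnerability"].get("fix", {}).get("versions", [])
                 if parse_version(f) > parse_version(cur)]
        if not fixes:
            continue  # no patched release to move to; leave for manual triage
        fix = min(fixes, key=parse_version)  # smallest release fixing this advisory
        t = targets[name]
        t["from"] = cur
        t["ids"].append(m["vulnerability"]["id"])
        # keep the highest per-advisory minimum so one bump covers every advisory
        if t["to"] is None or parse_version(fix) > parse_version(t["to"]):
            t["to"] = fix
    upgrade, skipped = [], []
    for name, t in sorted(targets.items()):
        row = (name, t["from"], t["to"], sorted(t["ids"]))
        major_bump = parse_version(t["to"])[0] != parse_version(t["from"])[0]
        (skipped if major_bump else upgrade).append(row)
    return upgrade, skipped

def uv_commands(upgrade):
    """Commands the workflow would run; the ==version pin is an assumed form."""
    return [f"uv lock --upgrade-package {name}=={to}" for name, _, to, _ in upgrade]
```

Advisories with no patched release never reach either list, so they surface only through manual triage rather than a silent no-op upgrade.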
@lawrence-u10d lawrence-u10d added the dependencies and security labels Apr 3, 2026
@lawrence-u10d
Contributor Author

Closing: lockfile was rewritten with private index URLs. Will re-run with fix.

@lawrence-u10d lawrence-u10d deleted the security/lockfile-transitive-deps branch April 3, 2026 12:17