
fix(deps): upgrade vulnerable transitive dependencies [security] #4318

Merged
lawrence-u10d merged 1 commit into main from security/lockfile-transitive-deps
Apr 3, 2026

Conversation

@lawrence-u10d (Contributor) commented Apr 3, 2026

Summary

Automated scan found CVEs in transitive dependencies locked in uv.lock files.
These packages were upgraded to patched versions.

Remediated vulnerabilities

| Package | From | To | Severity | CVE |
|---|---|---|---|---|
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34514 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34517 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34520 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34518 |
| aiohttp | 3.13.3 | 3.13.4 | Medium | CVE-2026-34525 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34513 |
| aiohttp | 3.13.3 | 3.13.4 | Medium | CVE-2026-34516 |
| aiohttp | 3.13.3 | 3.13.4 | Low | CVE-2026-34519 |
| aiohttp | 3.13.3 | 3.13.4 | Medium | CVE-2026-34515 |
| aiohttp | 3.13.3 | 3.13.4 | Medium | CVE-2026-22815 |
| authlib | 1.6.8 | 1.6.9 | High | CVE-2026-28490 |
| authlib | 1.6.8 | 1.6.9 | High | CVE-2026-28498 |
| authlib | 1.6.8 | 1.6.9 | Critical | CVE-2026-27962 |
| cryptography | 46.0.5 | 46.0.6 | Low | CVE-2026-34073 |
| onnx | 1.20.1 | 1.21.0 | High | CVE-2026-34445 |
| onnx | 1.20.1 | 1.21.0 | Medium | CVE-2026-34446 |
| onnx | 1.20.1 | 1.21.0 | Medium | CVE-2026-34447 |
| onnx | 1.20.1 | 1.21.0 | High | GHSA-q56x-g2fj-4rj6 |
| pyasn1 | 0.6.2 | 0.6.3 | High | CVE-2026-30922 |
| pygments | 2.19.2 | 2.20.0 | Low | CVE-2026-4539 |
| pyjwt | 2.11.0 | 2.12.0 | High | CVE-2026-32597 |

Skipped (major version bump required)

| Package | From | To | Severity | CVE | Reason |
|---|---|---|---|---|---|
| langchain-core | 0.3.83 | 1.2.11 | Low | CVE-2026-26013 | major bump |
| langchain-core | 0.3.83 | 1.2.22 | High | CVE-2026-34070 | major bump |

These require a major version upgrade and should be planned manually.

What this PR does

  1. Scans all `uv.lock` files with grype for known CVEs
  2. Runs `uv lock --upgrade-package <pkg>` for each fixable vulnerability (skips major bumps)
  3. Bumps component versions (patch) and updates CHANGELOGs via version-bump

Created by lockfile-security-scan.
Targets transitive dependencies that Renovate cannot reach.


Note

Medium Risk
Primarily lockfile-only dependency bumps to address CVEs; runtime behavior may change subtly due to upgraded networking/auth/crypto/ML libraries, but no application logic changes are included.

Overview
Bumps release to 0.22.15 and documents the change as a security release.

Upgrades vulnerable transitive dependencies in uv.lock (notably aiohttp, authlib, cryptography, onnx, pyasn1, pygments, pyjwt) and updates lock resolution markers (including s390x splits), with no source-code behavior changes beyond updated dependency versions.

Written by Cursor Bugbot for commit dbac0b2.

Packages upgraded: aiohttp authlib cryptography onnx pyasn1 pygments pyjwt

Automated by lockfile-security-scan workflow.
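The scan-then-selectively-upgrade procedure in "What this PR does" is simple to state but has two details worth getting right: picking a fix version that stays within the current major, and collapsing several CVEs on one package into a single upgrade target. The script below is an added illustration, not the project's lockfile-security-scan workflow. It assumes the field layout of a grype `-o json` report (`matches[].vulnerability.{id,severity,fix}` and `matches[].artifact.{name,version}`); the embedded report is constructed from the versions in this PR plus one placeholder entry with no fix, and is not real scanner output.

```python
"""Plan `uv lock --upgrade-package` commands from a grype JSON report.

Added example (not the lockfile-security-scan workflow's own code). For each
fixable match it selects the lowest fixed version that keeps the current major
version, records major-only fixes as skipped, and merges multiple CVEs on the
same package into one upgrade to the highest required target.
"""
import json
import re
import shlex

# Constructed sample shaped like grype's JSON output, abridged to the fields used.
# Versions mirror the PR table; the last entry is a placeholder with no fix.
SAMPLE_REPORT = json.loads("""
{"matches": [
  {"vulnerability": {"id": "CVE-2026-34525", "severity": "Medium",
                     "fix": {"versions": ["3.13.4"], "state": "fixed"}},
   "artifact": {"name": "aiohttp", "version": "3.13.3", "type": "python"}},
  {"vulnerability": {"id": "CVE-2026-34513", "severity": "Low",
                     "fix": {"versions": ["3.13.4"], "state": "fixed"}},
   "artifact": {"name": "aiohttp", "version": "3.13.3", "type": "python"}},
  {"vulnerability": {"id": "CVE-2026-26013", "severity": "Low",
                     "fix": {"versions": ["1.2.11"], "state": "fixed"}},
   "artifact": {"name": "langchain-core", "version": "0.3.83", "type": "python"}},
  {"vulnerability": {"id": "CVE-2026-34070", "severity": "High",
                     "fix": {"versions": ["1.2.22"], "state": "fixed"}},
   "artifact": {"name": "langchain-core", "version": "0.3.83", "type": "python"}},
  {"vulnerability": {"id": "PLACEHOLDER-UNFIXED", "severity": "High",
                     "fix": {"versions": [], "state": "not-fixed"}},
   "artifact": {"name": "examplepkg", "version": "2.0.0", "type": "python"}}
]}
""")


def release_tuple(version: str) -> tuple:
    """Numeric release segments of a PEP 440-style version: "1.2.11rc1" -> (1, 2, 11).

    Simplified on purpose: pre-release and local suffixes are dropped, which is
    enough to compare release numbers and detect a change of major version.
    """
    parts = []
    for seg in version.split("+")[0].split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_major_bump(current: str, target: str) -> bool:
    """True when the first release segment changes (0.3.83 -> 1.2.11 counts)."""
    return release_tuple(current)[:1] != release_tuple(target)[:1]


def plan_upgrades(report: dict):
    """Return (upgrades, skipped).

    upgrades: {package: (current, target)} with the highest same-major fix needed
              across all of that package's matches.
    skipped:  [(package, current, proposed, vuln_id, reason)] for matches that
              have no fix or whose only fix is a major version bump.
    """
    upgrades, skipped = {}, []
    for match in report["matches"]:
        art, vuln = match["artifact"], match["vulnerability"]
        fix = vuln.get("fix", {})
        current = art["version"]
        fixed = [v for v in fix.get("versions", [])
                 if release_tuple(v) > release_tuple(current)]
        if fix.get("state") != "fixed" or not fixed:
            skipped.append((art["name"], current, None, vuln["id"], "no fix available"))
            continue
        same_major = sorted((v for v in fixed if not is_major_bump(current, v)),
                            key=release_tuple)
        if not same_major:
            skipped.append((art["name"], current, min(fixed, key=release_tuple),
                            vuln["id"], "major bump"))
            continue
        target = same_major[0]  # smallest fix that stays within the current major
        prev = upgrades.get(art["name"])
        if prev is None or release_tuple(target) > release_tuple(prev[1]):
            upgrades[art["name"]] = (current, target)
    return upgrades, skipped


def uv_commands(upgrades: dict) -> list:
    """One `uv lock --upgrade-package name==version` per package, shell-quoted."""
    return [f"uv lock --upgrade-package {shlex.quote(f'{name}=={target}')}"
            for name, (_, target) in sorted(upgrades.items())]


if __name__ == "__main__":
    ups, skips = plan_upgrades(SAMPLE_REPORT)
    for cmd in uv_commands(ups):
        print(cmd)
    for name, cur, proposed, vid, reason in skips:
        print(f"skip {name} {cur} -> {proposed} ({vid}): {reason}")
```

Run it from each directory that contains a `uv.lock` (the lockfile location is taken from the project, not from the report), feeding it `grype -o json` output in place of the constructed sample. The `fix.state != "fixed"` check matters in practice: grype also reports matches with state `not-fixed` or `wont-fix`, and issuing an upgrade for those would either fail or pull an unrelated version.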
@lawrence-u10d lawrence-u10d added the dependencies and security labels Apr 3, 2026
@lawrence-u10d lawrence-u10d added this pull request to the merge queue Apr 3, 2026
Merged via the queue into main with commit 051b358 Apr 3, 2026
55 checks passed
@lawrence-u10d lawrence-u10d deleted the security/lockfile-transitive-deps branch April 3, 2026 15:11