
fix(deps): upgrade vulnerable transitive dependencies [security]#4334

Merged
lawrence-u10d merged 1 commit into main from security/lockfile-transitive-deps on Apr 12, 2026

Conversation

@utic-github-cicd-token-generator
Contributor

Summary

Automated scan found CVEs in transitive dependencies locked in uv.lock files.
These packages were upgraded to patched versions.

Remediated vulnerabilities

| Package | From | To | Severity | CVE |
|---|---|---|---|---|
| cryptography | 46.0.6 | 46.0.7 | Medium | CVE-2026-39892 |
| pypdf | 6.9.2 | 6.10.0 | Medium | CVE-2026-40260 |

Skipped (major version bump required)

| Package | From | To | Severity | CVE | Reason |
|---|---|---|---|---|---|
| langchain-core | 0.3.83 | 1.2.11 | Low | CVE-2026-26013 | major bump |
| langchain-core | 0.3.83 | 1.2.22 | High | CVE-2026-34070 | major bump |

These require a major version upgrade and should be planned manually.

What this PR does

  1. Scans all `uv.lock` files with `grype` for known CVEs
  2. Runs `uv lock --upgrade-package <pkg>` for each fixable vulnerability (skips major bumps)
  3. Bumps component versions (patch) and updates CHANGELOGs via `version-bump`

Created by lockfile-security-scan.
Targets transitive dependencies that Renovate cannot reach.
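The triage rule in steps 1 and 2 (apply a fix when it stays within the current major version, otherwise report it for manual planning) is the part worth seeing as code. The block below is an added example, not code from the lockfile-security-scan workflow or this repository. It parses a constructed report shaped like grype's JSON output (the `matches[].artifact` / `matches[].vulnerability.fix.versions` layout is an assumption about that schema), uses the packages and versions listed in this PR as sample data, splits findings into the two tables above, and emits the `uv lock --upgrade-package` commands. It generalizes slightly: when grype lists several fix versions, the lowest fix within the current major wins over a later-major fix.

```python
"""Classify grype findings for a uv.lock file into in-place upgrades and
major-bump skips, then emit the `uv lock --upgrade-package` commands.
Added example; grype JSON layout below is assumed, not taken from grype docs."""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample report (schema assumed), using the packages and
# versions from this PR's two tables.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"artifact": {"name": "cryptography", "version": "46.0.6"},
     "vulnerability": {"id": "CVE-2026-39892", "severity": "Medium",
                       "fix": {"state": "fixed", "versions": ["46.0.7"]}}},
    {"artifact": {"name": "pypdf", "version": "6.9.2"},
     "vulnerability": {"id": "CVE-2026-40260", "severity": "Medium",
                       "fix": {"state": "fixed", "versions": ["6.10.0"]}}},
    {"artifact": {"name": "langchain-core", "version": "0.3.83"},
     "vulnerability": {"id": "CVE-2026-26013", "severity": "Low",
                       "fix": {"state": "fixed", "versions": ["1.2.11"]}}},
    {"artifact": {"name": "langchain-core", "version": "0.3.83"},
     "vulnerability": {"id": "CVE-2026-34070", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["1.2.22"]}}},
]})


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a dotted version as a comparable tuple, so that
    '6.10.0' sorts after '6.9.2' (numeric, not lexical, comparison)."""
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def pick_fix(current: str, candidates: List[str]) -> Tuple[str, str]:
    """Return (target_version, reason): 'fixable' when the lowest fix newer
    than `current` shares its major version, 'major bump' when every newer
    fix lies in a later major, 'no fix' when no candidate is newer."""
    newer = sorted((v for v in candidates
                    if parse_version(v) > parse_version(current)),
                   key=parse_version)
    if not newer:
        return "", "no fix"
    cur_major = parse_version(current)[0]
    same_major = [v for v in newer if parse_version(v)[0] == cur_major]
    if same_major:
        return same_major[0], "fixable"
    return newer[0], "major bump"


def classify(report_json: str) -> Dict[str, List[dict]]:
    """Split a grype report into 'remediated' and 'skipped' rows, one per
    CVE, mirroring the two tables in the PR description."""
    out: Dict[str, List[dict]] = {"remediated": [], "skipped": []}
    for match in json.loads(report_json)["matches"]:
        art, vuln = match["artifact"], match["vulnerability"]
        target, reason = pick_fix(art["version"],
                                  vuln.get("fix", {}).get("versions", []))
        row = {"package": art["name"], "from": art["version"], "to": target,
               "severity": vuln["severity"], "cve": vuln["id"]}
        if reason == "fixable":
            out["remediated"].append(row)
        else:
            row["reason"] = reason
            out["skipped"].append(row)
    return out


def upgrade_commands(rows: List[dict]) -> List[str]:
    """One `uv lock --upgrade-package` per distinct package, in report order,
    even when several CVEs map to the same package."""
    packages: List[str] = []
    for row in rows:
        if row["package"] not in packages:
            packages.append(row["package"])
    return [f"uv lock --upgrade-package {pkg}" for pkg in packages]


if __name__ == "__main__":
    result = classify(SAMPLE_GRYPE_JSON)
    for row in result["remediated"]:
        print("upgrade", row)
    for row in result["skipped"]:
        print("skip   ", row)
    print("\n".join(upgrade_commands(result["remediated"])))
```

Run against a real report you would feed it the output of a grype scan of the lockfile instead of `SAMPLE_GRYPE_JSON`; the 'no fix' bucket is the one to watch in a real run, since a finding with no patched release never appears in either table above.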

Packages upgraded: cryptography pypdf

Automated by lockfile-security-scan workflow.
@utic-github-cicd-token-generator (bot) added the `dependencies` and `security` labels on Apr 12, 2026
@lawrence-u10d lawrence-u10d added this pull request to the merge queue Apr 12, 2026
Merged via the queue into main with commit 029f491 Apr 12, 2026
53 checks passed
@lawrence-u10d lawrence-u10d deleted the security/lockfile-transitive-deps branch April 12, 2026 05:45