
deps: pin python-dotenv >=1.2.2 (CVE-2026-28684)#51

Merged
bk86a merged 2 commits into main from security/pin-python-dotenv on Apr 23, 2026

Conversation

bk86a (Owner) commented Apr 23, 2026

Summary

  • Pins transitive dependency python-dotenv to >=1.2.2,<2 to fix CVE-2026-28684.
  • Currently being resolved to 1.0.1 via pydantic-settings / uvicorn[standard]; pip-audit started flagging this and is blocking the open dependabot PRs.

Test plan

  • CI security job passes (pip-audit clean)
  • Other CI checks remain green

🤖 Generated with Claude Code

bk86a and others added 2 commits April 23, 2026 08:50
Transitive dependency (via pydantic-settings/uvicorn[standard]) was
being resolved to 1.0.1, which pip-audit now flags. Pinning directly
at the floor of the fixed version.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

CI's pip-audit reads requirements.lock; the floor pin in requirements.txt
alone doesn't affect the audited lock. Updating the lock entry directly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: aa81eed591

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread on requirements.txt
pydantic>=2,<3
pydantic-settings>=2,<3
slowapi>=0.1,<1
python-dotenv>=1.2.2,<2
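Review bot: The `python-dotenv>=1.2.2,<2` floor on this line only constrains a fresh resolution; as the second commit message and the Codex comment both state, CI's `pip-audit -r requirements.lock` and the Dockerfile's `pip install -r requirements.lock` never read this file, so the fix for CVE-2026-28684 is only effective once the matching `python-dotenv==1.2.2` lock entry is part of this change and the security job is re-run against the lock. Consider showing the requirements.lock diff beside this hunk and regenerating the lock from requirements.txt rather than editing the entry by hand, so the two files cannot drift again.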

P1: Regenerate lockfile after raising python-dotenv floor

This pin in requirements.txt does not actually change what gets audited or deployed, because both the security workflow (pip-audit -r requirements.lock in .github/workflows/ci.yml) and the container build (pip install -r requirements.lock in Dockerfile) consume requirements.lock, which still contains python-dotenv==1.0.1. As a result, the CVE fix is ineffective in production and the security job can remain blocked until the lockfile is updated to include a safe version.

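The mismatch the Codex comment describes (a floor raised in requirements.txt while the audited and deployed requirements.lock still pins the vulnerable release) is easy to catch in CI before pip-audit ever runs. The following is an added example, not code from this repository or from the Codex review: a small stdlib-only check that reads both files, resolves each `==` pin in the lock against the specifier clauses declared in requirements.txt, and reports any lock entry that falls outside them. The requirements.txt contents mirror the hunk above; the lock contents (`STALE_LOCK`, `FIXED_LOCK`) are constructed for illustration and are not the project's real lockfile. Only release segments (`1.2.2`) are compared; pre-release and `~=` handling are out of scope here.

```python
import re

# Constructed sample inputs mirroring the PR: the declared floor in
# requirements.txt and a requirements.lock that was NOT regenerated.
REQUIREMENTS_TXT = """\
pydantic>=2,<3
pydantic-settings>=2,<3
slowapi>=0.1,<1
python-dotenv>=1.2.2,<2
"""

# Hypothetical lock contents; the versions of the other packages are made up.
STALE_LOCK = """\
pydantic==2.7.1
pydantic-settings==2.2.1
slowapi==0.1.9
python-dotenv==1.0.1
"""

FIXED_LOCK = STALE_LOCK.replace("python-dotenv==1.0.1", "python-dotenv==1.2.2")

# name, optional [extras], then the specifier string (comments already stripped)
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$")
_CLAUSE_RE = re.compile(r"(==|>=|<=|!=|~=|>|<)\s*([0-9][0-9A-Za-z.]*)")


def _norm(name):
    # PEP 503 name normalisation: case-insensitive, runs of "-", "_", "." become "-"
    return re.sub(r"[-_.]+", "-", name).lower()


def _version(text):
    # Release segment only: "1.2.2" -> (1, 2, 2); pre/post/dev suffixes are ignored
    return tuple(int(p) for p in re.match(r"[0-9]+(?:\.[0-9]+)*", text).group(0).split("."))


def parse_requirements(text):
    """Map normalised project name -> list of (operator, version) clauses."""
    reqs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and -r/-e/--hash options
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        clauses = [(op, ver) for op, ver in _CLAUSE_RE.findall(m.group(2))]
        reqs[_norm(m.group(1))] = clauses
    return reqs


def satisfies(version, clauses):
    """True if `version` meets every clause; unsupported operators (~=) are ignored."""
    v = _version(version)
    for op, bound in clauses:
        b = _version(bound)
        ok = {"==": v == b, ">=": v >= b, "<=": v <= b,
              ">": v > b, "<": v < b, "!=": v != b}.get(op, True)
        if not ok:
            return False
    return True


def lock_violations(requirements_txt, lock_txt):
    """Return [(name, locked_version, declared_spec)] for lock pins outside the declared range."""
    declared = parse_requirements(requirements_txt)
    locked = parse_requirements(lock_txt)
    violations = []
    for name, clauses in declared.items():
        pins = [ver for op, ver in locked.get(name, []) if op == "=="]
        if not pins:
            continue  # package not pinned in the lock at all; nothing to compare
        if not satisfies(pins[0], clauses):
            spec = ",".join(op + ver for op, ver in clauses)
            violations.append((name, pins[0], spec))
    return violations


if __name__ == "__main__":
    for label, lock in (("stale lock", STALE_LOCK), ("fixed lock", FIXED_LOCK)):
        bad = lock_violations(REQUIREMENTS_TXT, lock)
        status = "OK" if not bad else "; ".join(f"{n}=={v} violates {s}" for n, v, s in bad)
        print(f"{label}: {status}")
```

Wired into the CI security job ahead of `pip-audit -r requirements.lock`, a non-empty result from `lock_violations` fails the build with a message naming the stale pin, which is exactly the condition this PR's first commit would have tripped.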

@bk86a bk86a merged commit e562cc5 into main Apr 23, 2026
10 checks passed
@bk86a bk86a deleted the security/pin-python-dotenv branch April 23, 2026 06:54
