Skip to content

fix: address security vulnerabilities while maintaining Python 3.9 support#1544

Merged
KRRT7 merged 3 commits into
mainfrom
fix-security-vulnerabilities
Feb 19, 2026
Merged

fix: address security vulnerabilities while maintaining Python 3.9 support#1544
KRRT7 merged 3 commits into
mainfrom
fix-security-vulnerabilities

Conversation

@KRRT7

@KRRT7 KRRT7 commented Feb 19, 2026

Copy link
Copy Markdown
Contributor

Summary

Resolves 12 Dependabot security alerts by constraining vulnerable packages to Python 3.10+ where patches are available.

Changes

Python Dependencies

  • filelock: Pin <3.20.3 for Python 3.9, >=3.20.3 for Python 3.10+
    • Fixes 2 medium-severity TOCTOU symlink vulnerabilities
  • tensorflow: Only install on Python 3.10+ (brings keras >=3.12.1, pillow >=12.1.1)
    • Fixes 8 high-severity keras vulnerabilities including:
    • Fixes 1 high-severity pillow out-of-bounds write (CVE-2025-26082)

JavaScript Dependencies

  • vitest: Update to 4.0.18 in test fixture directory

Python 3.9 Impact

  • Python 3.9 reached EOL in October 2025
  • filelock 3.19.1 remains for Python 3.9 (has known medium-severity TOCTOU vulnerabilities)
  • tensorflow/keras/pillow excluded from Python 3.9 test dependencies
  • All high-severity vulnerabilities are resolved for Python 3.10+

Test Plan

  • CI will verify compatibility across Python 3.9-3.14
  • Python 3.9: Uses filelock 3.19.1, no tensorflow
  • Python 3.10+: Uses filelock 3.24.3, tensorflow 2.20.0 with patched keras/pillow

@KRRT7
fix: address security vulnerabilities while maintaining Python 3.9 su…
3e282ee 
…pport

Resolve 12 Dependabot security alerts by constraining vulnerable packages
to Python 3.10+ where patches are available:

Python dependencies:
- filelock: Pin <3.20.3 for Python 3.9, >=3.20.3 for Python 3.10+
  (fixes TOCTOU symlink vulnerabilities CVE-2024-XXXXX)
- tensorflow: Only install on Python 3.10+ (brings keras >=3.12.1, pillow >=12.1.1)
  (fixes 8 high-severity keras vulnerabilities including arbitrary code execution,
   directory traversal, and 1 high-severity pillow out-of-bounds write)

JavaScript dependencies:
- vitest: Update to latest (4.0.18) in test fixture directory
  (fixes moderate-severity esbuild SSRF vulnerability GHSA-67mh-4wv8-2f99)

Python 3.9 notes:
- filelock 3.19.1 has known TOCTOU vulnerabilities (medium severity)
- tensorflow/keras/pillow excluded from Python 3.9 test dependencies
- Python 3.9 reached EOL in October 2025, vulnerabilities are expected

All high-severity vulnerabilities are resolved for Python 3.10+.
Python 3.9 users should upgrade to 3.10+ for full security patches.
@claude

claude Bot commented Feb 19, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

PR Review Summary

Prek Checks

✅ Passed — no Python files changed in this PR, so no linting/formatting issues to check.

Mypy

✅ N/A — no Python source files changed.

Code Review

✅ No critical issues found. Changes are well-structured:

  • CI consolidation: Windows tests correctly merged into main unit-tests.yaml workflow using matrix include entries. The PYTHONIOENCODING: utf-8 env var and runs-on: ${{ matrix.os }} are properly set.
  • filelock dependency: Correctly split with Python version markers (>=3.20.3 for 3.10+, <3.20.3 for 3.9) to address TOCTOU symlink vulnerabilities.
  • tensorflow restriction: Properly constrained to python_version >= '3.10' in both main dependencies and test group, resolving 8 high-severity keras CVEs + 1 pillow CVE.
  • vitest update: Bumped from ^2.0.0 to ^4.0.18 in test fixture directory, fixing the esbuild SSRF vulnerability (GHSA-67mh-4wv8-2f99).
  • uv.lock: Correctly updated to reflect all dependency constraint changes.

Test Coverage

N/A — no Python source files were changed in this PR. Changes are limited to:

  • CI workflow files (.github/workflows/)
  • pyproject.toml (dependency constraints only)
  • uv.lock
  • JS test fixture packages (code_to_optimize/js/)

No coverage regression possible from these changes.

Last updated: 2026-02-19

@github-actions github-actions Bot added the workflow-modified This PR modifies GitHub Actions workflows label Feb 19, 2026
@KRRT7
ci: add Windows to unit tests matrix
d09fa5c 
Run unit tests on Windows with Python 3.13 in addition to all Python
versions (3.9-3.14) on Ubuntu. This ensures cross-platform compatibility
is tested while keeping Windows test duration reasonable.
@KRRT7 KRRT7 force-pushed the fix-security-vulnerabilities branch from ca9b4a0 to d09fa5c Compare February 19, 2026 06:34
@KRRT7
ci: consolidate Windows tests into main unit-tests workflow
8199728 
Remove redundant windows-unit-tests.yml and add Windows Python 3.13 job
to the main unit-tests.yaml workflow. Add PYTHONIOENCODING env var for
Windows compatibility.
@KRRT7 KRRT7 merged commit ece8ae2 into main Feb 19, 2026
27 of 28 checks passed
@KRRT7 KRRT7 deleted the fix-security-vulnerabilities branch February 19, 2026 06:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

workflow-modified This PR modifies GitHub Actions workflows

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@KRRT7