Skip to content

Commit 15eada4

Browse files
authored
fix(deps): patch high-severity pip CVEs — runtime bumps + transitive security floors (#659) (#670)
Remediates the pip side of the open Dependabot vulnerability alerts (the npm side is handled by the dependency-update PRs). Bumps direct runtime deps and adds explicit floors for vulnerable transitive deps so `uv lock` resolves to patched versions regardless of the parents' lower bounds. Direct: - aiohttp >=3.14.0 (parser/zip-bomb DoS) - gitpython >=3.1.50 (command injection / RCE via core.hooksPath, path traversal) - requests >=2.33.0, python-dotenv >=1.2.2 Transitive security floors (pulled by fastapi / fastapi-users / mcp / python-jose / keyring): - starlette >=1.0.1 (Range-header FileResponse DoS) — carries fastapi 0.119 -> 0.136 - python-multipart >=0.0.27 (arbitrary file write + DoS) - pyjwt >=2.12.0 (unknown `crit` header), cryptography >=46.0.7 (SECT subgroup attack) - urllib3 >=2.7.0, pyasn1 >=0.6.3, mcp >=1.23.0, idna >=3.15 Dev: black >=26.3.1 (cache-filename arbitrary write) Resolved: starlette 1.3.1, fastapi 0.136.3, fastapi-users 15.0.5, mcp 1.27.2, cryptography 49.0.0, aiohttp 3.14.1 (full list in uv.lock). Deferred (tracked in #658): pytest 9 (major test-runner). Dismissed: ecdsa Minerva timing — no fix exists and auth uses HS256 (HMAC), so ECDSA P-256 is not on the JWT path.
1 parent 2c8f3c1 commit 15eada4

2 files changed

Lines changed: 292 additions & 211 deletions

File tree

pyproject.toml

Lines changed: 16 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -32,16 +32,16 @@ dependencies = [
3232
"websockets>=12.0",
3333
"pydantic>=2.6.0",
3434
"pydantic-settings>=2.1.0",
35-
"python-dotenv>=1.0.0",
35+
"python-dotenv>=1.2.2",
3636
"sqlalchemy>=2.0.0",
3737
"aiosqlite>=0.19.0",
38-
"aiohttp>=3.9.0",
38+
"aiohttp>=3.14.0",
3939
"httpx>=0.27.0",
4040
"typer>=0.9.0",
4141
"rich>=13.7.0",
4242
"textual>=0.86.0",
43-
"requests>=2.31.0",
44-
"gitpython>=3.1.40",
43+
"requests>=2.33.0",
44+
"gitpython>=3.1.50",
4545
"pyyaml>=6.0.0",
4646
"tree-sitter>=0.20.4",
4747
"tree-sitter-python>=0.20.4",
@@ -61,6 +61,17 @@ dependencies = [
6161
"jinja2>=3.1.6",
6262
"slowapi>=0.1.9",
6363
"rapidfuzz>=3.0.0",
64+
# Security floors — pin transitive deps to patched versions for Dependabot CVE alerts (#659).
65+
# These are pulled by fastapi / fastapi-users / mcp / python-jose / keyring; floored here so
66+
# `uv lock` resolves to non-vulnerable versions regardless of the parents' lower bounds.
67+
"starlette>=1.0.1", # Range-header FileResponse O(n^2) DoS (forces a compatible fastapi)
68+
"python-multipart>=0.0.27", # arbitrary file write + DoS in multipart parsing
69+
"pyjwt>=2.12.0", # accepts unknown `crit` header extensions
70+
"cryptography>=46.0.7", # subgroup attack on SECT curves
71+
"urllib3>=2.7.0", # header leak across redirects, decompression bombs
72+
"pyasn1>=0.6.3", # decoder DoS / unbounded recursion
73+
"mcp>=1.23.0", # DNS-rebinding protection off by default
74+
"idna>=3.15", # DoS in IDNA processing
6475
]
6576

6677
[project.optional-dependencies]
@@ -73,7 +84,7 @@ dev = [
7384
"pytest-cov>=4.1.0",
7485
"pytest-json-report>=1.5.0",
7586
"pytest-timeout>=2.3.0",
76-
"black>=24.1.0",
87+
"black>=26.3.1",
7788
"ruff>=0.2.0",
7889
"mypy>=1.8.0",
7990
"pre-commit>=3.5.0",

0 commit comments

Comments
 (0)