Commit 15eada4
authored
Remediates the pip side of the open Dependabot vulnerability alerts (the npm
side is handled by the dependency-update PRs). Bumps direct runtime deps and
adds explicit floors for vulnerable transitive deps so `uv lock` resolves to
patched versions regardless of the parents' lower bounds.
Direct:
- aiohttp >=3.14.0 (parser/zip-bomb DoS)
- gitpython >=3.1.50 (command injection / RCE via core.hooksPath, path traversal)
- requests >=2.33.0, python-dotenv >=1.2.2
Transitive security floors (pulled by fastapi / fastapi-users / mcp / python-jose / keyring):
- starlette >=1.0.1 (Range-header FileResponse DoS) — carries fastapi 0.119 -> 0.136
- python-multipart >=0.0.27 (arbitrary file write + DoS)
- pyjwt >=2.12.0 (unknown `crit` header), cryptography >=46.0.7 (SECT subgroup attack)
- urllib3 >=2.7.0, pyasn1 >=0.6.3, mcp >=1.23.0, idna >=3.15
Dev: black >=26.3.1 (cache-filename arbitrary write)
Resolved: starlette 1.3.1, fastapi 0.136.3, fastapi-users 15.0.5, mcp 1.27.2,
cryptography 49.0.0, aiohttp 3.14.1 (full list in uv.lock).
Deferred (tracked in #658): pytest 9 (major test-runner). Dismissed: ecdsa
Minerva timing — no fix exists and auth uses HS256 (HMAC), so ECDSA P-256 is
not on the JWT path.
1 parent 2c8f3c1 commit 15eada4
2 files changed
Lines changed: 292 additions & 211 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
32 | 32 | | |
33 | 33 | | |
34 | 34 | | |
35 | | - | |
| 35 | + | |
36 | 36 | | |
37 | 37 | | |
38 | | - | |
| 38 | + | |
39 | 39 | | |
40 | 40 | | |
41 | 41 | | |
42 | 42 | | |
43 | | - | |
44 | | - | |
| 43 | + | |
| 44 | + | |
45 | 45 | | |
46 | 46 | | |
47 | 47 | | |
| |||
61 | 61 | | |
62 | 62 | | |
63 | 63 | | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
64 | 75 | | |
65 | 76 | | |
66 | 77 | | |
| |||
73 | 84 | | |
74 | 85 | | |
75 | 86 | | |
76 | | - | |
| 87 | + | |
77 | 88 | | |
78 | 89 | | |
79 | 90 | | |
| |||
0 commit comments