Skip to content

fix(deps): bump urllib3, cryptography, idna, requests, Pygments, pytest to patch Dependabot alerts#823

Merged
sbrunner merged 1 commit into
prospector-dev:masterfrom
sbrunner:fix/dependabot-security-updates-2025
Jun 22, 2026
Merged

fix(deps): bump urllib3, cryptography, idna, requests, Pygments, pytest to patch Dependabot alerts#823
sbrunner merged 1 commit into
prospector-dev:masterfrom
sbrunner:fix/dependabot-security-updates-2025

Conversation

@sbrunner

Copy link
Copy Markdown
Member

Fixes open Dependabot alerts by bumping affected dependencies to their minimum patched versions:

Dependency From To Alerts fixed
urllib3 2.6.3 2.7.0 #50, #51
cryptography 46.0.4 49.0.0 #43, #46, #48, #53
idna 3.11 3.18 #52
requests 2.32.5 2.34.2 #45
Pygments 2.19.2 2.20.0 #47
pytest 7.4.4 9.1.1 #49

@sbrunner sbrunner requested a review from Copilot June 22, 2026 14:25
@sbrunner sbrunner force-pushed the fix/dependabot-security-updates-2025 branch from 266c2eb to 7a82872 Compare June 22, 2026 14:27

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Poetry dependency set to address Dependabot security alerts by bumping several affected packages and regenerating poetry.lock with newer resolved versions.

Changes:

  • Bumped pytest to the 9.x series and updated the lockfile accordingly.
  • Added explicit minimum-version constraints for cryptography/idna/requests/Pygments/urllib3 in pyproject.toml.
  • Regenerated poetry.lock (now marked as generated by Poetry 2.4.1) to capture the upgraded dependency graph.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File Description
pyproject.toml Updates dev dependency constraints (pytest + adds min versions for several security-flagged packages).
poetry.lock Regenerated lockfile reflecting upgraded versions (cryptography/idna/requests/Pygments/urllib3/pytest, etc.).
Comments suppressed due to low confidence (1)

pyproject.toml:99

  • These minimum versions don't match the patched versions stated in the PR description / lockfile (e.g., cryptography is locked to 49.0.0 but allows >=48.0.1, idna is locked to 3.18 but allows >=3.15). That makes it easy for a future lock refresh to downgrade back into a vulnerable range. Consider constraining these to the actual minimum patched versions and keeping them within the current major series (caret constraints) for stability.

[tool.ruff]
target-version = "py39"

line-length = 120

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pyproject.toml Outdated
Comment thread pyproject.toml Outdated
@sbrunner sbrunner force-pushed the fix/dependabot-security-updates-2025 branch from 7a82872 to 05237fb Compare June 22, 2026 14:30
…st to patch Dependabot alerts

- urllib3 2.6.3 -> 2.7.0 (alerts prospector-dev#50, prospector-dev#51)
- cryptography 46.0.4 -> 49.0.0 (alerts prospector-dev#43, prospector-dev#46, prospector-dev#48, prospector-dev#53)
- idna 3.11 -> 3.18 (alert prospector-dev#52)
- requests 2.32.5 -> 2.34.2 (alert prospector-dev#45)
- Pygments 2.19.2 -> 2.20.0 (alert prospector-dev#47)
- pytest 7.4.4 -> 9.1.1 (alert prospector-dev#49)
@sbrunner sbrunner force-pushed the fix/dependabot-security-updates-2025 branch from 05237fb to b74e07e Compare June 22, 2026 14:32
@sbrunner

Copy link
Copy Markdown
Member Author

Fix some alert before creating a new release :-)

@sbrunner sbrunner marked this pull request as ready for review June 22, 2026 14:41
@sbrunner sbrunner merged commit 9ed0f29 into prospector-dev:master Jun 22, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants