fix: address all 8 open Dependabot security alerts #184
Merged
Conversation
- black: ^25.1.0 → >=26.3.1 (high: arbitrary file write, alert #19)
- pytest: ^8.4.1 → >=9.0.3 (medium: vulnerable tmpdir handling, alert #27)
- cryptography: >=44.0.1 → >=46.0.7 (low+medium: buffer overflow + DNS constraint bypass, alerts #23 and #25; python_version marker preserved)
- langchain-core: pinned >=1.2.28 (high+medium: path traversal + f-string injection, alerts #22 and #26; resolved to 1.2.29)
- pygments: pinned >=2.20.0 (low: ReDoS via GUID regex, alert #24)
- requests: pinned >=2.33.0 (medium: insecure temp file reuse, alert #21; resolved to 2.33.1)

Transitive deps (langchain-core, pygments, requests) are added as explicit lower-bound dev constraints so future resolver runs cannot silently downgrade them back into a vulnerable range.
Contributor
Pull request overview
This PR updates the Poetry dependency set to remediate multiple Dependabot security alerts by bumping direct dev tools and by adding explicit constraints for previously-transitive vulnerable packages, then regenerates poetry.lock with the resolved secure versions.
Changes:
- Raise minimum versions for black, pytest, and cryptography in dev dependencies.
- Add explicit dev constraints for langchain-core, pygments, and requests to prevent resolving into vulnerable ranges.
- Regenerate poetry.lock to reflect the new dependency resolutions.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pyproject.toml | Updates dev dependency constraints and adds explicit lower-bound constraints for vulnerable transitive deps. |
| poetry.lock | Regenerated lockfile reflecting the upgraded/resolved dependency graph. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Agent-Logs-Url: https://github.com/redis-developer/langgraph-redis/sessions/52d02816-a3c7-4652-943e-a42232554f1d
Co-authored-by: bsbodden <24109+bsbodden@users.noreply.github.com>
…aints
- Regenerate poetry.lock which was stale after Copilot's pyproject.toml edits
(CI was failing with 'pyproject.toml changed significantly since poetry.lock
was last generated')
- Add upper bounds to transitive security constraints per review feedback:
langchain-core: >=1.2.28,<2
pygments: >=2.20.0,<3
requests: >=2.33.1,<3
This keeps the resolver from silently picking up future major versions while
still enforcing the security minimums.