Skip to content

Commit e91f35c

Browse files
mikahanninenclaude
andauthored
security: upgrade transitive dependencies to fix 100 Dependabot vulnerabilities (#1318)
* security: upgrade transitive dependencies to fix vulnerabilities Run uv lock --upgrade on all packages (except assistant) to fix: - h11 CVE-2025-43859 (critical) - urllib3, cryptography, pillow, pypdf vulnerabilities Key upgrades: - cryptography 46.0.4 -> 46.0.5 - pypdf 6.6.2 -> 6.7.5 - h11 to 0.16.0 - pillow 12.1.0 -> 12.1.1 Also fix compatibility with jsonpath-ng 1.8.0 which changed the Index class API from 'index' attribute to 'indices' tuple. Skipped: assistant (blocked by robocorp-flet httpx/h11 conflicts) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * security: fix remaining dependabot vulnerabilities Fix upper-bound version constraints that were blocking secure versions: - packages/main: cryptography>=44.0.1,<45 -> >=46.0.5 - packages/recognition: pillow >=10.2.0,<12.0.0 -> >=10.2.0 (allows 12.1.1 on Python 3.10+) - packages/pdf: pypdf >=6.6.2 -> >=6.7.5 Fix sema4ai cryptography via override-dependencies since robocorp-vault 1.3.9 hard-caps cryptography<46.0.0: - packages/sema4ai: add override-dependencies = ["cryptography>=46.0.5"] Add recognition and pdf as local uv sources in root pyproject.toml so the root uv.lock resolves updated constraints (pillow 12.1.1 for Python >= 3.10). Regenerate lock files for main, recognition, sema4ai, and root. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
1 parent 7a8d1ad commit e91f35c

18 files changed

Lines changed: 5224 additions & 4653 deletions

File tree

packages/aws/uv.lock

Lines changed: 436 additions & 437 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/core/uv.lock

Lines changed: 251 additions & 275 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/devutils/uv.lock

Lines changed: 323 additions & 286 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/google/uv.lock

Lines changed: 528 additions & 527 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/hubspot/uv.lock

Lines changed: 455 additions & 438 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/main/pyproject.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -56,7 +56,7 @@ dependencies = [
5656
"tweepy>=3.8.0",
5757
"graphviz>=0.13.2",
5858
"notifiers>=1.3.3",
59-
"cryptography>=44.0.1,<45",
59+
"cryptography>=46.0.5",
6060
"mss>=6.0.0",
6161
"chardet>=3.0.0",
6262
"PySocks>=1.5.6,!=1.5.7,<2.0.0",

packages/main/src/RPA/JSON.py

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,11 @@ def filter(self, fn: Callable[[JSONType], bool], data: JSONType) -> JSONType:
2121
for datum in reversed(self.find(data)):
2222
index_obj = datum.path
2323
if isinstance(data, dict):
24-
index_obj.index = list(data)[index_obj.index]
24+
# Convert numeric index to dictionary key.
25+
# jsonpath-ng 1.8.0+ uses 'indices' tuple instead of 'index'.
26+
numeric_index = index_obj.indices[0]
27+
dict_key = list(data)[numeric_index]
28+
index_obj.indices = (dict_key,)
2529
index_obj.filter(fn, data)
2630
return data
2731

packages/main/uv.lock

Lines changed: 434 additions & 391 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/openai/uv.lock

Lines changed: 329 additions & 292 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

packages/pdf/pyproject.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,7 @@ dependencies = [
2727
"rpaframework-core >=12.1.0",
2828
"robotframework >=4.0.0, !=4.0.1, !=6.1.0, <8.0.0",
2929
"pdfminer.six >=20251107",
30-
"pypdf >=6.6.2",
30+
"pypdf >=6.7.5",
3131
"fpdf2 >=2.8.4",
3232
"docutils>=0.21.2",
3333
]

0 commit comments

Comments
 (0)