
Commit f6d091f

fix: remediate Trivy dependency findings (#226)
## Summary

Remediates the Trivy high findings reported for AgentEx package locks.

## Changes

- Raises backend `python-multipart` from `>=0.0.26` to `>=0.0.27` to resolve CVE-2026-42561.
- Adds a workspace uv override for `mako>=1.3.12` so Alembic resolves the fixed Mako release for CVE-2026-44307.
- Regenerates `public/uv.lock`, which is the lockfile consumed by AgentEx backend Docker builds.
- Bumps AgentEx UI `vite` from `7.3.1` to `7.3.2` after a fresh Trivy pass surfaced two Vite high findings fixed in `7.3.2`.

## Validation

- `uv lock --check`
- `uv export --frozen --no-dev --package agentex-backend --no-emit-package agentex-backend`
  - confirmed `mako==1.3.12`
  - confirmed `python-multipart==0.0.27`
- Verified Vite lock metadata resolves to `vite@7.3.2` with npm registry integrity.
- Reran Trivy over the AgentEx superproject worktree after this submodule update:
  - Critical: 0
  - High: 0
  - Medium: 11
  - Low: 2

## Notes

`Mako` is not a direct runtime dependency of AgentEx; it is pulled via Alembic. The uv override is intentional so the resolver keeps Alembic but selects the fixed Mako version.

After disk space was recovered, reran `npm install --package-lock-only --ignore-scripts` from `agentex-ui/`. npm completed successfully and produced no additional lockfile drift beyond the intended `vite@7.3.2` patch.
1 parent d9d9543 commit f6d091f

5 files changed

Lines changed: 17 additions & 13 deletions

agentex-ui/package-lock.json

Lines changed: 4 additions & 4 deletions

agentex-ui/package.json

Lines changed: 1 addition & 1 deletion
@@ -66,7 +66,7 @@
6666
"@types/react-dom": "^19",
6767
"@types/react-syntax-highlighter": "^15.5.13",
6868
"@vitejs/plugin-react": "^5.1.4",
69-
"vite": "^7.3.1",
69+
"vite": "^7.3.2",
7070
"@vitest/coverage-v8": "^4.0.6",
7171
"@vitest/ui": "^4.0.6",
7272
"eslint": "9.32.0",
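Review bot: the caret range `"vite": "^7.3.1"` already admitted 7.3.2, so the remediation is actually carried by the regenerated `package-lock.json` (not rendered here); raising the floor to `"^7.3.2"` is still the right change, because it stops a lock-less `npm install` from resolving back to 7.3.1. Worth keeping the two in step on review: confirm the lock entry for `vite` resolves to exactly the version the commit message claims, including its `integrity` field, since the lockfile is the artifact the build consumes.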

agentex/pyproject.toml

Lines changed: 1 addition & 1 deletion
@@ -17,7 +17,7 @@ dependencies = [
1717
"alembic>=1.13.3,<2",
1818
"psycopg2-binary>=2.9.9,<3",
1919
"docker>=7.1.0,<8",
20-
"python-multipart>=0.0.26",
20+
"python-multipart>=0.0.27",
2121
"aiodocker>=0.23.0,<0.24",
2222
"kubernetes-asyncio>=31.1.0,<32",
2323
"aiohttp>=3.10.9,<4",
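Review bot: `"python-multipart>=0.0.27"` is the only entry in this dependency list without an upper bound; every neighbour (`"alembic>=1.13.3,<2"`, `"psycopg2-binary>=2.9.9,<3"`, `"docker>=7.1.0,<8"`, and so on) caps at the next major. If the omission is deliberate, a short comment on the line would help; otherwise `"python-multipart>=0.0.27,<0.1"` would match the surrounding convention while still forcing the fixed release.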

pyproject.toml

Lines changed: 2 additions & 0 deletions
@@ -31,6 +31,8 @@ override-dependencies = [
3131
"fastapi>=0.135.0",
3232
"starlette>=0.52.0",
3333
"httpx[http2]>=0.28.1,<0.29",
34+
"mako>=1.3.12",
35+
"python-multipart>=0.0.27",
3436
]
3537

3638
[tool.uv.workspace]
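Review bot: the hunk adds two overrides, `"mako>=1.3.12"` and `"python-multipart>=0.0.27"`, but the commit message only documents the Mako one; the `python-multipart` override duplicates the direct floor raised in `agentex/pyproject.toml`, so either state why it is needed here as well or drop it. Since `override-dependencies` replaces whatever constraint a dependent declares rather than intersecting with it, a future Alembic release that caps Mako below 1.3.12 would be silently overridden instead of failing resolution; an inline TOML comment naming the CVE and the condition for removing the override would keep this from becoming a permanent, unexplained pin.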

uv.lock

Lines changed: 9 additions & 7 deletions