fix(security): remediate Dependabot alerts (#337)#344
Conversation
…files Bump litellm, langchain-core, starlette, and transitive deps in root uv.lock; add pnpm overrides for shell-quote, form-data, ws, tmp, and vite; restore demo tool pyproject.toml files and refresh their lockfiles (drops python-jose/ecdsa). Resolves dependabot#483 Resolves dependabot#366 Resolves dependabot#375 Resolves dependabot#376 Resolves dependabot#478 Resolves dependabot#480 Resolves dependabot#408 Resolves dependabot#457 Resolves dependabot#423 Resolves dependabot#396 Resolves dependabot#451 Resolves dependabot#359 Resolves dependabot#324 Resolves dependabot#363 Resolves dependabot#362 Resolves dependabot#443 Resolves dependabot#445 Resolves dependabot#448 Resolves dependabot#450 Resolves dependabot#295 Resolves dependabot#296 Resolves dependabot#297 Fixes #337
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (3)
📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughMinimum version floors are raised for security in both the Python ( ChangesSecurity Dependency Version Floor Bumps
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
CRM and email MCP demo subprojects resolve from the root lockfile; drop per-subproject manifests and lockfiles added in the prior commit.
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
src/cuga/demo_tools/crm/pyproject.toml (1)
15-15: ⚡ Quick winRemove redundant
python-multipartconstraint.
python-multipart>=0.0.27appears in both the maindependencieslist (line 15) andconstraint-dependencies(line 42). Since it's already a direct dependency, the constraint is redundant. Theconstraint-dependenciessection is intended for transitive dependencies that aren't explicitly declared.♻️ Simplify by removing the constraint
[tool.uv] dev-dependencies = [ "pytest>=7.4.0", "pytest-asyncio>=0.21.0", "httpx>=0.25.0", "faker>=20.1.0", ] constraint-dependencies = [ "starlette>=1.3.1", - "python-multipart>=0.0.27", "mako>=1.3.11", "pyasn1>=0.6.3", "pyjwt[crypto]>=2.12.0", ]Also applies to: 42-42
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/cuga/demo_tools/crm/pyproject.toml` at line 15, Remove the redundant `python-multipart>=0.0.27` entry from the constraint-dependencies section in pyproject.toml. Since python-multipart is already declared as a direct dependency in the main dependencies list, it should not be repeated in constraint-dependencies, which is reserved for transitive dependencies only. Delete the python-multipart constraint from line 42.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@pyproject.toml`:
- Line 12: Clarify the security rationale for langchain-core>=1.3.3 in the
pyproject.toml file. Add a comment or documentation explaining whether this
version bump addresses a specific security advisory (and if so, reference the
advisory ID) or if it is purely a compatibility requirement. Additionally,
review the mako version pin and associated advisory comments: remove the invalid
advisory ID GHSA-2mpv-x229-jh2r from the mako comment, and evaluate whether
upgrading mako to >=1.3.12 (instead of >=1.3.11) is necessary to address the
CVE-2026-44307 / GHSA-2h4p-vjrc-8xpq path traversal vulnerability if it falls
within the project's security scope.
---
Nitpick comments:
In `@src/cuga/demo_tools/crm/pyproject.toml`:
- Line 15: Remove the redundant `python-multipart>=0.0.27` entry from the
constraint-dependencies section in pyproject.toml. Since python-multipart is
already declared as a direct dependency in the main dependencies list, it should
not be repeated in constraint-dependencies, which is reserved for transitive
dependencies only. Delete the python-multipart constraint from line 42.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 814f307c-8cdc-4f49-8ce7-b00053d70ac4
⛔ Files ignored due to path filters (4)
src/cuga/demo_tools/crm/uv.lockis excluded by!**/*.locksrc/cuga/demo_tools/email_mcp/mcp_server/uv.lockis excluded by!**/*.locksrc/frontend_workspaces/pnpm-lock.yamlis excluded by!**/pnpm-lock.yamluv.lockis excluded by!**/*.lock
📒 Files selected for processing (4)
pyproject.tomlsrc/cuga/demo_tools/crm/pyproject.tomlsrc/cuga/demo_tools/email_mcp/mcp_server/pyproject.tomlsrc/frontend_workspaces/package.json
Document langchain-core GHSA-pjwx-r37v-7724, remove invalid mako GHSA ID, and raise mako floor to 1.3.12 for GHSA-2h4p-vjrc-8xpq per PR review.
Summary
litellm1.89.1,langchain-core1.4.7,starlette1.3.1, plus transitive floors formako,python-multipart,urllib3,pyasn1shell-quote,form-data,ws,tmp, andvite(8.0.16)pyproject.tomloruv.lockper subprojectAlerts addressed
Not fixed in this PR
<70due tomilvus-literequiringpkg_resources— existing accepted-risk constraintnltk.data.load()Fixes #337
Test plan
uv lock --checkpasses at repo rootuv sync --devsucceedscd src/frontend_workspaces && pnpm install --frozen-lockfilesucceedsSummary by CodeRabbit