Skip to content

fix(security): remediate Dependabot alerts (#337)#344

Merged
sami-marreed merged 3 commits into
mainfrom
fix/337-dependabot-security-fixes
Jun 25, 2026
Merged

fix(security): remediate Dependabot alerts (#337)#344
sami-marreed merged 3 commits into
mainfrom
fix/337-dependabot-security-fixes

Conversation

@sami-marreed

@sami-marreed sami-marreed commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Bumps root Python deps: litellm 1.89.1, langchain-core 1.4.7, starlette 1.3.1, plus transitive floors for mako, python-multipart, urllib3, pyasn1
  • Adds frontend pnpm overrides for shell-quote, form-data, ws, tmp, and vite (8.0.16)
  • Demo tools (CRM, email MCP) use the root lockfile only — no separate pyproject.toml or uv.lock per subproject

Alerts addressed

Alert Package Fix
#483 litellm >=1.84.0
#366 langchain-core >=1.3.3
#375, #376 urllib3 >=2.6.3 (existing constraint)
#478, #480 starlette >=1.3.1
#408 shell-quote >=1.8.4 override
#457 form-data >=4.0.6 override
#423 vite >=8.0.16 override
#396 tmp >=0.2.7 override
#451 ws >=8.21.0 override
#359, #324 Mako >=1.3.11 (root constraint)
#363, #362 python-multipart >=0.0.27 (root constraint)
#443, #445, #448, #450 starlette (demo) Resolved via root lockfile after removing demo lockfiles
#295, #296, #297 ecdsa/PyJWT/pyasn1 (CRM) Resolved via root lockfile after removing demo lockfiles

Not fixed in this PR

Fixes #337

Test plan

  • uv lock --check passes at repo root
  • uv sync --dev succeeds
  • cd src/frontend_workspaces && pnpm install --frozen-lockfile succeeds
  • Dependabot alerts above auto-close after merge

Summary by CodeRabbit

  • Chores
    • Upgraded core backend dependencies including langchain-core, litellm, starlette, python-multipart, and mako to ensure improved security posture and compatibility with the latest stable versions.
    • Enhanced frontend build configuration by updating package override constraints for vite, shell-quote, form-data, tmp, ws, and defu to maintain consistent and secure dependency resolution across all development and production environments.

…files

Bump litellm, langchain-core, starlette, and transitive deps in root uv.lock;
add pnpm overrides for shell-quote, form-data, ws, tmp, and vite; restore demo
tool pyproject.toml files and refresh their lockfiles (drops python-jose/ecdsa).

Resolves dependabot#483
Resolves dependabot#366
Resolves dependabot#375
Resolves dependabot#376
Resolves dependabot#478
Resolves dependabot#480
Resolves dependabot#408
Resolves dependabot#457
Resolves dependabot#423
Resolves dependabot#396
Resolves dependabot#451
Resolves dependabot#359
Resolves dependabot#324
Resolves dependabot#363
Resolves dependabot#362
Resolves dependabot#443
Resolves dependabot#445
Resolves dependabot#448
Resolves dependabot#450
Resolves dependabot#295
Resolves dependabot#296
Resolves dependabot#297

Fixes #337
@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d13c3bb2-73c0-4284-bc62-684464a8f28d

📥 Commits

Reviewing files that changed from the base of the PR and between e0cf54d and ac4fecb.

⛔ Files ignored due to path filters (3)
  • src/cuga/demo_tools/crm/uv.lock is excluded by !**/*.lock
  • src/cuga/demo_tools/email_mcp/mcp_server/uv.lock is excluded by !**/*.lock
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pyproject.toml
🚧 Files skipped from review as they are similar to previous changes (1)
  • pyproject.toml

📝 Walkthrough

Walkthrough

Minimum version floors are raised for security in both the Python (pyproject.toml) and frontend (package.json) dependency manifests. Python bumps cover langchain-core, litellm, starlette, python-multipart, and mako; frontend bumps cover vite and add new pnpm.overrides entries for shell-quote, form-data, tmp, and ws.

Changes

Security Dependency Version Floor Bumps

Layer / File(s) Summary
Root Python security dependency bumps
pyproject.toml
langchain-core raised to >=1.3.3 (GHSA-annotated), litellm raised to >=1.84.0 (fastmcp/security comment updated), and CVE-annotated floor pins added/updated for starlette (>=1.3.1), python-multipart (>=0.0.27), and mako (>=1.3.12).
Frontend pnpm security overrides
src/frontend_workspaces/package.json
pnpm.overrides expanded: vite floor raised to >=8.0.16; new override entries added for shell-quote, form-data, tmp, and ws.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • cuga-project/cuga-agent#134: Also modifies the langchain-core minimum version constraint in pyproject.toml, directly overlapping with this change.

Poem

🐇 A hop through versions, one by one,
The floors raised high beneath the sun,
No CVE shall slip on through,
Each package pinned with comment true,
The warren's safe — our work is done! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'fix(security): remediate Dependabot alerts (#337)' directly and clearly describes the main change—addressing security vulnerabilities by updating dependencies to remediate Dependabot alerts.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/337-dependabot-security-fixes

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot added the complexity: medium Moderate scope — multiple files or non-trivial logic label Jun 17, 2026
CRM and email MCP demo subprojects resolve from the root lockfile; drop
per-subproject manifests and lockfiles added in the prior commit.
@sami-marreed
sami-marreed requested a review from gjt-prog June 17, 2026 23:30

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
src/cuga/demo_tools/crm/pyproject.toml (1)

15-15: ⚡ Quick win

Remove redundant python-multipart constraint.

python-multipart>=0.0.27 appears in both the main dependencies list (line 15) and constraint-dependencies (line 42). Since it's already a direct dependency, the constraint is redundant. The constraint-dependencies section is intended for transitive dependencies that aren't explicitly declared.

♻️ Simplify by removing the constraint
 [tool.uv]
 dev-dependencies = [
     "pytest>=7.4.0",
     "pytest-asyncio>=0.21.0",
     "httpx>=0.25.0",
     "faker>=20.1.0",
 ]
 constraint-dependencies = [
     "starlette>=1.3.1",
-    "python-multipart>=0.0.27",
     "mako>=1.3.11",
     "pyasn1>=0.6.3",
     "pyjwt[crypto]>=2.12.0",
 ]

Also applies to: 42-42

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/cuga/demo_tools/crm/pyproject.toml` at line 15, Remove the redundant
`python-multipart>=0.0.27` entry from the constraint-dependencies section in
pyproject.toml. Since python-multipart is already declared as a direct
dependency in the main dependencies list, it should not be repeated in
constraint-dependencies, which is reserved for transitive dependencies only.
Delete the python-multipart constraint from line 42.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pyproject.toml`:
- Line 12: Clarify the security rationale for langchain-core>=1.3.3 in the
pyproject.toml file. Add a comment or documentation explaining whether this
version bump addresses a specific security advisory (and if so, reference the
advisory ID) or if it is purely a compatibility requirement. Additionally,
review the mako version pin and associated advisory comments: remove the invalid
advisory ID GHSA-2mpv-x229-jh2r from the mako comment, and evaluate whether
upgrading mako to >=1.3.12 (instead of >=1.3.11) is necessary to address the
CVE-2026-44307 / GHSA-2h4p-vjrc-8xpq path traversal vulnerability if it falls
within the project's security scope.

---

Nitpick comments:
In `@src/cuga/demo_tools/crm/pyproject.toml`:
- Line 15: Remove the redundant `python-multipart>=0.0.27` entry from the
constraint-dependencies section in pyproject.toml. Since python-multipart is
already declared as a direct dependency in the main dependencies list, it should
not be repeated in constraint-dependencies, which is reserved for transitive
dependencies only. Delete the python-multipart constraint from line 42.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 814f307c-8cdc-4f49-8ce7-b00053d70ac4

📥 Commits

Reviewing files that changed from the base of the PR and between 72fafe9 and e0cf54d.

⛔ Files ignored due to path filters (4)
  • src/cuga/demo_tools/crm/uv.lock is excluded by !**/*.lock
  • src/cuga/demo_tools/email_mcp/mcp_server/uv.lock is excluded by !**/*.lock
  • src/frontend_workspaces/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (4)
  • pyproject.toml
  • src/cuga/demo_tools/crm/pyproject.toml
  • src/cuga/demo_tools/email_mcp/mcp_server/pyproject.toml
  • src/frontend_workspaces/package.json

Comment thread pyproject.toml Outdated
Document langchain-core GHSA-pjwx-r37v-7724, remove invalid mako GHSA ID,
and raise mako floor to 1.3.12 for GHSA-2h4p-vjrc-8xpq per PR review.
@sami-marreed
sami-marreed requested review from offerakrabi and removed request for gjt-prog June 24, 2026 07:31
@sami-marreed
sami-marreed merged commit d0731b3 into main Jun 25, 2026
12 checks passed
@sami-marreed
sami-marreed deleted the fix/337-dependabot-security-fixes branch June 25, 2026 09:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

complexity: medium Moderate scope — multiple files or non-trivial logic

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security]: Improve handling and remediation of open Dependabot alerts

2 participants