fix(vulnerability): Update package versions with security vulnerabili…#477

Closed
nahua-aignx wants to merge 1 commit into main from fix/vulnerability-checks
Conversation

@nahua-aignx
Collaborator

Fixing the following issue:

nox > pip-audit 
Found 3 known vulnerabilities in 3 packages
Name      Version ID             Fix Versions
--------- ------- -------------- ------------
diskcache 5.6.3   CVE-2025-69872
orjson    3.11.5  CVE-2025-67221 3.11.6
pyjwt     2.10.1  CVE-2026-32597 2.12.0
nox > Command pip-audit  failed with exit co

Copilot AI review requested due to automatic review settings March 16, 2026 07:54

Copilot AI left a comment

Pull request overview

Updates dependency constraints/lockfile entries to remediate reported pip-audit vulnerabilities in the SDK’s runtime dependency set.

Changes:

  • Bump pyjwt[crypto] minimum to >=2.12.0 and lock to 2.12.1 (CVE-2026-32597).
  • Add/override orjson>=3.11.6 and lock to 3.11.7 (CVE-2025-67221).
  • Regenerate uv.lock to reflect the updated dependency graph and artifact hashes/URLs.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File            Description
--------------  -----------
pyproject.toml  Raises minimum versions for pyjwt and orjson to address the cited CVEs.
uv.lock         Locks updated resolved versions for orjson and pyjwt, plus updates the project requirements metadata accordingly.

"filelock>=3.20.1", # CVE-2025-68146
"marshmallow>=3.26.2", # CVE-2025-68480
"fastmcp>=2.0.0,<3", # MCP server - Major version 3 is in beta as of 26/01/2026 and has not been released on PyPI. Upgrade once a stable release is out.
"orjson>=3.11.6", # CVE-2025-67221
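Review bot: The constraint changes shown here (and the pyjwt bump described above) cover only two of the three findings in the pip-audit output in the description; diskcache 5.6.3 / CVE-2025-69872 is listed with no fix version and is not touched, so the nox pip-audit session will still exit non-zero after this merge. Please state in the PR how that finding is handled, e.g. an explicit pip-audit `--ignore-vuln CVE-2025-69872` with a recorded justification in the nox session, or a replacement for the dependency, and annotate the `diskcache` entry in pyproject.toml the same way the `filelock` and `marshmallow` lines carry their CVE comments so the decision is visible next to the pin.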
nahua-aignx requested a review from olivermeyer March 16, 2026 08:04
@codecov

codecov bot commented Mar 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.
see 7 files with indirect coverage changes
