Skip to content

fix(vulnerability): Update package versions with security vulnerabili…#477

Open
nahua-aignx wants to merge 1 commit intomainfrom
fix/vulnerability-checks
Open

fix(vulnerability): Update package versions with security vulnerabili…#477
nahua-aignx wants to merge 1 commit intomainfrom
fix/vulnerability-checks

Conversation

@nahua-aignx
Copy link
Contributor

@nahua-aignx nahua-aignx commented Mar 16, 2026
edited
Loading

Fixing the following issue:

nox > pip-audit 
Found 3 known vulnerabilities in 3 packages
Name      Version ID             Fix Versions
--------- ------- -------------- ------------
diskcache 5.6.3   CVE-2025-69872
orjson    3.11.5  CVE-2025-67221 3.11.6
pyjwt     2.10.1  CVE-2026-32597 2.12.0
nox > Command pip-audit  failed with exit co

Not upgrading diskcache as its issue CVE-2025-69872 is ignored at the moment due to no fix available.

Copilot AI review requested due to automatic review settings March 16, 2026 07:54
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates dependency constraints/lockfile entries to remediate reported pip-audit vulnerabilities in the SDK’s runtime dependency set.

Changes:

  • Bump pyjwt[crypto] minimum to >=2.12.0 and lock to 2.12.1 (CVE-2026-32597).
  • Add/override orjson>=3.11.6 and lock to 3.11.7 (CVE-2025-67221).
  • Regenerate uv.lock to reflect the updated dependency graph and artifact hashes/URLs.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
pyproject.toml Raises minimum versions for pyjwt and orjson to address the cited CVEs.
uv.lock Locks updated resolved versions for orjson and pyjwt, plus updates the project requirements metadata accordingly.

pyproject.toml
"filelock>=3.20.1", # CVE-2025-68146
"marshmallow>=3.26.2", # CVE-2025-68480
"fastmcp>=2.0.0,<3", # MCP server - Major version 3 is in beta as of 26/01/2026 and has not been released on PyPI. Upgrade once a stable release is out.
"orjson>=3.11.6", # CVE-2025-67221
@nahua-aignx nahua-aignx requested a review from olivermeyer March 16, 2026 08:04
@codecov
Copy link

codecov bot commented Mar 16, 2026
edited
Loading

❌ 1 Tests Failed:

Tests completed Failed Passed Skipped
650 1 649 10
View the top 1 failed test(s) by shortest run time 
pytest::internal
Stack Traces | 0s run time 
Traceback (most recent call last):
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14....../site-packages/_pytest/main.py", line 318, in wrap_session
    session.exitstatus = doit(config, session) or 0
                         ~~~~^^^^^^^^^^^^^^^^^
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14....../site-packages/_pytest/main.py", line 372, in _main
    config.hook.pytest_runtestloop(session=session)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14.../site-packages/pluggy/_hooks.py", line 512, in __call__
    return self._hookexec(self.name, self._hookimpls.copy(), kwargs, firstresult)
           ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14.../site-packages/pluggy/_manager.py", line 120, in _hookexec
    return self._inner_hookexec(hook_name, methods, kwargs, firstresult)
           ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14............/site-packages/pluggy/_callers.py", line 167, in _multicall
    raise exception
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14............/site-packages/pluggy/_callers.py", line 139, in _multicall
    teardown.throw(exception)
    ~~~~~~~~~~~~~~^^^^^^^^^^^
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14.../site-packages/_pytest/logging.py", line 801, in pytest_runtestloop
    return (yield)  # Run all the tests.
            ^^^^^
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14............/site-packages/pluggy/_callers.py", line 139, in _multicall
    teardown.throw(exception)
    ~~~~~~~~~~~~~~^^^^^^^^^^^
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14.../site-packages/_pytest/terminal.py", line 707, in pytest_runtestloop
    result = yield
             ^^^^^
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14............/site-packages/pluggy/_callers.py", line 152, in _multicall
    teardown.send(result)
    ~~~~~~~~~~~~~^^^^^^^^
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14.../site-packages/pytest_cov/plugin.py", line 349, in pytest_runtestloop
    self.cov_controller.finish()
    ~~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14....../site-packages/pytest_cov/engine.py", line 55, in ensure_topdir_wrapper
    return meth(self, *args, **kwargs)
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14....../site-packages/pytest_cov/engine.py", line 293, in finish
    self.cov.stop()
    ~~~~~~~~~~~~~^^
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14.../site-packages/coverage/control.py", line 732, in stop
    self._collector.stop()
    ~~~~~~~~~~~~~~~~~~~~^^
  File ".../python-sdk/python-sdk/.nox............................................./test-3-14-1/lib/python3.14.../site-packages/coverage/collector.py", line 344, in stop
    assert self._collectors[-1] is self, (
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AssertionError: Expected current collector to be <Collector at 0x7fbebde1aba0: SysMonitor>, but it's <Collector at 0x7fbe994b0050: SysMonitor>

To view more test analytics, go to the Test Analytics Dashboard
📋 Got 3 mins? Take this short survey to help us improve Test Analytics.

@helmut-hoffer-von-ankershoffen
Copy link
Contributor

helmut-hoffer-von-ankershoffen commented Mar 17, 2026

Why was this closed without merge? @neelay-aign @nahua-aignx @olivermeyer? The dependabot PR merged previously only changes the uv.lock file, which has no affect for consumers of python sdk as a dependency.

@nahua-aignx nahua-aignx reopened this Mar 17, 2026
@nahua-aignx nahua-aignx force-pushed the fix/vulnerability-checks branch from cbd5b0c to 413e43e Compare March 17, 2026 14:21
@nahua-aignx
Copy link
Contributor Author

nahua-aignx commented Mar 17, 2026

Why was this closed without merge? @neelay-aign @nahua-aignx @olivermeyer? The dependabot PR merged previously only changes the uv.lock file, which has no affect for consumers of python sdk as a dependency.

Short answer is we didn't know we should pin this precisely. I've re-opened this PR and will merge it.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Mar 17, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@olivermeyer
Copy link
Collaborator

olivermeyer commented Mar 17, 2026

Why was this closed without merge? @neelay-aign @nahua-aignx @olivermeyer? The dependabot PR merged previously only changes the uv.lock file, which has no affect for consumers of python sdk as a dependency.

My two cents:

  • For CLI/GUI users, uv will automatically resolve to the latest available version of all dependencies (direct and transitive) every time they run uvx aignostics .... The vulnerability will therefore effectively be resolved whenever a patch is available.
  • For SDK users who manage their own environment and dependencies - I don't think we are responsible for their environments?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@neelay-aign neelay-aign neelay-aign approved these changes

@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen Awaiting requested review from helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen is a code owner

@olivermeyer olivermeyer Awaiting requested review from olivermeyer

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@nahua-aignx @helmut-hoffer-von-ankershoffen @olivermeyer @neelay-aign