Skip to content

Bump dependencies to resolve Dependabot security alerts#1606

Open
romanlutz wants to merge 1 commit intomicrosoft:mainfrom
romanlutz:fix/dependabot-vulnerability-bumps
Open

Bump dependencies to resolve Dependabot security alerts#1606
romanlutz wants to merge 1 commit intomicrosoft:mainfrom
romanlutz:fix/dependabot-vulnerability-bumps

Conversation

@romanlutz
Copy link
Copy Markdown
Contributor

@romanlutz romanlutz commented Apr 12, 2026

Summary

Bump dependency version floors to resolve open Dependabot security alerts.

Direct dependencies (pyproject.toml)

  • pypdf: >=6.8.0\ → >=6.10.0\ — fixes 3 alerts (path injection, infinite loop, inefficient decoding)
  • tinytag: >=2.1.1\ → >=2.2.1\ — fixes 1 alert (DoS via SYLT frame parsing)

Optional dependencies (gcg/all)

  • mlflow: >=2.22.0\ → >=3.11.1\ — fixes 8 alerts (command injection, path traversal, auth bypass, XSS)

Transitive dependency constraints (tool.uv)

  • aiohttp: added >=3.13.4\ — fixes 10 alerts (SSRF, header injection, DoS, memory issues)
  • cryptography: >=46.0.5\ → >=46.0.7\ — fixes 2 alerts (buffer overflow, DNS enforcement)
  • requests: added >=2.33.0\ — fixes 1 alert (insecure temp file reuse)
  • PyJWT: added >=2.12.0\ — fixes 1 alert (unknown crit header extensions)
  • Pygments: added >=2.20.0\ — fixes 1 alert (ReDoS via GUID matching)

Frontend

  • axios: \1.14.0\ → \1.15.0\ — fixes 1 critical alert (SSRF via NO_PROXY bypass)

Lockfile cleanup

Packages no longer needed (pyasn1, fastmcp, lupa, diskcache) were removed from the lockfile, resolving their associated alerts.

@romanlutz
Bump dependencies to resolve 28 Dependabot security alerts
1745a64 
Direct dependencies:
- pypdf: >=6.8.0 -> >=6.10.0 (3 alerts: path injection, infinite loop, inefficient decoding)
- tinytag: >=2.1.1 -> >=2.2.1 (1 alert: DoS via SYLT frame parsing)

Optional dependencies (gcg/all):
- mlflow: >=2.22.0 -> >=3.11.1 (8 alerts: command injection, path traversal, auth bypass)

Transitive dependency constraints (tool.uv):
- aiohttp: >=3.13.4 (10 alerts: SSRF, header injection, DoS, memory issues)
- cryptography: >=46.0.5 -> >=46.0.7 (2 alerts: buffer overflow, DNS enforcement)
- requests: >=2.33.0 (1 alert: insecure temp file reuse)
- PyJWT: >=2.12.0 (1 alert: unknown crit header extensions)
- Pygments: >=2.20.0 (1 alert: ReDoS via GUID matching)

Frontend:
- axios: 1.14.0 -> 1.15.0 (1 alert: SSRF via NO_PROXY bypass)

Remaining alerts have no fix available (mlflow microsoft#92/microsoft#109/microsoft#111, lupa, diskcache).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@romanlutz