Patch 39 of 41 dependabot alerts and 7 npm advisories #63
Open
MaxGhenis wants to merge 1 commit into
Python (uv.lock, lock-only bumps; pyproject ranges already allowed them): litellm 1.81.15->1.88.1 (the critical alert plus five high), tornado 6.5.7, jupyter-server 2.19.0, mistune 3.2.1, urllib3 2.7.0, aiohttp 3.14.1, pygments 2.20.0, python-dotenv 1.2.2, nbconvert 7.17.1, requests 2.34.2, idna 3.18.

Not fixable by bumping:
- pytest stays 8.4.2: policyengine-core pins pytest<9 (medium, tmpdir handling in a dev-only test runner)
- diskcache 5.6.3: no patched release exists (unsafe pickle; only used for the local self-written litellm response cache)

npm (bun audit; dependabot does not scan bun.lock): bump @lobehub/icons to 5.10.0 and pin overrides for dompurify 3.4.8, lodash 4.18.1, lodash-es 4.18.1, postcss 8.5.14, js-cookie 3.0.8, mermaid 11.15.0, uuid 13.0.1 - all transitive, mostly via the @lobehub/icons -> @lobehub/ui graph. brace-expansion 5.0.5 and picomatch 4.0.3 remain: dev/build-only chains where the tree holds two majors and bun's flat overrides cannot scope to one of them.

Verified: 279 Python tests, ruff, CLI smoke; app lint, bun tests, and a production next build all pass on the upgraded stack.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Why
GitHub flags 41 dependabot alerts on the default branch (1 critical, 13 high), all in `uv.lock`. A `bun audit` pass on the app found 9 more npm advisories that dependabot misses because it doesn't scan `bun.lock`.

What
Python — 39 of 41 alerts fixed, lock-only bumps (every pyproject range already allowed the patched versions):
Not fixable by bumping (2 alerts stay open):
- `pytest` 8.4.2 (medium, GHSA-6w46-j5rx-g56g): `policyengine-core` pins `pytest<9`. Dev-only test runner; clears whenever the policyengine stack bump (e.g. #59) pulls a core that allows pytest 9.
- `diskcache` 5.6.3 (medium, GHSA-w8v5-vhqr-4h9v): no patched release exists. Used only via `litellm[caching]` for the local, self-written response cache in `.policybench_cache/` — exploitation requires an attacker who can already write local files.

npm — 7 of 9 advisories fixed via `@lobehub/icons` 5.2 → 5.10 plus `package.json` `overrides`: dompurify 3.4.8, lodash/lodash-es 4.18.1 (high, `_.template` code injection), postcss 8.5.14, js-cookie 3.0.8, mermaid 11.15.0, uuid 13.0.1. All transitive — none of these ship in the client bundle (they ride in via `@lobehub/icons → @lobehub/ui → mermaid/ahooks`).

Accepted for now (2):
- `brace-expansion` 5.0.5 and `picomatch` 4.0.3 — both dev/build-only (eslint and tailwind/next toolchains), and both trees hold two majors of the package, which bun's flat `overrides` can't scope to one side without forcing unrelated consumers across a major.

Verification
- `policybench --help` imports the full CLI against litellm 1.88
- `next build` (with static generation) pass
- `bun audit` down from 9 advisories to the 2 accepted dev-only ones

Follow-up worth considering
`@lobehub/icons` pulls ~1,000 packages (mermaid, dagre, ahooks, uuid…) to render a handful of provider marks — replacing it with inline SVGs would delete most of this attack surface permanently.

🤖 Generated with Claude Code