
fix: bump idna, urllib3, pip to resolve pip-audit CVEs #109

Merged
lorr1 merged 1 commit into main from fix/dependency-cves on Jun 1, 2026

Conversation

lorr1 (Collaborator) commented Jun 1, 2026

The Code Quality check has been failing on main since 2026-04-24 at the task security step. pip-audit reports 5 known vulnerabilities across three transitive dependencies:

Package   From     To       Advisories
idna      3.11     3.17     CVE-2026-45409
urllib3   2.6.3    2.7.0    PYSEC-2026-141, PYSEC-2026-142
pip       26.0.1   26.1.2   CVE-2026-3219, CVE-2026-6357

pip is pulled in transitively (pip-audit -> pip-api -> pip), so all three are lock-only bumps via uv lock --upgrade-package — no pyproject.toml changes.

Verified locally: task security now passes (bandit: no issues, pip-audit: no known vulnerabilities).

🤖 Generated with Claude Code

task security (pip-audit) was failing on main with 5 known
vulnerabilities across three transitive deps:

- idna 3.11 -> 3.17    (CVE-2026-45409)
- urllib3 2.6.3 -> 2.7.0 (PYSEC-2026-141, PYSEC-2026-142)
- pip 26.0.1 -> 26.1.2  (CVE-2026-3219, CVE-2026-6357)

pip is pulled in transitively via pip-audit -> pip-api. All three are
lock-only bumps (no pyproject changes). bandit and pip-audit now pass clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@lorr1 lorr1 merged commit a033ba0 into main Jun 1, 2026
1 check passed
@lorr1 lorr1 deleted the fix/dependency-cves branch June 1, 2026 19:10
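The procedure the PR description describes (read the pip-audit findings, pick the lowest release that clears every advisory for a package, bump only the lock file, then re-run the audit) is worth scripting when more than a handful of transitive packages are flagged. The following is an added example written for this page, not code from the PR or its repository. The report is a constructed JSON document shaped like `pip-audit --format json` output ("dependencies" entries with "name", "version" and "vulns", each vuln carrying "id" and "fix_versions") and populated from the PR's table; the `uv lock --upgrade-package name==version` form is uv's syntax for pinning an upgrade target; the version ordering is deliberately simplified to plain dotted releases with no pre-release, post-release or dev tags.

```python
"""Derive lock-only upgrade targets from a pip-audit JSON report.

Added example for this page, not code from the PR or its repository.
"""
import json

# Constructed report, shaped like `pip-audit --format json` output
# ("dependencies" -> name/version/vulns, each vuln with "id" and
# "fix_versions") and populated from the findings in the PR description.
REPORT_JSON = json.dumps({
    "dependencies": [
        {"name": "idna", "version": "3.11", "vulns": [
            {"id": "CVE-2026-45409", "fix_versions": ["3.17"]}]},
        {"name": "urllib3", "version": "2.6.3", "vulns": [
            {"id": "PYSEC-2026-141", "fix_versions": ["2.7.0"]},
            {"id": "PYSEC-2026-142", "fix_versions": ["2.7.0"]}]},
        {"name": "pip", "version": "26.0.1", "vulns": [
            {"id": "CVE-2026-3219", "fix_versions": ["26.1.2"]},
            # Constructed: a second advisory listing two fixed releases. Its
            # lowest fix is not enough on its own because the first advisory
            # needs 26.1.2, so the combined target must be 26.1.2.
            {"id": "CVE-2026-6357", "fix_versions": ["26.1.0", "26.1.2"]}]},
        {"name": "requests", "version": "2.32.0", "vulns": []},
    ]
})


def version_key(version):
    """Ordering for plain dotted releases (simplification: no pre/post/dev tags)."""
    return tuple(int(part) for part in version.split("."))


def upgrade_targets(report_json):
    """Map each vulnerable package to (current, target, advisory_ids).

    target is the lowest release that clears every advisory: for each advisory
    take its lowest listed fix, then take the highest of those. It is None when
    some advisory publishes no fix, since a version bump cannot resolve that.
    """
    targets = {}
    for dep in json.loads(report_json)["dependencies"]:
        if not dep["vulns"]:
            continue
        ids = [v["id"] for v in dep["vulns"]]
        per_advisory = []
        for vuln in dep["vulns"]:
            fixes = vuln.get("fix_versions") or []
            if not fixes:
                per_advisory = None
                break
            per_advisory.append(min(fixes, key=version_key))
        target = max(per_advisory, key=version_key) if per_advisory else None
        targets[dep["name"]] = (dep["version"], target, ids)
    return targets


def uv_lock_command(targets):
    """One lock-only bump covering every fixable package; pyproject.toml untouched."""
    fixable = sorted(name for name, (_, target, _) in targets.items() if target)
    if not fixable:
        return None
    args = " ".join(f"--upgrade-package {n}=={targets[n][1]}" for n in fixable)
    return f"uv lock {args}"


def still_vulnerable(targets, resolved):
    """Names whose resolved version (e.g. read back from uv.lock) is below target."""
    return sorted(
        name for name, (_, target, _) in targets.items()
        if target and version_key(resolved.get(name, "0")) < version_key(target)
    )


if __name__ == "__main__":
    found = upgrade_targets(REPORT_JSON)
    for name, (current, target, ids) in found.items():
        print(f"{name}: {current} -> {target or 'no fix published'} ({', '.join(ids)})")
    print(uv_lock_command(found))
```

Two caveats before trusting the generated command. An advisory's `fix_versions` can list fixes on several release branches (for example a 1.x backport beside the 2.x fix); taking the lowest entry may pick a branch older than the one currently locked, so compare the target against the current version before running the bump. And a lock-only bump only holds as long as the resolver is allowed to keep it: if `pyproject.toml` or a transitive dependency pins an upper bound below the target, `uv lock` will refuse or resolve elsewhere, which is why re-running `pip-audit` against the new lock (the `still_vulnerable` check here) is the step that actually closes the finding.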