
fix: patch Dependabot vulnerabilities (2026-05-11)#19

Draft
cursor[bot] wants to merge 1 commit into master from cursor/dependabot-patch-automation-ff71

Conversation


@cursor cursor Bot commented May 11, 2026

Summary

Automated security patch for graphene-django-optimizer — addresses vulnerabilities found via pip-audit across dev-requirements.txt and dev-env-requirements.txt.


Vulnerabilities Patched

| CVE / ID | Package | Old Version | New Version | Severity |
|---|---|---|---|---|
| PYSEC-2023-100 | django | 3.2.19 | 4.2.30 | High |
| PYSEC-2023-222 | django | 3.2.19 | 4.2.30 | High |
| PYSEC-2023-225 | django | 3.2.19 | 4.2.30 | High |
| PYSEC-2023-226 | django | 3.2.19 | 4.2.30 | High |
| PYSEC-2024-28 | django | 3.2.19 | 4.2.30 | High |
| PYSEC-2024-47 | django | 3.2.19 | 4.2.30 | High |
| PYSEC-2025-47 | django | 3.2.19 | 4.2.30 | High |
| CVE-2024-45231 | django | 3.2.19 | 4.2.30 | Medium |
| CVE-2025-57833 | django | 3.2.19 | 4.2.30 | Medium |
| CVE-2025-64458 | django | 3.2.19 | 4.2.30 | High |
| CVE-2025-64459 | django | 3.2.19 | 4.2.30 | High |
| CVE-2025-71176 | pytest | 4.6.3 | 9.0.3 | Medium |
| PYSEC-2024-48 | black | 21.6b0 | 24.10.0 | Medium |
| CVE-2026-32274 | black | 21.6b0 | 24.10.0 | Medium |

Additional Updates (compatibility)

  • graphene-django 3.0.2 → 3.2.3 (Django 4.2 compatibility)
  • graphene ~=3.0.0 → >=3.0,<4 (compatibility with graphene-django 3.2.3)
  • graphql-core ~=3.1.7 → >=3.1,<4 (compatibility with graphene 3.x)
  • pytest-django 3.5.0 → 4.12.0 (Django 4.2 + pytest 9.x compatibility)
  • pytest-cov 2.7.1 → 6.0.0 (pytest 9.x compatibility)

Test Result

passed — 36 passed, 1 skipped, 8 xfailed in 0.59s (coverage 91.92%)

Lint Result

passed — flake8 clean, no issues


Notes

  • Django 3.2 is EOL; upgrading to 4.2.30 (LTS) is required to patch several CVEs that have no 3.2.x fix
  • The graphql-core~=3.1.7[aliases] extra in dev-env-requirements.txt was invalid and removed
  • No Linear ticket found for these specific vulnerabilities in open/active state

Auto-generated by security patch automation — 2026-05-11


- django 3.2.19 → 4.2.30 (CVE-2024-45231, CVE-2025-57833, CVE-2025-64458, CVE-2025-64459, PYSEC-2023-100, PYSEC-2023-222, PYSEC-2023-225, PYSEC-2023-226, PYSEC-2024-28, PYSEC-2024-47, PYSEC-2025-47)
- graphene-django 3.0.2 → 3.2.3 (Django 4.2 compatibility)
- graphene ~=3.0.0 → >=3.0,<4 (compatibility with graphene-django 3.2.3)
- graphql-core ~=3.1.7 → >=3.1,<4 (compatibility with graphene 3.x)
- pytest 4.6.3 → 9.0.3 (CVE-2025-71176)
- pytest-django 3.5.0 → 4.12.0 (Django 4.2 + pytest 9.x compatibility)
- pytest-cov 2.7.1 → 6.0.0 (pytest 9.x compatibility)
- black 21.6b0 → 24.10.0 (PYSEC-2024-48)

All 36 tests pass, lint clean.

Co-authored-by: Cameron Cooper <cameron-wellthy@users.noreply.github.com>
