fix: update vulnerable dependencies to resolve security advisories#830
Merged
marcusburghardt merged 9 commits into complytime:main on Apr 22, 2026
Conversation
Author (Contributor): e2e failure should be fixed by #822
Force-pushed: 46d4311 to 614f763
Force-pushed: 614f763 to 0ef7351
Contributor: @marcusburghardt This has some merge conflicts, I can review it after it's fixed :).
Author (Contributor): Working on it. :)
Updates nltk to 3.9.4 for Python >= 3.10 environments. This resolves multiple security advisories affecting nltk <= 3.9.2/3.9.3.
Note: nltk 3.9.4 requires Python >= 3.10. For Python 3.9 environments, nltk remains at 3.9.2 due to upstream compatibility constraints.
Resolves Dependabot alerts: complytime#52, complytime#71, complytime#63, complytime#62, complytime#61, complytime#60
See: GHSA-7p94-766c-hgjp
See: GHSA-h8wq-7xc4-p3qx
See: GHSA-469j-vmhf-r6v7
See: GHSA-jm6w-m3j8-898g
See: GHSA-p423-j2cm-9vmq
See: GHSA-gfwx-w7gr-fvh7
See: GHSA-rf74-v2fm-23pw
Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>

Updates orjson to 3.11.8 for Python >= 3.10 environments to resolve a deep recursion vulnerability in JSON document parsing.
Note: orjson 3.11.8 requires Python >= 3.10. For Python 3.9 environments, orjson remains at 3.11.5 due to upstream compatibility constraints.
Resolves Dependabot alert: complytime#55
See: GHSA-hx9q-6w63-j58v
Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>

Updates PyJWT from 2.10.1 to 2.12.1 to address an issue where unknown critical header extensions were incorrectly accepted.
Resolves Dependabot alert: complytime#56
See: GHSA-752w-5fwx-jx9f
Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>

Updates filelock to 3.29.0 for Python >= 3.10 environments to address TOCTOU race condition and symlink attack vulnerabilities during lock file creation.
Note: filelock 3.29.0 requires Python >= 3.10. For Python 3.9 environments, filelock remains at 3.19.1 due to upstream constraints.
Resolves Dependabot alerts: complytime#43, complytime#49
See: GHSA-w853-jp5j-5j7f
See: GHSA-qmgc-5h2g-mvrw
Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Force-pushed: 0ef7351 to b2a722a
Author (Contributor): Done @sonupreetam. Thanks for reviewing.
Updates PyNaCl from 1.5.0 to 1.6.2 to address an incomplete list of disallowed inputs in the underlying libsodium library.
Resolves Dependabot alert: complytime#45
See: GHSA-mrfv-m5wm-5w6w
Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>

Updates Pygments from 2.19.2 to 2.20.0 to address a Regular Expression Denial of Service (ReDoS) vulnerability due to inefficient regex for GUID matching.
Resolves Dependabot alert: complytime#67
See: GHSA-5239-wwwm-4pmq
Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>

Updates black from 25.11.0 to 26.3.1 to address an arbitrary file write vulnerability from unsanitized user input in cache file names.
Note: black 26.3.1 requires Python >= 3.10. The dependency constraint is now restricted to Python >= 3.10 environments accordingly.
Resolves Dependabot alert: complytime#54
See: GHSA-3936-cmfr-pm3m
Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>

Updates pytest from 8.4.2 to 9.0.3 to address a vulnerable tmpdir handling issue.
Note: pytest 9.0.3 requires Python >= 3.10. The dependency constraint is now restricted to Python >= 3.10 environments accordingly. For Python 3.9, pytest remains at 8.4.2.
Resolves Dependabot alert: complytime#69
See: GHSA-6w46-j5rx-g56g
Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>

Apply formatting changes required by the black 25.x to 26.x upgrade. Update Makefile to run black before isort and remove the explicit --lines-after-imports=2 option that conflicts with black 26's stricter blank line handling.
Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Force-pushed: b2a722a to f3eb17d
Summary
Updates 8 vulnerable dependencies to resolve 14 open Dependabot security advisories across critical, high, medium, and low severity levels.
Each dependency is updated in a separate commit for traceability. The black major version bump (25 → 26) required reformatting the codebase and adjusting the Makefile lint/format targets to resolve a conflict between black 26 and the previous isort --lines-after-imports=2 setting.
Several updated packages now require Python >= 3.10. Poetry resolves this by maintaining dual entries in the lock file: Python >= 3.10 gets the patched versions, while Python < 3.10 retains the previous versions due to upstream constraints.
Dependency Updates
Remaining Unresolved
Related Issues
Review Hints
Each dependency update is in its own commit. Reviewing commit-by-commit is recommended, especially for the black upgrade and its formatting commit.
The black 26 upgrade (commit "fix: update black to 26.3.1") changes pyproject.toml and poetry.lock. The follow-up "style: reformat codebase with black 26.3.1" commit applies the new formatting rules and updates the Makefile to run black before isort (removing the --lines-after-imports=2 flag that conflicts with black 26).
make lint passes cleanly. All 168 tests pass. There is 1 pre-existing test failure in test_config_write_to_file (a skip_validation type mismatch: 'false' vs False) that is also present on main and is unrelated to this PR.
The Trivy Source Scan failure is pre-existing on main (Dockerfile/workflow misconfigurations) and is not introduced by this PR.
Advisories resolved: GHSA-7p94-766c-hgjp, GHSA-h8wq-7xc4-p3qx, GHSA-469j-vmhf-r6v7, GHSA-jm6w-m3j8-898g, GHSA-gfwx-w7gr-fvh7, GHSA-rf74-v2fm-23pw, GHSA-hx9q-6w63-j58v, GHSA-752w-5fwx-jx9f, GHSA-3936-cmfr-pm3m, GHSA-w853-jp5j-5j7f, GHSA-qmgc-5h2g-mvrw, GHSA-mrfv-m5wm-5w6w, GHSA-6w46-j5rx-g56g, GHSA-5239-wwwm-4pmq
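A practical follow-up check for a PR like this one is to confirm, on the interpreter that will actually run the code, that every package sits at or above the patched floor the PR promises, with the Python 3.9 / 3.10 split the description mentions taken into account. The script below is an added example and not code from the complytime project or from this PR; the version floors and GHSA references are transcribed from the commit messages above, and the audit() helper, the status labels and the two sample environments are assumptions constructed for illustration.

```python
"""Added example (not part of the complytime PR or project code).

Audits an environment against the dependency floors this PR describes.
The floors below are transcribed from the PR's commit messages; the Python
version split mirrors the dual lock-file entries the PR describes (patched
releases for Python >= 3.10, older releases retained for Python 3.9).
The audit() helper, status labels and sample data are assumptions.
"""
import sys
from importlib import metadata

# package -> (floor for Python >= 3.10, floor for Python < 3.10)
# A None floor means the PR does not raise that package on Python 3.9.
FLOORS = {
    "nltk":     ("3.9.4",  None),      # GHSA-7p94-766c-hgjp and others; 3.9.2 kept on 3.9
    "orjson":   ("3.11.8", None),      # GHSA-hx9q-6w63-j58v; 3.11.5 kept on 3.9
    "PyJWT":    ("2.12.1", "2.12.1"),  # GHSA-752w-5fwx-jx9f; no interpreter split
    "filelock": ("3.29.0", None),      # GHSA-w853-jp5j-5j7f, GHSA-qmgc-5h2g-mvrw
    "PyNaCl":   ("1.6.2",  "1.6.2"),   # GHSA-mrfv-m5wm-5w6w
    "Pygments": ("2.20.0", "2.20.0"),  # GHSA-5239-wwwm-4pmq
    "black":    ("26.3.1", None),      # GHSA-3936-cmfr-pm3m; constraint only for >= 3.10
    "pytest":   ("9.0.3",  None),      # GHSA-6w46-j5rx-g56g; 8.4.2 kept on 3.9
}


def parse_version(text):
    """Turn a release string like '3.11.8' into a comparable 3-tuple of ints.

    Anything after the first non-digit in a segment (e.g. '2rc1') is dropped,
    which is sufficient for the plain release numbers used here.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def required_floor(package, python_version=sys.version_info[:2]):
    """Minimum patched version for `package` on the given interpreter, or
    None when the PR leaves that interpreter on the older release."""
    new_floor, old_floor = FLOORS[package]
    return new_floor if tuple(python_version) >= (3, 10) else old_floor


def audit(installed, python_version=sys.version_info[:2]):
    """Compare installed versions (name -> version string or None) with the
    floors.  Returns name -> one of: ok, vulnerable, missing,
    no-floor-for-this-python."""
    report = {}
    for package in FLOORS:
        floor = required_floor(package, python_version)
        have = installed.get(package)
        if floor is None:
            report[package] = "no-floor-for-this-python"
        elif have is None:
            report[package] = "missing"
        elif parse_version(have) >= parse_version(floor):
            report[package] = "ok"
        else:
            report[package] = "vulnerable"
    return report


def installed_versions(packages=FLOORS):
    """Read the installed version of each package from the running environment."""
    found = {}
    for package in packages:
        try:
            found[package] = metadata.version(package)
        except metadata.PackageNotFoundError:
            found[package] = None
    return found


# Constructed sample environments (assumptions, not real lock-file contents).
SAMPLE_39 = {"nltk": "3.9.2", "orjson": "3.11.5", "PyJWT": "2.12.1",
             "filelock": "3.19.1", "PyNaCl": "1.6.2", "Pygments": "2.20.0",
             "black": None, "pytest": "8.4.2"}
SAMPLE_310 = {"nltk": "3.9.4", "orjson": "3.11.8", "PyJWT": "2.10.1",
              "filelock": "3.29.0", "PyNaCl": "1.6.2", "Pygments": "2.20.0",
              "black": "26.3.1", "pytest": "9.0.3"}

if __name__ == "__main__":
    # Audit the live environment; a non-zero exit flags anything still vulnerable.
    result = audit(installed_versions())
    for name, status in sorted(result.items()):
        print(f"{name:10s} {status}")
    sys.exit(1 if "vulnerable" in result.values() else 0)
```

Run it inside the project's virtualenv once under Python 3.10+ and once under 3.9: on 3.9 the packages the PR leaves on their older release are reported as having no floor rather than as vulnerable, which is exactly the residual exposure a reviewer should weigh when deciding whether 3.9 support is still worth keeping.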