
FIX: update dependencies to address Dependabot security alerts #1614

Merged
romanlutz merged 2 commits into microsoft:main from
romanlutz:security/update-vulnerable-deps
Apr 15, 2026

Conversation

@romanlutz
Contributor

Summary

Bumps minimum versions for packages flagged by Dependabot security alerts:

| Package | Old Min | New Min | CVE | Issue |
|---|---|---|---|---|
| pillow | >=12.1.1 | >=12.2.0 | CVE-2026-40192 | GZIP decompression bomb in FITS files |
| pytest | >=8.3.5 | >=9.0.3 | CVE-2025-71176 | Insecure temp directory handling |
| transformers | >=4.52.4 | >=4.55.0 | CVE-2025-14924 | Deserialization of untrusted data |
| pyasn1 | (none) | >=0.6.3 | CVE-2026-30922 | Uncontrolled recursion in ASN.1 decoding |
| follow-redirects | (none) | >=1.15.11 | Header leak | Custom header leak on cross-domain redirect |

Changes

  • pyproject.toml: Bumped `pillow`, `pytest`, `transformers` minimums; added `pyasn1` to `constraint-dependencies`
  • uv.lock: Regenerated
  • frontend/package.json: Added `follow-redirects` override
  • frontend/package-lock.json: Regenerated

Bump minimum versions for packages with known CVEs:

- pillow: >=12.1.1 -> >=12.2.0 (CVE-2026-40192, GZIP decompression bomb)
- pytest: >=8.3.5 -> >=9.0.3 (CVE-2025-71176, insecure temp directory)
- transformers: >=4.52.4 -> >=4.55.0 (CVE-2025-14924, deserialization)
- pyasn1: add >=0.6.3 constraint (CVE-2026-30922, uncontrolled recursion)
- follow-redirects: add >=1.15.11 override (custom header leak on redirect)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
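The PR's evidence that the bumps took effect is the regenerated uv.lock and package-lock.json plus the passing CI checks. The following is an added example, not code from this PR or from the project, that performs the same check explicitly: it reads the resolved versions out of a uv.lock and a package-lock.json and reports every package still below the minimum from the table above. The lock excerpts are constructed for the example (one Python package and one nested npm copy are deliberately left below their minimums); the package names and minimums are the ones the PR lists; the assumed layouts are uv's `[[package]]` stanzas and npm's lockfileVersion 3 `packages` map.

```python
"""Check lock files against the minimum versions a security bump requires.

Added example, not project code. Reads resolved versions from a uv.lock
(Python) and a package-lock.json (npm) and reports any package whose
resolved version is below the required minimum. The sample lock contents
below are constructed for this example.
"""
import json
import re

# Minimums from the PR table: the first four come from pyproject.toml,
# follow-redirects from the frontend package.json override.
PYTHON_MINIMUMS = {
    "pillow": "12.2.0",
    "pytest": "9.0.3",
    "transformers": "4.55.0",
    "pyasn1": "0.6.3",
}
NPM_MINIMUMS = {"follow-redirects": "1.15.11"}

# Constructed uv.lock excerpt; pyasn1 is intentionally left below 0.6.3.
SAMPLE_UV_LOCK = """
version = 1

[[package]]
name = "pillow"
version = "12.2.0"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "pyasn1"
version = "0.6.1"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "pytest"
version = "9.0.3"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "transformers"
version = "4.55.0"
source = { registry = "https://pypi.org/simple" }
"""

# Constructed package-lock.json excerpt (lockfileVersion 3 layout). The
# nested copy under axios is intentionally old: an override must reach
# every installed instance, not only the top-level one.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "frontend"},
        "node_modules/follow-redirects": {"version": "1.15.11"},
        "node_modules/axios/node_modules/follow-redirects": {"version": "1.15.6"},
    },
})


def parse_version(text):
    """Numeric release tuple: '1.15.11' -> (1, 15, 11). Pre-release and
    local suffixes are dropped; that is sufficient for comparing the
    release numbers found in lock files."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def uv_lock_versions(lock_text):
    """Map lowercase package name -> resolved version from a uv.lock."""
    try:
        import tomllib  # stdlib on Python 3.11+
        data = tomllib.loads(lock_text)
        return {p["name"].lower(): p["version"] for p in data.get("package", [])}
    except ImportError:
        # Older interpreters: scan the [[package]] stanzas directly.
        stanzas = re.findall(
            r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"', lock_text)
        return {name.lower(): ver for name, ver in stanzas}


def npm_lock_versions(lock_text):
    """Map package name -> list of every resolved version in package-lock.json,
    including nested copies under other packages' node_modules."""
    data = json.loads(lock_text)
    found = {}
    for path, entry in data.get("packages", {}).items():
        if not path:  # "" is the root project entry
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        found.setdefault(name, []).append(entry["version"])
    return found


def find_below_minimum(python_versions, npm_versions):
    """Return (ecosystem, package, resolved, minimum) for each resolved version
    below its minimum; resolved is None when the package is absent."""
    findings = []
    for name, minimum in PYTHON_MINIMUMS.items():
        resolved = python_versions.get(name)
        if resolved is None or parse_version(resolved) < parse_version(minimum):
            findings.append(("python", name, resolved, minimum))
    for name, minimum in NPM_MINIMUMS.items():
        for resolved in npm_versions.get(name, [None]):
            if resolved is None or parse_version(resolved) < parse_version(minimum):
                findings.append(("npm", name, resolved, minimum))
    return findings


def check_samples():
    """Run the check over the constructed lock excerpts."""
    return find_below_minimum(uv_lock_versions(SAMPLE_UV_LOCK),
                              npm_lock_versions(SAMPLE_PACKAGE_LOCK))


if __name__ == "__main__":
    for eco, name, resolved, minimum in check_samples():
        print(f"{eco}: {name} resolved {resolved} < required >={minimum}")
```

Against a real checkout, replace the two sample strings with the file contents of uv.lock and frontend/package-lock.json. The nested follow-redirects copy in the sample is the case worth keeping in mind when reviewing an npm override: a top-level entry at 1.15.11 says nothing about a transitive copy pulled in elsewhere in the tree.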
@romanlutz romanlutz changed the title fix: update dependencies to address Dependabot security alerts FIX: update dependencies to address Dependabot security alerts Apr 15, 2026
@romanlutz romanlutz merged commit e32369e into microsoft:main Apr 15, 2026
41 checks passed
@romanlutz romanlutz deleted the security/update-vulnerable-deps branch April 15, 2026 14:03