Skip to content

fix(deps): upgrade vulnerable transitive dependencies [security]#562

Closed
lawrence-u10d wants to merge 1 commit intomainfrom
security/lockfile-transitive-deps
Closed

fix(deps): upgrade vulnerable transitive dependencies [security]#562
lawrence-u10d wants to merge 1 commit intomainfrom
security/lockfile-transitive-deps

Conversation

@lawrence-u10d
Copy link
Copy Markdown
Contributor

@lawrence-u10d lawrence-u10d commented Apr 3, 2026
edited by cursor bot
Loading

Summary

Automated scan found CVEs in transitive dependencies locked in uv.lock files.
These packages were upgraded to patched versions.

Remediated vulnerabilities

Package From To Severity CVE
cryptography 46.0.4 46.0.6 Low CVE-2026-34073
cryptography 46.0.4 46.0.5 High CVE-2026-26007
deepdiff 8.6.1 8.6.2 High CVE-2026-33155
nltk 3.9.2 3.9.3 Critical CVE-2025-14009
nltk 3.9.2 3.9.4 Medium CVE-2026-33230
onnx 1.20.1 1.21.0 High CVE-2026-34445
onnx 1.20.1 1.21.0 Medium CVE-2026-34446
onnx 1.20.1 1.21.0 Medium CVE-2026-34447
onnx 1.20.1 1.21.0 High GHSA-q56x-g2fj-4rj6
pillow 12.1.0 12.1.1 High CVE-2026-25990
pyasn1 0.6.2 0.6.3 High CVE-2026-30922
pygments 2.19.2 2.20.0 Low CVE-2026-4539
pypdf 6.6.2 6.7.2 Low CVE-2026-27628
pypdf 6.6.2 6.9.2 Medium CVE-2026-33699
pypdf 6.6.2 6.7.1 Medium CVE-2026-27024
pypdf 6.6.2 6.7.5 Medium CVE-2026-28804
pypdf 6.6.2 6.7.1 Medium CVE-2026-27026
pypdf 6.6.2 6.7.4 Medium CVE-2026-28351
pypdf 6.6.2 6.8.0 Medium CVE-2026-31826
pypdf 6.6.2 6.9.1 Medium CVE-2026-33123
pypdf 6.6.2 6.7.1 Medium CVE-2026-27025
pypdf 6.6.2 6.7.3 Medium CVE-2026-27888
requests 2.32.5 2.33.0 Medium CVE-2026-25645
starlette 0.41.2 0.47.2 Medium CVE-2025-54121
starlette 0.41.2 0.49.1 High CVE-2025-62727

What this PR does

  1. Scans all uv.lock files with grype for known CVEs
  2. Runs uv lock --upgrade-package <pkg> for each fixable vulnerability (skips major bumps)
  3. Bumps component versions (patch) and updates CHANGELOGs via version-bump

Created by lockfile-security-scan.
Targets transitive dependencies that Renovate cannot reach.

Note

Low Risk
Changes are limited to a patch version bump and changelog entry; functional behavior should be unchanged aside from whatever comes from updated locked transitive dependencies.

Overview
Bumps the package version to 0.1.2 and documents a security release in CHANGELOG.md for upgrading vulnerable transitive dependencies.

Written by Cursor Bugbot for commit 8a463fa. This will update automatically on new commits. Configure here.

@utic-renovate
fix(deps): upgrade vulnerable transitive dependencies [security]
8a463fa 
Packages upgraded: cryptography deepdiff nltk onnx pillow pyasn1 pygments pypdf requests starlette

Automated by lockfile-security-scan workflow.
@lawrence-u10d lawrence-u10d added dependencies Pull requests that update a dependency file security labels Apr 3, 2026
@lawrence-u10d
Copy link
Copy Markdown
Contributor Author

lawrence-u10d commented Apr 3, 2026

Closing: lockfile was rewritten with private index URLs. Will re-run with fix.

@lawrence-u10d lawrence-u10d deleted the security/lockfile-transitive-deps branch April 3, 2026 12:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lawrence-u10d