
fix(deps): upgrade vulnerable transitive dependencies [security]#563

Draft
lawrence-u10d wants to merge 1 commit into main from security/lockfile-transitive-deps

Conversation

@lawrence-u10d (Contributor) commented Apr 3, 2026

Summary

Automated scan found CVEs in transitive dependencies locked in uv.lock files.
These packages were upgraded to patched versions.

Remediated vulnerabilities

| Package | From | To | Severity | CVE |
|---|---|---|---|---|
| cryptography | 46.0.4 | 46.0.6 | Low | CVE-2026-34073 |
| cryptography | 46.0.4 | 46.0.5 | High | CVE-2026-26007 |
| deepdiff | 8.6.1 | 8.6.2 | High | CVE-2026-33155 |
| nltk | 3.9.2 | 3.9.3 | Critical | CVE-2025-14009 |
| nltk | 3.9.2 | 3.9.4 | Medium | CVE-2026-33230 |
| onnx | 1.20.1 | 1.21.0 | High | CVE-2026-34445 |
| onnx | 1.20.1 | 1.21.0 | Medium | CVE-2026-34446 |
| onnx | 1.20.1 | 1.21.0 | Medium | CVE-2026-34447 |
| onnx | 1.20.1 | 1.21.0 | High | GHSA-q56x-g2fj-4rj6 |
| pillow | 12.1.0 | 12.1.1 | High | CVE-2026-25990 |
| pyasn1 | 0.6.2 | 0.6.3 | High | CVE-2026-30922 |
| pygments | 2.19.2 | 2.20.0 | Low | CVE-2026-4539 |
| pypdf | 6.6.2 | 6.7.2 | Low | CVE-2026-27628 |
| pypdf | 6.6.2 | 6.9.2 | Medium | CVE-2026-33699 |
| pypdf | 6.6.2 | 6.7.1 | Medium | CVE-2026-27024 |
| pypdf | 6.6.2 | 6.7.5 | Medium | CVE-2026-28804 |
| pypdf | 6.6.2 | 6.7.1 | Medium | CVE-2026-27026 |
| pypdf | 6.6.2 | 6.7.4 | Medium | CVE-2026-28351 |
| pypdf | 6.6.2 | 6.8.0 | Medium | CVE-2026-31826 |
| pypdf | 6.6.2 | 6.9.1 | Medium | CVE-2026-33123 |
| pypdf | 6.6.2 | 6.7.1 | Medium | CVE-2026-27025 |
| pypdf | 6.6.2 | 6.7.3 | Medium | CVE-2026-27888 |
| requests | 2.32.5 | 2.33.0 | Medium | CVE-2026-25645 |
| starlette | 0.41.2 | 0.47.2 | Medium | CVE-2025-54121 |
| starlette | 0.41.2 | 0.49.1 | High | CVE-2025-62727 |

What this PR does

  1. Scans all `uv.lock` files with grype for known CVEs
  2. Runs `uv lock --upgrade-package <pkg>` for each fixable vulnerability (skips major bumps)
  3. Bumps component versions (patch) and updates CHANGELOGs via version-bump

Created by lockfile-security-scan.
Targets transitive dependencies that Renovate cannot reach.


Note

Medium Risk
Primarily lockfile-driven dependency upgrades to remediate CVEs, which can still introduce runtime or compatibility regressions in document/crypto parsing libraries. Risk is limited by being patch/minor bumps with no application logic changes beyond the version bump.

Overview
Bumps the release to 0.1.2 and records a security release note for upgrading vulnerable transitive dependencies.

Updates uv.lock to pull in patched versions of key libraries (notably cryptography, onnx, pillow, pypdf, requests, nltk, deepdiff, pyasn1, pygments) and adjusts some platform markers (e.g., s390x handling) as part of the regenerated lockfile.

Written by Cursor Bugbot for commit 0271f37.

Packages upgraded: cryptography deepdiff nltk onnx pillow pyasn1 pygments pypdf requests starlette

Automated by lockfile-security-scan workflow.
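The scan-then-upgrade loop from "What this PR does", as an added example that is not code from the PR or from the lockfile-security-scan workflow: it reads a grype JSON report (the `matches[].artifact` / `matches[].vulnerability.fix` field layout is assumed from grype's output format), keeps only fixes that stay within the current major line, picks per package the lowest fix that still covers every CVE, and emits the `uv lock --upgrade-package pkg==version` commands to run. The sample report is constructed from rows of the table above plus two made-up packages (`examplelib`, `otherlib`, placeholder CVE ids) to exercise the major-bump and no-fix branches.

```python
import json
import re
from collections import defaultdict

def _match(pkg, cur, vid, state, fix):
    """Build one entry in grype's matches[] shape, keeping only the fields read below."""
    return {"artifact": {"name": pkg, "version": cur},
            "vulnerability": {"id": vid, "fix": {"state": state, "versions": fix}}}

# Constructed sample report: PR table rows plus two placeholder packages (fake CVE ids).
SAMPLE_REPORT = json.dumps({"matches": [
    _match("pypdf", "6.6.2", "CVE-2026-33699", "fixed", ["6.9.2"]),
    _match("pypdf", "6.6.2", "CVE-2026-27024", "fixed", ["6.7.1"]),
    _match("onnx", "1.20.1", "CVE-2026-34445", "fixed", ["1.21.0"]),
    _match("examplelib", "1.4.0", "CVE-PLACEHOLDER-1", "fixed", ["2.0.0"]),
    _match("otherlib", "0.3.0", "CVE-PLACEHOLDER-2", "not-fixed", []),
]})

def version_key(v):
    """Numeric tuple for ordering; suffixes such as 'rc1' are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", v))

def plan_upgrades(report_json):
    """Return ({package: target version}, [(package, vuln id, reason)] skipped).
    Per CVE: lowest fix above the current version in the same major line;
    per package: the highest of those, so every CVE is covered by one bump."""
    candidates, skipped = defaultdict(set), []
    for m in json.loads(report_json)["matches"]:
        pkg, cur = m["artifact"]["name"], m["artifact"]["version"]
        vuln, fix = m["vulnerability"], m["vulnerability"].get("fix", {})
        if fix.get("state") != "fixed" or not fix.get("versions"):
            skipped.append((pkg, vuln["id"], "no fix available"))
            continue
        same_major = [f for f in fix["versions"]
                      if version_key(f)[:1] == version_key(cur)[:1]
                      and version_key(f) > version_key(cur)]
        if not same_major:  # the PR's "skips major bumps" rule
            skipped.append((pkg, vuln["id"], f"only a major bump fixes it: {fix['versions']}"))
            continue
        candidates[pkg].add(min(same_major, key=version_key))
    return {p: max(vs, key=version_key) for p, vs in candidates.items()}, skipped

def upgrade_commands(upgrades):
    """The PR's 'uv lock --upgrade-package' step, pinned to the chosen version."""
    return [["uv", "lock", "--upgrade-package", f"{p}=={v}"]
            for p, v in sorted(upgrades.items())]

if __name__ == "__main__":  # print the plan for the constructed sample
    print(plan_upgrades(SAMPLE_REPORT), upgrade_commands(plan_upgrades(SAMPLE_REPORT)[0]))
```

On a real checkout, feed `plan_upgrades` the output of `grype -o json` over the project and run the returned commands; the pinned `pkg==version` form is this script's choice so the resolver cannot drift past the planned version.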
@lawrence-u10d added the dependencies and security labels Apr 3, 2026
@lawrence-u10d lawrence-u10d marked this pull request as draft April 3, 2026 14:36