chore(deps): pin idna>=3.15 to clear CVE-2026-45409 #87
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a3846371ec
| limits[redis]>=5.8.0 | ||
| python-dotenv>=1.2.2,<2 | ||
| # Transitive (via httpx); pinned to clear CVE-2026-45409 | ||
| idna>=3.15,<4 |
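Review bot: the new `idna>=3.15,<4` line is a version floor with an upper bound, not a pin, yet the comment added above it says "pinned to clear CVE-2026-45409"; the version that actually gets installed and audited is fixed by requirements.lock, which is what CI's `pip-audit -r requirements.lock` reads, so the audit keeps seeing idna==3.11 until the lockfile is regenerated from this constraint and committed in the same change. Consider rewording the comment to "floor" or "constraint" and including the regenerated requirements.lock alongside this requirements.txt edit.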
Regenerate requirements.lock after pinning idna
The new idna>=3.15,<4 constraint in requirements.txt is not applied to the pinned lockfile, so CI’s dependency audit still reads idna==3.11 (.github/workflows/ci.yml runs pip-audit -r requirements.lock) and the Docker image still installs the vulnerable version from requirements.lock. In other words, this change doesn’t actually remediate the CVE in the audited/production dependency set until requirements.lock is regenerated and committed.
idna 3.11 (pulled in transitively via httpx) is flagged by pip-audit as CVE-2026-45409 (fixed in 3.15), failing the required `security` check on all PRs. The CI audits requirements.lock, so bump the pin there to 3.16; also add an idna>=3.15,<4 floor to requirements.txt so future lockfile regens stay clear. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
a384637 to ad852a0
Bumps __version__ to 0.19.2 and folds the [Unreleased] CHANGELOG block into a dated [0.19.2] release. Maintenance release covering the four Dependabot/security bumps merged since 0.19.1: idna 3.16 (#87, clears CVE-2026-45409), uvicorn >=0.47.0 (#86), pydantic-settings 2.14.1 (#84), and ruff 0.15.13 (#85, dev). No app-code or API changes. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
What

Pin `idna>=3.15,<4` in `requirements.txt`.

Why

`idna 3.11` is pulled in transitively (via `httpx`) and is flagged by `pip-audit` as CVE-2026-45409 (fixed in 3.15). Because `security` is a required status check, this currently fails CI on every open PR (e.g. #85, #86). Dependabot won't open a PR for it since it's an undeclared transitive dependency, so we pin it directly.

🤖 Generated with Claude Code