chore: resolve open dependabot security alerts #389
jonathannorris wants to merge 1 commit into main from
Conversation
Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files (Coverage Diff):

| | main | #389 | +/- |
|---|---|---|---|
| Coverage | 90.16% | 96.20% | +6.04% |
| Files | 1 | 47 | +46 |
| Lines | 122 | 1741 | +1619 |
| Hits | 110 | 1675 | +1565 |
| Misses | 12 | 66 | +54 |
Code Review
This pull request updates the mako dependency to version 1.3.12 in pyproject.toml and uv.lock to address a security vulnerability. Feedback indicates that several unrelated version bumps for openfeature packages were included in the lockfile, which violates the project's policy against manual version updates and introduces unnecessary risk to a security-focused change.
| [[package]] | ||
| name = "openfeature-flagd-api" | ||
| version = "0.1.0" | ||
| version = "1.0.0" |
This version bump for openfeature-flagd-api (0.1.0 -> 1.0.0) appears unrelated to the mako security fix. Including major version changes in a security chore PR is risky and out of scope. Please ensure the lockfile only contains the intended mako update and any strictly necessary transitive updates.
version = "0.1.0"
References
- Do not manually update the version in pyproject.toml or the changelog, as this is handled automatically.
| [[package]] | ||
| name = "openfeature-flagd-core" | ||
| version = "0.1.0" | ||
| version = "1.0.0" |
This version bump for openfeature-flagd-core (0.1.0 -> 1.0.0) appears unrelated to the mako security fix. Including major version changes in a security chore PR is risky and out of scope.
version = "0.1.0"
References
- Do not manually update the version in pyproject.toml or the changelog, as this is handled automatically.
| [[package]] | ||
| name = "openfeature-provider-flagd" | ||
| version = "0.4.0" | ||
| version = "0.4.1" |
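Review bot: This bump of openfeature-provider-flagd (0.4.0 -> 0.4.1) has no connection to the mako fix this PR is about, and like the flagd-api and flagd-core bumps above it should not be in uv.lock for a security chore; regenerate the lock so it carries only the mako update and any strictly necessary transitive changes.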
| [[package]] | ||
| name = "openfeature-provider-ofrep" | ||
| version = "0.2.0" | ||
| version = "0.3.0" |
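Review bot: The openfeature-provider-ofrep bump (0.2.0 -> 0.3.0) is another unrelated change, and a minor bump on a 0.x package can carry breaking API changes; drop it from this PR and, if it is wanted, land it in its own change with its own review.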
| [tool.uv] | ||
| required-version = ">=0.10.0" | ||
| package = false | ||
| constraint-dependencies = [ |
I think this is not needed, a normal uv sync update should be enough. There is also a specialized command to only update a single package.
yea, good call — we shouldn't be adding constraint-dependencies here. will update to use uv lock --upgrade-package mako instead and drop that pyproject.toml change.
Summary

- mako to >=1.3.12 via a constraint-dependencies entry in the root pyproject.toml to resolve CVE-2026-44307 (high severity, path traversal via backslash URI on Windows in TemplateLookup)
- uv.lock with mako 1.3.11 -> 1.3.12
- Fixes Dependabot alert #30.
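The review thread's main ask is that the lockfile change stay limited to mako plus strictly necessary transitive updates. The following script, added here as an example and not part of this repository, makes that a mechanical check: it parses a "before" and "after" snapshot of uv.lock, lists every [[package]] whose version differs, and flags any that is not on the allow-list of packages the PR was meant to touch. It needs Python 3.11+ for tomllib; the two lockfile snippets are constructed for the demo and are not the project's real lock.

```python
"""Scope check for a uv.lock change (added example, not repository code).

Loads two uv.lock snapshots, collects the locked version of every
[[package]] table, and reports changes outside an allow-list so a
single-package security bump can be verified not to drag in unrelated
upgrades. Python 3.11+ (tomllib). Snapshots below are constructed.
"""
import tomllib

# Constructed 'before' snapshot: mako 1.3.11 plus two bystander packages.
LOCK_BEFORE = """\
version = 1
requires-python = ">=3.9"

[[package]]
name = "mako"
version = "1.3.11"
dependencies = [
    { name = "markupsafe" },
]

[[package]]
name = "markupsafe"
version = "2.1.5"

[[package]]
name = "openfeature-flagd-api"
version = "0.1.0"
"""

# Constructed 'after' snapshot: mako bumped as intended, but the lock was
# regenerated and also moved openfeature-flagd-api to a new major version.
LOCK_AFTER = """\
version = 1
requires-python = ">=3.9"

[[package]]
name = "mako"
version = "1.3.12"
dependencies = [
    { name = "markupsafe" },
]

[[package]]
name = "markupsafe"
version = "2.1.5"

[[package]]
name = "openfeature-flagd-api"
version = "1.0.0"
"""


def package_versions(lock_text: str) -> dict[str, str]:
    """Map package name -> locked version for every [[package]] table."""
    data = tomllib.loads(lock_text)
    return {pkg["name"]: pkg["version"] for pkg in data.get("package", [])}


def version_changes(before: str, after: str) -> dict[str, tuple[str | None, str | None]]:
    """All packages whose version differs; None marks absence in a snapshot."""
    old, new = package_versions(before), package_versions(after)
    return {
        name: (old.get(name), new.get(name))
        for name in sorted(set(old) | set(new))
        if old.get(name) != new.get(name)
    }


def out_of_scope_changes(before: str, after: str, intended: set[str]) -> dict[str, tuple[str | None, str | None]]:
    """Version changes to packages that were not the purpose of the PR."""
    return {n: c for n, c in version_changes(before, after).items() if n not in intended}


if __name__ == "__main__":
    for name, (old, new) in version_changes(LOCK_BEFORE, LOCK_AFTER).items():
        print(f"{name}: {old} -> {new}")
    stray = out_of_scope_changes(LOCK_BEFORE, LOCK_AFTER, {"mako"})
    if stray:
        print("unexpected lockfile changes:", ", ".join(sorted(stray)))
```

In CI the two snapshots would come from `git show main:uv.lock` and the working tree; a non-empty result from `out_of_scope_changes` is the signal that `uv lock --upgrade-package mako` (the command the thread settles on) was not what actually produced the diff.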
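The Summary names the bug class being patched: path traversal through a backslash in a template URI on Windows, where the OS treats `\` as a separator that a POSIX-style guard never looks at. The example below is added for illustration and is neither mako's code nor the fix shipped in 1.3.12; `naive_is_safe` shows the gap, and `safe_template_path` is one platform-independent way to keep a resolved template path under its root. `ROOT` and the sample URIs are constructed.

```python
"""Template-URI containment check (added example; not mako's implementation).

Shows why a guard that only splits on '/' misses '..\\' on Windows, and a
hardened lookup that rejects backslashes and parent segments outright so the
answer is the same on every platform. ROOT and the URIs are constructed.
"""
import posixpath

ROOT = "/srv/app/templates"  # constructed template root for the demo


def naive_is_safe(uri: str) -> bool:
    """POSIX-only guard: looks for '..' path segments split on '/' and nothing else.

    On Windows '..\\..\\secret.txt' passes this check, yet the filesystem
    resolves the backslashes as directory separators and walks upward.
    """
    return ".." not in uri.split("/")


def safe_template_path(root: str, uri: str) -> str:
    """Return the template path under root, or raise ValueError if uri could escape.

    Backslashes and NUL are rejected rather than normalised; '.' and empty
    segments are dropped; any '..' segment is refused; the joined result is
    finally required to sit strictly below root as a belt-and-braces check.
    """
    if "\\" in uri or "\x00" in uri:
        raise ValueError(f"rejected template uri {uri!r}: backslash or NUL byte")
    segments = [s for s in uri.split("/") if s not in ("", ".")]
    if ".." in segments:
        raise ValueError(f"rejected template uri {uri!r}: parent-directory segment")
    base = root.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, *segments))
    if not candidate.startswith(base + "/"):
        raise ValueError(f"rejected template uri {uri!r}: resolves outside {base}")
    return candidate


if __name__ == "__main__":
    for uri in ("pages/index.html", "../secret.txt", "..\\..\\secret.txt"):
        try:
            print(f"{uri!r:24} -> {safe_template_path(ROOT, uri)}")
        except ValueError as exc:
            print(f"{uri!r:24} -> {exc}")
```

A real lookup would additionally resolve the candidate with `os.path.realpath` and repeat the containment test, so that symlinks inside the template directory cannot point back out of it.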