fix(deps): remediate remaining Dependabot security alerts (docs + dev tooling)#229

Merged: pontino merged 1 commit into main from security/bump-vuln-deps on Jun 3, 2026
Conversation

@pontino (Collaborator) commented Jun 3, 2026
Summary

Clears the 8 remaining open Dependabot security alerts. All are in non-shipped surfaces (docs-site build tooling + SDK dev/test tooling) — none affect the published eggai runtime. The shipped-SDK alerts were already resolved by the recent fastmcp/authlib/faststream merges (#228, #227, #210).

docs/poetry.lock — 7 alerts (transitive mkdocs deps)

| Package | Before → After | Alerts |
|---|---|---|
| urllib3 | 2.6.2 → 2.7.0 | GHSA-qccp-gfcp-xxvc (high), GHSA-mf9v-mfxr-j63j (high), GHSA-38jv-5279-wg99 (high) |
| requests | 2.32.5 → 2.34.2 | GHSA-gc5v-m9x4-r6x2 (med) |
| pymdown-extensions | 10.19.1 → 10.21.3 | GHSA-62q4-447f-wv8h (med) |
| idna | 3.11 → 3.18 | GHSA-65pc-fj4g-8rjx (med) |
| Pygments | 2.19.2 → 2.20.0 | GHSA-5239-wwwm-4pmq (low) |

sdk — 1 alert (dev/test only)

  • pytest ^8.3.4 → ^9.0.0 (9.0.3) — clears GHSA-6w46-j5rx-g56g (insecure tmpdir handling).
  • pytest-asyncio ^0.24 → >=1.0,<2 (1.4.0) — required for pytest 9 compatibility.

Validation

  • poetry check --lock consistent for both manifests.
  • SDK suite under pytest 9.0.3 / pytest-asyncio 1.4.0: 12 passed, 40 skipped (kafka/redis integration auto-skip without brokers — identical to CI). No collection/runtime errors.
  • No runtime/shipped-package impact: docs deps are build-only; pytest is dev-only.

docs/poetry.lock: bump transitive urllib3 2.6.2->2.7.0, requests 2.32.5->2.34.2,
idna 3.11->3.18, pygments 2.19.2->2.20.0, pymdown-extensions 10.19.1->10.21.3
(clears GHSA-qccp-gfcp-xxvc, GHSA-mf9v-mfxr-j63j, GHSA-38jv-5279-wg99,
GHSA-gc5v-m9x4-r6x2, GHSA-65pc-fj4g-8rjx, GHSA-62q4-447f-wv8h, GHSA-5239-wwwm-4pmq).

sdk: bump pytest ^8.3.4->^9.0.0 (9.0.3) + pytest-asyncio ^0.24->>=1.0,<2 (1.4.0)
to clear GHSA-6w46-j5rx-g56g (tmpdir handling). Dev/test-only. Suite: 12 passed,
40 skipped (kafka/redis integration auto-skip, same as CI).
@github-actions github-actions bot (Contributor) commented Jun 3, 2026
QualOps Code Quality Analysis

Status: ✅ PASSED - No issues found

Summary

  • Total Issues: 0
  • Critical: 0 🔴
  • High: 0 🟠
  • Medium: 0 🟡
  • Low: 0 🟢
  • Files Analyzed: 0

No issues found in the analyzed code.


@pontino pontino merged commit b044ca9 into main Jun 3, 2026
10 checks passed