
chore: Fix Dependabot security alerts #536

Open
Kanchan-Microsoft wants to merge 1 commit into dev from feature/dependabot-security-fixes

Conversation

@Kanchan-Microsoft (Contributor)

Purpose

This pull request updates dependencies across the ContentProcessor, ContentProcessorAPI, ContentProcessorWorkflow, and ContentProcessorWeb projects to improve security, compatibility, and feature support. The changes include upgrading several core libraries, aligning versions between requirements and project files, and adding new dependencies to support authentication, serialization, and other features.

Python backend dependency updates:

  • Upgraded cryptography to 46.0.7 and pyjwt to 2.12.0 across all Python projects for improved security and compatibility (src/ContentProcessor/requirements.txt, src/ContentProcessorAPI/requirements.txt, src/ContentProcessorWorkflow/pyproject.toml).
  • Updated requests to 2.33.0 and pygments to 2.20.0 in both ContentProcessor and ContentProcessorAPI to ensure consistency and access to latest features and fixes (src/ContentProcessor/requirements.txt, src/ContentProcessorAPI/requirements.txt).
  • Added new dependencies such as protobuf, pyasn1, python-multipart, and authlib to support authentication, serialization, and multipart form handling (src/ContentProcessor/pyproject.toml, src/ContentProcessorAPI/pyproject.toml, src/ContentProcessorWorkflow/pyproject.toml).
  • Upgraded aiohttp and fastmcp to their latest versions in ContentProcessorWorkflow to maintain compatibility and receive latest fixes (src/ContentProcessorWorkflow/pyproject.toml).

JavaScript frontend dependency updates:

  • Bumped node-forge and postcss to newer versions for security and compatibility in package.json and pnpm overrides (src/ContentProcessorWeb/package.json).
  • Added and updated multiple pnpm overrides for libraries such as axios, lodash, yaml, webpack-dev-server, and others to ensure compatibility and resolve potential vulnerabilities (src/ContentProcessorWeb/package.json).

These updates help keep the codebase secure, up-to-date, and compatible with the latest features and dependencies.

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

  • ...

Other Information
