Bump dependencies to remediate CVEs (aiohttp, starlette, pyjwt, urllib3, python-dotenv, python-multipart) #932
Open
fabianvf wants to merge 1 commit into
…b3, python-dotenv, python-multipart)

Raise security floors in kai_mcp_solution_server for the CVEs from JIRA_TICKETS.md that actually affect our dependency tree:

- aiohttp 3.13.3 -> >=3.14.0 (RCE via CookieJar.load on untrusted input)
- starlette 0.51.0 -> >=1.3.1 (malformed Host header bypass; urlencoded form limits ignored)
- python-multipart 0.0.21 -> >=0.0.27 (DoS via excessive multipart headers)
- python-dotenv 1.2.1 -> >=1.2.2 (arbitrary file overwrite via symlink)
- pyjwt 2.10.1 -> >=2.13.0 (auth bypass via forged JWT HMAC/JWK confusion)
- urllib3 2.6.3 -> >=2.7.0 (decompression DoS; header leak on cross-origin redirect)

Non-applicable ticket entries (Jupyter*, vLLM, mistune, joserfc, OpenTelemetry Java) are not present in any dependency tree; no action.

uv.lock and requirements.txt regenerated (requirements.txt materialized on Linux to match CI's verify-requirements-txt check).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
No actionable comments were generated in the recent review.
Walkthrough
This PR raises minimum/pinned versions for several dependencies (urllib3, aiohttp, python-dotenv, python-multipart, pyjwt, starlette) in
Changes
Dependency version updates
Estimated code review effort: 1 (Trivial) | ~5 minutes
Pre-merge checks: 5 passed
Summary

Remediates the CVEs from JIRA_TICKETS.md that actually affect kai_mcp_solution_server's dependency tree by raising security floors to the fixed releases. Most tickets in the list (all Jupyter/JupyterLab/nbconvert, vLLM, mistune, joserfc, and OpenTelemetry Java) do not apply — those packages are absent from every lockfile (we use OpenTelemetry for Go and Python only).

CookieJar.load() on untrusted input
request.form() urlencoded limits ignored (DoS)

Floors are pinned in pyproject.toml following the repo's existing convention (zipp/pyasn1/urllib3 are already listed as transitive security floors). uv.lock and requirements.txt are regenerated; requirements.txt was materialized on Linux to match the verify-requirements-txt CI check.

Testing

- run_mypy.sh (CI type check) passes.
- test_mcp_client_endpoints and test_tool_metadata pass on the new deps, confirming the starlette 0→1 major bump serves correctly over the real stdio/ASGI path.
- test_solution_server_1 fails with a pre-existing, timing-related IndexError (empty hint content) that reproduces identically on the untouched baseline, i.e. it is not caused by these bumps.

🤖 Generated with Claude Code
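A reviewer-side check for the floors listed in the commit message, as an added example that is not part of this PR or the project's code: it parses requirements.txt-style text and reports every package pinned below its floor. The sample file contents are constructed, and the comparison assumes plain numeric release versions (no pre/post/dev handling).

```python
import re

# Floors and the previous pins are the ones listed in this PR's commit message.
FLOORS = {"aiohttp": "3.14.0", "starlette": "1.3.1", "python-multipart": "0.0.27",
          "python-dotenv": "1.2.2", "pyjwt": "2.13.0", "urllib3": "2.7.0"}

# Constructed sample shaped like an exported requirements.txt, carrying the old pins.
BEFORE = """\
aiohttp==3.13.3 \\
    --hash=sha256:<placeholder>
    # via example-app (constructed annotation)
PyJWT==2.10.1 ; python_version >= "3.12"
python_dotenv==1.2.1
python-multipart==0.0.21
starlette==0.51.0
urllib3==2.6.3
"""
AFTER = "".join(f"{name}=={floor}\n" for name, floor in FLOORS.items())

PIN = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*(\d+(?:\.\d+)*)")

def normalize(name):
    """PEP 503 normalization, so PyJWT and python_dotenv match the floor keys."""
    return re.sub(r"[-_.]+", "-", name).lower()

def release(version):
    """Numeric release tuple with trailing zeros dropped, so 2.7 equals 2.7.0."""
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def check_floors(requirements_text, floors=FLOORS):
    """Return {package: reason} for each floor the pinned set does not satisfy."""
    pinned = {}
    for line in requirements_text.splitlines():
        match = PIN.match(line.strip())  # hash and comment lines never match
        if match:
            pinned[normalize(match.group(1))] = match.group(2)
    findings = {}
    for name, floor in floors.items():
        have = pinned.get(normalize(name))
        if have is None:
            findings[name] = "not pinned"
        elif release(have) < release(floor):
            findings[name] = f"{have} < {floor}"
    return findings

if __name__ == "__main__":
    print(check_floors(BEFORE), check_floors(AFTER))
```

A package reported as "not pinned" may simply be absent from that dependency tree, so that result calls for a look at the lockfile rather than an automatic failure.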