Bump dependencies to remediate CVEs (aiohttp, starlette, pyjwt, urllib3, python-dotenv, python-multipart) #932

Open
fabianvf wants to merge 1 commit into konveyor:main from fabianvf:cve-remediation-deps

fabianvf commented Jul 1, 2026

Summary

Remediates the CVEs from JIRA_TICKETS.md that actually affect kai_mcp_solution_server's dependency tree by raising security floors to the fixed releases. Most tickets in the list (all Jupyter/JupyterLab/nbconvert, vLLM, mistune, joserfc, and OpenTelemetry Java) do not apply — those packages are absent from every lockfile (we use OpenTelemetry for Go and Python only).

| Package | Before → After | CVE |
|---|---|---|
| aiohttp | 3.13.3 → ≥3.14.0 | RCE via CookieJar.load() on untrusted input |
| starlette | 0.51.0 → ≥1.3.1 | malformed Host-header restriction bypass; request.form() urlencoded limits ignored (DoS) |
| python-multipart | 0.0.21 → ≥0.0.27 | DoS via excessive multipart part headers |
| python-dotenv | 1.2.1 → ≥1.2.2 | arbitrary file overwrite via symlink following |
| pyjwt | 2.10.1 → ≥2.13.0 | auth bypass via forged JWT (HMAC/JWK confusion) |
| urllib3 | 2.6.3 → ≥2.7.0 | decompression DoS; sensitive-header leak on cross-origin redirect |

Floors are pinned in pyproject.toml following the repo's existing convention (zipp/pyasn1/urllib3 are already listed as transitive security floors). uv.lock and requirements.txt are regenerated; requirements.txt was materialized on Linux to match the verify-requirements-txt CI check.

Testing

  • run_mypy.sh (CI type check) passes.
  • Integration suite run in a CI-equivalent Linux env: test_mcp_client_endpoints and test_tool_metadata pass on the new deps — confirming the starlette 0→1 major bump serves correctly over the real stdio/ASGI path.
  • test_solution_server_1 fails with a pre-existing, timing-related IndexError (empty hint content) that reproduces identically on the untouched baseline, i.e. it is not caused by these bumps.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated several Python dependency minimums and pins.
    • Included newer versions of networking, authentication, and web framework packages.
    • These updates help keep the app aligned with current supported releases and improve stability/security.

…b3, python-dotenv, python-multipart)

Raise security floors in kai_mcp_solution_server for the CVEs from
JIRA_TICKETS.md that actually affect our dependency tree:

- aiohttp        3.13.3 -> >=3.14.0  (RCE via CookieJar.load on untrusted input)
- starlette      0.51.0 -> >=1.3.1   (malformed Host header bypass; urlencoded form limits ignored)
- python-multipart 0.0.21 -> >=0.0.27 (DoS via excessive multipart headers)
- python-dotenv  1.2.1  -> >=1.2.2   (arbitrary file overwrite via symlink)
- pyjwt          2.10.1 -> >=2.13.0  (auth bypass via forged JWT HMAC/JWK confusion)
- urllib3        2.6.3  -> >=2.7.0   (decompression DoS; header leak on cross-origin redirect)

Non-applicable ticket entries (Jupyter*, vLLM, mistune, joserfc,
OpenTelemetry Java) are not present in any dependency tree; no action.

uv.lock and requirements.txt regenerated (requirements.txt materialized
on Linux to match CI's verify-requirements-txt check).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

coderabbitai Bot commented Jul 1, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 29ae739 and 6d4f468.

⛔ Files ignored due to path filters (1)
  • kai_mcp_solution_server/uv.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • kai_mcp_solution_server/pyproject.toml
  • kai_mcp_solution_server/requirements.txt

Walkthrough

This PR raises minimum/pinned versions for several dependencies (urllib3, aiohttp, python-dotenv, python-multipart, pyjwt, starlette) in pyproject.toml and requirements.txt, adding a "security floors" comment for transitive dependency constraints.

Changes

Dependency version updates

| Layer / File(s) | Summary |
|---|---|
| Security floor constraints: kai_mcp_solution_server/pyproject.toml | Raises urllib3 minimum to >=2.7.0 and adds new minimum-version constraints for aiohttp, python-dotenv, python-multipart, pyjwt, and starlette, with a "security floors" comment. |
| Pinned version bumps: kai_mcp_solution_server/requirements.txt | Bumps pinned versions: aiohttp (3.13.3 → 3.14.1), pyjwt (2.10.1 → 2.13.0), python-dotenv (1.2.1 → 1.2.2), python-multipart (0.0.21 → 0.0.32), starlette (0.51.0 → 1.3.1), and urllib3 (2.6.3 → 2.7.0). |

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main change: dependency bumps made to remediate CVEs. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Comment @coderabbitai help to get the list of available commands.
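
A check for the "security floors" approach described in this thread, as an added example that is not part of the PR or the konveyor repository: it parses a requirements.txt and reports every pin that falls below the floors listed in the PR description. `FLOORS`, the helper names and both sample files are constructed for illustration (the versions are the before/after values quoted above); the numeric comparison assumes plain dotted release pins and reports anything else instead of trusting it.

```python
import re

# Security floors from the PR description in this thread.
FLOORS = {"aiohttp": "3.14.0", "starlette": "1.3.1", "python-multipart": "0.0.27",
          "python-dotenv": "1.2.2", "pyjwt": "2.13.0", "urllib3": "2.7.0"}

# name, optional [extras], then an exact pin; the version stops at whitespace, ';' or '\'.
PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;\\]+)")

# Constructed requirements.txt samples using the before/after versions quoted above.
BEFORE = """\
aiohttp==3.13.3 \\
    --hash=sha256:0000  # constructed placeholder hash
PyJWT[crypto]==2.10.1
python_multipart==0.0.21
python-dotenv==1.2.1
starlette==0.51.0 ; python_version >= "3.12"
urllib3==2.6.3
"""
AFTER = ("aiohttp==3.14.1\npyjwt==2.13.0\npython-dotenv==1.2.2\n"
         "python-multipart==0.0.32\nstarlette==1.3.1\nurllib3==2.7.0\n")

def normalize(name):
    """PEP 503 normalization so PyJWT and python_multipart match their floors."""
    return re.sub(r"[-_.]+", "-", name).lower()

def below(pinned, floor):
    """True if pinned < floor; raises ValueError on non-numeric (pre-release) pins."""
    a, b = (tuple(int(p) for p in v.split(".")) for v in (pinned, floor))
    width = max(len(a), len(b))  # pad so that 2.7 compares equal to 2.7.0
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def floor_violations(requirements_text, floors=FLOORS):
    """Return (package, pinned, floor) for each pin that does not meet its floor."""
    pins = {}
    for line in requirements_text.splitlines():
        match = PIN.match(line.strip())  # comment and --hash lines do not match
        if match:
            pins[normalize(match.group(1))] = match.group(2)
    bad = []
    for name, floor in floors.items():
        pinned = pins.get(normalize(name))
        try:
            if pinned is not None and below(pinned, floor):
                bad.append((name, pinned, floor))
        except ValueError:  # fail closed: a pin that cannot be compared is reported
            bad.append((name, pinned, floor))
    return bad
```

A package with a floor but no pin is treated as absent from the dependency tree and is not reported, which matches how the PR handles the non-applicable tickets.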
