Skip to content

security(deps): consolidate remediation grype/cargo-audit vulnerabilities across npm, python, rust, and go #667

Description

@katriendg

Summary

The grype/syft scan on PR #664 (plus cargo audit) flagged vulnerabilities across the npm, python, rust-crate, and go-module ecosystems. This issue tracks remediating each finding and resolving the outstanding Dependabot decision for opencv-python / numpy in the ROS2 connector.

Most findings are transitive and resolve via lockfile regeneration or scoped overrides/pins. A few require direct edits (507 OTel API port, opencv-python removal).

Vulnerabilities

Package Installed Fixed In Ecosystem Advisory Severity
lxml-html-clean 0.4.4 0.4.5 python GHSA-4jhm-jv67-739f High
http-proxy-middleware 2.0.9 2.0.10 npm GHSA-64mm-vxmg-q3vj Medium
uuid (8.3.2 / 9.0.1 / 11.1.0) 11.1.1 npm GHSA-w5hq-g745-h8pq Medium
js-yaml 3.14.2 3.15.0 npm GHSA-h67p-54hq-rp68 Medium
aiohttp 3.13.5 3.14.1 python multiple Medium/Low
opentelemetry_sdk 0.26.0 0.32.1 rust-crate GHSA-w9wp-h8wv-79jx Medium
crossbeam-epoch 0.9.18 0.9.20 rust-crate RUSTSEC-2026-0204 fails cargo-audit
golang.org/x/crypto v0.52.0 none go-module GO-2026-5932 unreachable

Dependabot decision: numpy 2.5.0→2.5.1 (safe patch, recompile only); opencv-python 4.13.0.92→5.0.0.93 offered but the package is unused in 506 → remove instead of adopting the major bump.

Remediation Plan

npm (scoped overrides + lockfile regen)

  • docs/docusaurus/package.json: add overrides http-proxy-middleware@^2.0.10 and js-yaml@^3^3.15.0 (scope to 3.x tree); npm install.
  • src/500-application/516-chat-with-your-factory/services/chat-with-your-factory/package.json: add scoped override uuid@^11^11.1.1; validate whether 8.x/9.x copies still flag before considering a blanket override or parent bumps.

python (edit .in, recompile .txt, Python 3.12)

  • aiohttp: pin aiohttp>=3.14.1 in requirements.in and .github/requirements/checkov.in, recompile both.
  • lxml-html-clean: add lxml-html-clean>=0.4.5 to src/500-application/510-onvif-connector/services/camera-dashboard/requirements.in, recompile.
  • numpy: recompile 506-ros2-connector requirements.base.txt (+ root requirements.txt); source >=2.5.0 already allows 2.5.1.
  • opencv-python: remove line 10 of src/500-application/506-ros2-connector/services/requirements.base.in (unused) and recompile.

rust

  • 507-ai-inference: bump tracing-opentelemetry 0.27→0.33, port OTel setup to 0.32 API (reference 501/504), also thiserror 1→2, rand 0.8→0.9; regenerate Cargo.lock.
  • crossbeam-epoch: cargo update -p crossbeam-epoch --precise 0.9.20 in each affected crate dir (511/operators/map; 507 ai-edge-inference; 507 ai-edge-inference-crate; 507 no-features-test).

go

  • GO-2026-5932: no fix exists; deprecated openpgp subpackage is unreachable. Verify with govulncheck ./... per module; add a justified osv-scanner.toml allowlist entry only if the SCA gate flags at module level.

Acceptance Criteria

  • All npm findings resolved; npm ci succeeds in both projects.
  • aiohttp ≥ 3.14.1 and lxml-html-clean ≥ 0.4.5 in recompiled requirements.txt files.
  • numpy 2.5.1 picked up; opencv-python removed from 506.
  • 507 builds on tracing-opentelemetry 0.33 with OTel 0.32.1; tests pass.
  • cargo audit --deny warnings passes in all affected crate dirs (crossbeam-epoch 0.9.20).
  • govulncheck confirms GO-2026-5932 non-reachable; suppression added only if required.
  • Grype scan passes; any obsolete .grype.yaml ignore rules removed.

References

Metadata

Metadata

Assignees

Labels

dependenciesDependency updatessecuritySecurity-related changes or concerns

Type

Fields

No fields configured for Task.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions