Summary
The grype/syft scan on PR #664 (plus cargo audit) flagged vulnerabilities across the npm, python, rust-crate, and go-module ecosystems. This issue tracks remediating each finding and resolving the outstanding Dependabot decision for opencv-python / numpy in the ROS2 connector.
Most findings are transitive and resolve via lockfile regeneration or scoped overrides/pins. A few require direct edits (507 OTel API port, opencv-python removal).
Vulnerabilities
| Package |
Installed |
Fixed In |
Ecosystem |
Advisory |
Severity |
| lxml-html-clean |
0.4.4 |
0.4.5 |
python |
GHSA-4jhm-jv67-739f |
High |
| http-proxy-middleware |
2.0.9 |
2.0.10 |
npm |
GHSA-64mm-vxmg-q3vj |
Medium |
| uuid (8.3.2 / 9.0.1 / 11.1.0) |
— |
11.1.1 |
npm |
GHSA-w5hq-g745-h8pq |
Medium |
| js-yaml |
3.14.2 |
3.15.0 |
npm |
GHSA-h67p-54hq-rp68 |
Medium |
| aiohttp |
3.13.5 |
3.14.1 |
python |
multiple |
Medium/Low |
| opentelemetry_sdk |
0.26.0 |
0.32.1 |
rust-crate |
GHSA-w9wp-h8wv-79jx |
Medium |
| crossbeam-epoch |
0.9.18 |
0.9.20 |
rust-crate |
RUSTSEC-2026-0204 |
fails cargo-audit |
| golang.org/x/crypto |
v0.52.0 |
none |
go-module |
GO-2026-5932 |
unreachable |
Dependabot decision: numpy 2.5.0→2.5.1 (safe patch, recompile only); opencv-python 4.13.0.92→5.0.0.93 offered but the package is unused in 506 → remove instead of adopting the major bump.
Remediation Plan
npm (scoped overrides + lockfile regen)
docs/docusaurus/package.json: add overrides http-proxy-middleware@^2.0.10 and js-yaml@^3 → ^3.15.0 (scope to 3.x tree); npm install.
src/500-application/516-chat-with-your-factory/services/chat-with-your-factory/package.json: add scoped override uuid@^11 → ^11.1.1; validate whether 8.x/9.x copies still flag before considering a blanket override or parent bumps.
python (edit .in, recompile .txt, Python 3.12)
- aiohttp: pin
aiohttp>=3.14.1 in requirements.in and .github/requirements/checkov.in, recompile both.
- lxml-html-clean: add
lxml-html-clean>=0.4.5 to src/500-application/510-onvif-connector/services/camera-dashboard/requirements.in, recompile.
- numpy: recompile
506-ros2-connector requirements.base.txt (+ root requirements.txt); source >=2.5.0 already allows 2.5.1.
- opencv-python: remove line 10 of
src/500-application/506-ros2-connector/services/requirements.base.in (unused) and recompile.
rust
- 507-ai-inference: bump
tracing-opentelemetry 0.27→0.33, port OTel setup to 0.32 API (reference 501/504), also thiserror 1→2, rand 0.8→0.9; regenerate Cargo.lock.
- crossbeam-epoch:
cargo update -p crossbeam-epoch --precise 0.9.20 in each affected crate dir (511/operators/map; 507 ai-edge-inference; 507 ai-edge-inference-crate; 507 no-features-test).
go
- GO-2026-5932: no fix exists; deprecated
openpgp subpackage is unreachable. Verify with govulncheck ./... per module; add a justified osv-scanner.toml allowlist entry only if the SCA gate flags at module level.
Acceptance Criteria
References
Summary
The grype/syft scan on PR #664 (plus
cargo audit) flagged vulnerabilities across the npm, python, rust-crate, and go-module ecosystems. This issue tracks remediating each finding and resolving the outstanding Dependabot decision for opencv-python / numpy in the ROS2 connector.Most findings are transitive and resolve via lockfile regeneration or scoped
overrides/pins. A few require direct edits (507 OTel API port, opencv-python removal).Vulnerabilities
Dependabot decision: numpy 2.5.0→2.5.1 (safe patch, recompile only); opencv-python 4.13.0.92→5.0.0.93 offered but the package is unused in 506 → remove instead of adopting the major bump.
Remediation Plan
npm (scoped overrides + lockfile regen)
docs/docusaurus/package.json: add overrideshttp-proxy-middleware@^2.0.10andjs-yaml@^3→^3.15.0(scope to 3.x tree);npm install.src/500-application/516-chat-with-your-factory/services/chat-with-your-factory/package.json: add scoped overrideuuid@^11→^11.1.1; validate whether 8.x/9.x copies still flag before considering a blanket override or parent bumps.python (edit
.in, recompile.txt, Python 3.12)aiohttp>=3.14.1inrequirements.inand.github/requirements/checkov.in, recompile both.lxml-html-clean>=0.4.5tosrc/500-application/510-onvif-connector/services/camera-dashboard/requirements.in, recompile.506-ros2-connectorrequirements.base.txt(+ rootrequirements.txt); source>=2.5.0already allows 2.5.1.src/500-application/506-ros2-connector/services/requirements.base.in(unused) and recompile.rust
tracing-opentelemetry0.27→0.33, port OTel setup to 0.32 API (reference 501/504), alsothiserror1→2,rand0.8→0.9; regenerate Cargo.lock.cargo update -p crossbeam-epoch --precise 0.9.20in each affected crate dir (511/operators/map; 507 ai-edge-inference; 507 ai-edge-inference-crate; 507 no-features-test).go
openpgpsubpackage is unreachable. Verify withgovulncheck ./...per module; add a justifiedosv-scanner.tomlallowlist entry only if the SCA gate flags at module level.Acceptance Criteria
npm cisucceeds in both projects.requirements.txtfiles.tracing-opentelemetry0.33 with OTel 0.32.1; tests pass.cargo audit --deny warningspasses in all affected crate dirs (crossbeam-epoch 0.9.20).govulncheckconfirms GO-2026-5932 non-reachable; suppression added only if required..grype.yamlignore rules removed.References