
Fix cves #2085

Merged
RoiGlinik merged 1 commit into master from fix_cves on May 21, 2026

Conversation

@moshemorad (Contributor)

No description provided.

@github-actions

github-actions Bot commented May 21, 2026

Docker image ready for 7626679 (built in 2m 41s)

⚠️ Warning: does not support ARM (ARM images are built on release only - not on every PR)

Use this tag to pull the image for testing.

📋 Copy commands

⚠️ Temporary images are deleted after 30 days. Copy to a permanent registry before using them:

gcloud auth configure-docker us-central1-docker.pkg.dev
docker pull us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:7626679
docker tag us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:7626679 me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:7626679
docker push me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:7626679

Patch Helm values in one line:

helm upgrade --install robusta robusta/robusta \
  --reuse-values \
  --set runner.image=me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:7626679

@coderabbitai

coderabbitai Bot commented May 21, 2026

Review Change Stack

Walkthrough

Two independent dependency updates are applied: the Dockerfile runtime stage adds the libcap2 system package, and pyproject.toml bumps urllib3 from ^2.6.3 to ^2.7.0. Both are straightforward maintenance changes with no functional impact.

Changes

Dependency Updates

Layer: Runtime package addition
File(s): Dockerfile
Summary: The Dockerfile runtime stage apt-get install command is updated to include libcap2 alongside existing runtime packages (libexpat1, libc6, libc-bin).

Layer: Python dependency version bump
File(s): pyproject.toml
Summary: Poetry-managed dependency urllib3 is updated from ^2.6.3 to ^2.7.0 under [tool.poetry.dependencies].

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • robusta-dev/robusta#2035: Updates urllib3 version constraint in pyproject.toml as part of a dependency maintenance sequence.

Suggested reviewers

  • naomi-robusta
  • RoiGlinik

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Description check: ❓ Inconclusive. No pull request description was provided by the author, making it impossible to assess relevance to the changeset. Resolution: Add a description explaining which CVEs are being fixed and why the specific dependency updates and package additions address them.

✅ Passed checks (4 passed)

Title check: ✅ Passed. The title 'Fix cves' is related to the changeset, which addresses CVE fixes by updating dependencies and adding security-related packages.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pyproject.toml`:
- Line 77: Add a one-line comment immediately above the dependency line urllib3
= "^2.7.0" in pyproject.toml documenting the security advisories fixed by 2.7.0:
mention the “Decompression-bomb safeguards bypassed in parts of the streaming
API” and “Sensitive headers forwarded across origins in proxied low-level
redirects” issues and include the corresponding GHSA/CVE identifiers or links to
the GitHub advisory pages (e.g., GHSA IDs or CVE numbers) so it matches the
comment pattern used for other security bumps in the file.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: dff57532-745b-4a02-be25-8adc28793245

📥 Commits

Reviewing files that changed from the base of the PR and between 6c65f92 and 35584cd.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (2)
  • Dockerfile
  • pyproject.toml

@RoiGlinik RoiGlinik enabled auto-merge (squash) May 21, 2026 08:23
@RoiGlinik RoiGlinik merged commit 13c5873 into master May 21, 2026
7 checks passed
@RoiGlinik RoiGlinik deleted the fix_cves branch May 21, 2026 08:36