
fix(deps): patch 7 CVEs in yt-dlp and python-multipart#68

Merged: windoze95 merged 1 commit into main from fix/dep-audit-cves on Jun 27, 2026

Conversation

@windoze95 (Owner)

Standalone infra fix (kept separate from feature PRs). pip-audit reports 7 known vulnerabilities in two pinned dependencies on main — newly disclosed since the pins were last set, so CI's Dependency Audit now fails on every PR.

| Package | From | To | Advisories |
| --- | --- | --- | --- |
| yt-dlp | 2026.2.21 | 2026.6.9 | CVE-2026-50019, CVE-2026-50023, CVE-2026-50574, GHSA-69qj-pvh9-c5wg |
| python-multipart | 0.0.27 | 0.0.32 | CVE-2026-53538, CVE-2026-53539, CVE-2026-53540 |

Why these versions

  • yt-dlp 2026.6.9 is the advisory fix version and the current latest, which also clears the non-blocking "yt-dlp Version Check" warning.
  • python-multipart 0.0.32 covers all three CVEs; fastapi 0.135.1 only requires >=0.0.18, so it's compatible.

Verification (local)

  • pip-audit -r requirements.txt → No known vulnerabilities found
  • pytest -q against the bumped versions → 80 passed

Supersedes the partial dependabot bump #48 (yt-dlp 2026.3.17, which is older than the 2026.6.9 fix).

🤖 Generated with Claude Code

https://claude.ai/code/session_01RXMKM1rDWn8wNh93MMUtxY

pip-audit flags 7 known vulnerabilities in two pinned deps on main:
- yt-dlp 2026.2.21 -> 2026.6.9 (CVE-2026-50019/50023/50574, GHSA-69qj-pvh9-c5wg)
- python-multipart 0.0.27 -> 0.0.32 (CVE-2026-53538/53539/53540)

Both bumps are API-compatible (fastapi only requires python-multipart>=0.0.18);
all 80 tests pass and `pip-audit -r requirements.txt` now reports no known
vulnerabilities. yt-dlp is pinned to the latest release, clearing the
version-check warning as well.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RXMKM1rDWn8wNh93MMUtxY
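The PR's reasoning ("is the pin at or above the advisory's fix version, and does the bump still satisfy what fastapi declares?") can be expressed as a small pre-merge check. The following is an added example, not code from this repository or from pip-audit: the advisory table and the fastapi lower bound (>=0.0.18) are taken from the PR description above, the two requirements files are constructed sample input mirroring the before/after pins, and the version comparison assumes purely numeric dotted versions (a real tool would use `packaging.version` and a live advisory feed).

```python
"""Check exact pins in a requirements file against known advisory fix versions.

Added example, not the project's own code. Advisory ids and fix versions are
copied from the PR description; the requirements text is constructed input.
"""
import re
from typing import Dict, List, Tuple

# (package, first fixed version, advisory ids) as stated in the PR.
ADVISORIES: List[Tuple[str, str, Tuple[str, ...]]] = [
    ("yt-dlp", "2026.6.9",
     ("CVE-2026-50019", "CVE-2026-50023", "CVE-2026-50574", "GHSA-69qj-pvh9-c5wg")),
    ("python-multipart", "0.0.32",
     ("CVE-2026-53538", "CVE-2026-53539", "CVE-2026-53540")),
]

# Lower bounds a dependent declares, per the PR: fastapi only requires python-multipart>=0.0.18.
DEPENDENT_CONSTRAINTS: Dict[str, Dict[str, str]] = {"fastapi": {"python-multipart": "0.0.18"}}

# Constructed sample requirements files: the pins before and after this PR.
REQUIREMENTS_BEFORE = """\
fastapi==0.135.1
yt-dlp==2026.2.21
python-multipart==0.0.27
"""
REQUIREMENTS_AFTER = """\
fastapi==0.135.1
yt-dlp==2026.6.9
python-multipart==0.0.32
"""

# Only exact pins (name==version), optional trailing comment.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; every version on this page has that shape.
    Assumption: no pre-release or local suffixes (use packaging.version for those)."""
    return tuple(int(part) for part in v.split("."))


def parse_pins(text: str) -> Dict[str, str]:
    """Return {normalized name: version} for each pinned line; blanks and comments are skipped."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _PIN_RE.match(line)
        if not match:
            raise ValueError(f"unsupported requirement line (only exact pins handled): {line!r}")
        name = match.group(1).lower().replace("_", "-")
        pins[name] = match.group(2)
    return pins


def audit_pins(pins: Dict[str, str]) -> List[str]:
    """Advisory ids still open: the pinned version is below the first fixed version."""
    open_ids: List[str] = []
    for package, fixed_in, ids in ADVISORIES:
        pinned = pins.get(package)
        if pinned is None:
            continue  # package not pinned here; nothing to judge
        if parse_version(pinned) < parse_version(fixed_in):
            open_ids.extend(ids)
    return open_ids


def check_compat(pins: Dict[str, str]) -> List[str]:
    """Violations of a dependent's declared lower bound, e.g. fastapi -> python-multipart>=0.0.18."""
    problems: List[str] = []
    for dependent, bounds in DEPENDENT_CONSTRAINTS.items():
        if dependent not in pins:
            continue
        for dep, lower in bounds.items():
            pinned = pins.get(dep)
            if pinned is not None and parse_version(pinned) < parse_version(lower):
                problems.append(f"{dependent} requires {dep}>={lower}, pinned {pinned}")
    return problems


if __name__ == "__main__":
    for label, text in (("before", REQUIREMENTS_BEFORE), ("after", REQUIREMENTS_AFTER)):
        pins = parse_pins(text)
        print(f"{label}: open advisories={audit_pins(pins)} compat issues={check_compat(pins)}")
```

Run on the constructed "before" file it reports the same seven ids the PR lists and no compatibility issue; on the "after" file both lists are empty, which is the state the PR's local pip-audit run confirms. Keeping the compatibility check beside the advisory check matters: bumping a transitive dependency past a fix is only half the job if a declared lower or upper bound is broken in the process.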
@chatgpt-codex-connector


You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@windoze95 windoze95 merged commit 960eec2 into main Jun 27, 2026
5 checks passed
@windoze95 windoze95 deleted the fix/dep-audit-cves branch June 27, 2026 18:37