Fix Dependabot security alerts #4

Merged: norMNfan merged 1 commit into main from fix/dependabot-security-alerts on Apr 22, 2026
Conversation

@norMNfan (Owner)

Summary

  • Bump Flask 2.3.3 → >=3.1.3 (Vary: Cookie header not set correctly)
  • Bump cryptography 44.0.1 → >=46.0.6 (DNS constraint enforcement + subgroup attack on SECT curves)
  • Bump PyJWT 2.8.0 → >=2.12.0 (accepts unknown crit header extensions)
  • Add pnpm.overrides in frontend/package.json for transitive deps:
    • vite>=6.4.2 (path traversal in optimized deps + arbitrary file read via WebSocket)
    • rollup>=4.59.0 (arbitrary file write via path traversal)
    • yaml>=2.8.3 (stack overflow via deeply nested collections)
    • picomatch>=4.0.4 (ReDoS via extglob quantifiers + method injection)

Test plan

  • Verify backend installs cleanly with updated requirements.txt
  • Verify pnpm install resolves overridden versions in frontend

Note: Flask 2 → 3 is a major version bump. Review Flask 3.x migration guide if the backend uses Flask directly.

🤖 Generated with Claude Code
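The test plan above asks to verify that the backend and frontend actually resolve the bumped versions. The following is an added example, not part of this PR or project: it parses constructed `pip freeze` output and a constructed excerpt of `frontend/pnpm-lock.yaml` package keys, and reports any package still below the minimum versions listed in the summary (the lockfile line format and the sample versions are assumptions for illustration).

```python
"""Report dependencies still below the minimums from the PR summary.

Added example (not project code). The pip freeze output and pnpm-lock
excerpt are constructed samples; only unscoped package names are handled.
"""
import re

# Minimum versions stated in the PR (backend via pip, frontend via pnpm overrides).
MINIMUMS = {
    "pip": {"flask": "3.1.3", "cryptography": "46.0.6", "pyjwt": "2.12.0"},
    "pnpm": {"vite": "6.4.2", "rollup": "4.59.0", "yaml": "2.8.3", "picomatch": "4.0.4"},
}

# Constructed sample: output of `pip freeze` in the backend virtualenv.
PIP_FREEZE = """\
Flask==3.1.3
cryptography==44.0.1
PyJWT==2.12.0
"""

# Constructed sample: package keys from frontend/pnpm-lock.yaml (`/name@version:`).
PNPM_LOCK = """\
  /vite@6.4.2:
  /rollup@4.58.0:
  /yaml@2.8.3:
  /picomatch@4.0.4:
"""

def _ver(s):
    # Numeric dotted-version tuple; pre-release suffixes after '-' are ignored.
    return tuple(int(p) for p in re.findall(r"\d+", s.split("-")[0]))

def parse_pip_freeze(text):
    # pip names are case-insensitive, so normalise to lowercase for lookup.
    pat = r"^([A-Za-z0-9_.-]+)==(\S+)$"
    return {m.group(1).lower(): m.group(2) for m in re.finditer(pat, text, re.M)}

def parse_pnpm_lock(text):
    # Accept both `/name@1.2.3:` (lockfile v6) and `name@1.2.3(...)` style keys.
    pat = r"^\s*/?([A-Za-z0-9_.-]+)@(\d[^:(\s]*)"
    return {m.group(1): m.group(2) for m in re.finditer(pat, text, re.M)}

def unmet(minimums, installed):
    # Map package -> resolved version (None if absent) for every unsatisfied floor.
    return {name: installed.get(name) for name, floor in minimums.items()
            if name not in installed or _ver(installed[name]) < _ver(floor)}

def check_all():
    return {"pip": unmet(MINIMUMS["pip"], parse_pip_freeze(PIP_FREEZE)),
            "pnpm": unmet(MINIMUMS["pnpm"], parse_pnpm_lock(PNPM_LOCK))}

if __name__ == "__main__":
    print(check_all())  # with the samples above: cryptography and rollup still too old
```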

@norMNfan norMNfan force-pushed the fix/dependabot-security-alerts branch 3 times, most recently from 6d663c5 to 9e72d4e on April 22, 2026 12:59
Dependency bumps:
- Flask 2.3.3 → >=3.1.3 (CVE: Vary: Cookie header issue)
- cryptography 44.0.1 → >=46.0.6 (DNS constraint + subgroup attack)
- PyJWT 2.8.0 → >=2.12.0 (accepts unknown crit header extensions)
- vite override >=6.4.2 (path traversal + arbitrary file read)
- rollup override >=4.59.0 (arbitrary file write via path traversal)
- yaml override >=2.8.3 (stack overflow via deeply nested collections)
- picomatch override >=4.0.4 (ReDoS + method injection)

Lint/format fixes:
- Use explicit re-export syntax (X as X) in all __init__.py files (F401)
- Replace wildcard imports with explicit ones in github_actions and aws_actions (F403/F405)
- Remove unused imports in aws_client.py: json, Optional, Lock, logging (F401)
- Remove unused local variables: token in github_tools.py, plan/GITHUB_TOKEN in main.py (F841)
- Remove duplicate StorageClass import in main.py (F811)
- Remove unused Any and Plan imports in schemas.py (F401)
- Apply ruff format (v0.15.11) to all backend files

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@norMNfan norMNfan force-pushed the fix/dependabot-security-alerts branch from 9e72d4e to dbf4cd3 on April 22, 2026 13:01
@norMNfan norMNfan merged commit 2207d32 into main on Apr 22, 2026
1 check passed