Bump dependency versions to fix 13 security vulnerabilities #909

Open

ianhelle wants to merge 4 commits into main from fix/security-dep-bumps
Conversation

@ianhelle ianhelle commented Jun 4, 2026

Contributor

Summary

Bumps minimum versions for 13 packages flagged by Component Governance with known CVEs.

Direct dependencies updated

| Package | Old Min | New Min | Key CVE(s) |
|---|---|---|---|
| azure-core | 1.24.0 | 1.38.0 | CVE-2026-21226 (RCE via deserialization) |
| cryptography | 43.0.1 | 46.0.7 | CVE-2026-26007, CVE-2026-34073, CVE-2026-39892 |
| jinja2 | 3.1.5 | 3.1.6 | CVE-2024-56326, CVE-2024-56201, CVE-2025-27516 |
| lxml | 4.6.5 | 6.1.1 | CVE-2026-41066 (XXE), CVE-2025-7424, CVE-2025-11731 |
| pyjwt | 2.3.0 | 2.13.0 | CVE-2026-32597 + 5 others |
| urllib3 | 1.23 | 2.7.0 | CVE-2025-50181/50182, CVE-2025-66418/66471 |

Transitive dependency floor pins added

| Package | Min Version | Via | Key CVE(s) |
|---|---|---|---|
| aiohttp | 3.14.0 | geoip2 | CVE-2026-34993 (RCE), CVE-2026-47265 |
| h11 | 0.16.0 | httpx | CVE-2025-43859 (request smuggling) |
| idna | 3.15 | various | CVE-2026-45409 (DoS) |
| jaraco.context | 6.1.0 | keyring | CVE-2026-23949 (Zip Slip) |
| Pillow | 12.2.0 | bokeh | CVE-2026-25990 + 4 others |
| tornado | 6.5.5 | bokeh | CVE-2024-52804 + 3 others |
| filelock | 3.20.3 | dev | CVE-2025-68146 (TOCTOU race) |

Files changed


  • equirements.txt\ - core install deps

  • equirements-all.txt\ - all extras deps
  • \conda/conda-reqs.txt\ - conda equivalent
  • \conda/conda-reqs-dev.txt\ - conda dev deps
  • \docs/requirements.txt\ - docs build deps

Supersedes

Address 13 packages flagged by Component Governance with known CVEs:

Direct dependencies:
- azure-core >=1.38.0 (CVE-2026-21226 - RCE via deserialization)
- cryptography >=46.0.7 (CVE-2026-26007, CVE-2026-34073, CVE-2026-39892)
- jinja2 >=3.1.6 (CVE-2024-56326, CVE-2024-56201, CVE-2025-27516)
- lxml >=6.1.1 (CVE-2026-41066 XXE, CVE-2025-7424, CVE-2025-11731)
- pyjwt >=2.13.0 (CVE-2026-32597 + 5 others)
- urllib3 >=2.7.0 (CVE-2025-50181/50182, CVE-2025-66418/66471)

Transitive dependencies (security floor pins):
- aiohttp >=3.14.0 (CVE-2026-34993 RCE, CVE-2026-47265)
- h11 >=0.16.0 (CVE-2025-43859 request smuggling)
- idna >=3.15 (CVE-2026-45409 DoS)
- jaraco.context >=6.1.0 (CVE-2026-23949 Zip Slip)
- Pillow >=12.2.0 (CVE-2026-25990 + 4 others)
- tornado >=6.5.5 (CVE-2024-52804 + 3 others)
- filelock >=3.20.3 (CVE-2025-68146 TOCTOU race)

Supersedes dependabot PRs #905 (cryptography) and #906 (jinja2).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ianhelle force-pushed the fix/security-dep-bumps branch from 933e3b5 to 83afaf3 on June 4, 2026 20:43

Copilot AI left a comment

Contributor

Pull request overview

This PR updates MSTICPy’s pip and conda dependency floors to remediate security vulnerabilities flagged by Component Governance by bumping several direct dependencies and adding minimum pins for vulnerable transitives.

Changes:

  • Bumped minimum versions for key direct dependencies (e.g., azure-core, cryptography, jinja2, lxml, pyjwt, urllib3).
  • Added explicit minimum pins for vulnerable transitive dependencies (e.g., aiohttp, h11, idna, jaraco.context, Pillow, tornado) to prevent backsliding via indirect resolution.
  • Updated docs and conda/dev requirement sets to reflect newer secure baselines.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| requirements.txt | Raises core install dependency floors and adds transitive minimum pins for security fixes. |
| requirements-all.txt | Updates the "all extras" dependency set and adds transitive minimum pins (but currently has inconsistencies). |
| docs/requirements.txt | Adjusts docs build requirements, including security-related bumps (e.g., cryptography, jinja2, httpx). |
| conda/conda-reqs.txt | Mirrors core dependency floor bumps for conda installs and adds transitive minimum pins. |
| conda/conda-reqs-dev.txt | Updates dev-time dependency floors (e.g., aiohttp, filelock) for security remediation. |

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
ianhelle commented Jun 6, 2026

Contributor Author

@copilot resolve the merge conflicts in this pull request

Copilot AI commented Jun 6, 2026

Contributor

> @copilot resolve the merge conflicts in this pull request

Resolved the merge conflicts by merging origin/main and committing the conflict fix in 3c02785.

@FlorianBracq FlorianBracq left a comment

Collaborator

Small inconsistencies in version specifiers for jinja. Apart from that, all good!
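
The check both reviewers are describing, as an added example that is not code from the PR or from MSTICPy: it parses the `>=` floor pins in several requirement files, reports any package floored differently between files (the jinja2 case above) and any pin that sits below the security floors listed in the PR description. The requirement file contents are constructed inline from the values on this page, with jinja2 deliberately floored at 3.1.5 in one file to reproduce the inconsistency; `SECURITY_FLOORS`, `REQ_FILES` and the function names are this example's own.

```python
import re

# Constructed stand-ins for the PR's requirement files (real use: read them from disk).
REQ_FILES = {
    "requirements.txt": "azure-core>=1.38.0\ncryptography>=46.0.7\njinja2>=3.1.6\nlxml>=6.1.1\n",
    "requirements-all.txt": "azure-core>=1.38.0\ncryptography>=46.0.7\njinja2>=3.1.5\nlxml>=6.1.1\nh11>=0.16.0  # CVE-2025-43859\n",
    "conda/conda-reqs.txt": "azure-core>=1.38.0\ncryptography>=46.0.7\njinja2>=3.1.6\nlxml>=6.1.1\n",
}

# Security floors taken from the PR description (package -> minimum version).
SECURITY_FLOORS = {"azure-core": "1.38.0", "cryptography": "46.0.7", "jinja2": "3.1.6", "lxml": "6.1.1", "h11": "0.16.0"}

# Matches only the `pkg>=X.Y.Z` form these files use (optional extras allowed); other specifier shapes are ignored.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*>=\s*([0-9][0-9.]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation so Pillow/pillow and jaraco.context/jaraco-context compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple[int, ...]:
    """Assumes plain dotted numeric versions, which all floors in this PR are."""
    return tuple(int(part) for part in version.split("."))


def parse_floors(text: str) -> dict[str, str]:
    """Return {normalized package: floor} for every `>=` line, ignoring comments and non-matching lines."""
    floors: dict[str, str] = {}
    for line in text.splitlines():
        match = REQ_RE.match(line.split("#", 1)[0])
        if match:
            floors[normalize(match.group(1))] = match.group(2)
    return floors


def find_inconsistencies(files: dict[str, str]) -> dict[str, dict[str, str]]:
    """Packages whose floor differs between files -> {file: floor}."""
    per_pkg: dict[str, dict[str, str]] = {}
    for fname, text in files.items():
        for pkg, floor in parse_floors(text).items():
            per_pkg.setdefault(pkg, {})[fname] = floor
    return {pkg: pins for pkg, pins in per_pkg.items() if len(set(pins.values())) > 1}


def below_security_floor(files: dict[str, str], floors: dict[str, str]) -> list[tuple[str, str, str, str]]:
    """(file, package, pinned floor, required floor) for every pin lower than its security floor."""
    required = {normalize(pkg): ver for pkg, ver in floors.items()}
    findings = []
    for fname, text in files.items():
        for pkg, pinned in parse_floors(text).items():
            if pkg in required and parse_version(pinned) < parse_version(required[pkg]):
                findings.append((fname, pkg, pinned, required[pkg]))
    return findings
```

Running `find_inconsistencies(REQ_FILES)` flags jinja2 across the three files, and `below_security_floor(REQ_FILES, SECURITY_FLOORS)` pinpoints the one file whose pin is too low.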
