fix(security): bump dependencies to clear OSV-Scanner advisories#513
Conversation
Upgrade the pinned versions flagged by OSV-Scanner against uv.lock to their first non-vulnerable releases:

- jupyter-server 2.19.0 -> 2.20.0 (GHSA-fcw5-x6j4-ccmp, critical)
- cryptography 46.0.7 -> 49.0.0 (GHSA-537c-gmf6-5ccf, high)
- bleach 6.1.0 -> 6.4.0 (GHSA-gj48-438w-jh9v, GHSA-8rfp-98v4-mmr6)
- tornado 6.5.6 -> 6.5.7 (GHSA-pw6j-qg29-8w7f)
- jupyterlab 4.5.8 -> 4.6.0 (GHSA-vmhf-c436-hxj4)

All are dev/docs/examples tooling (direct or transitive); no runtime dependency changes. A local OSV-Scanner run against the updated lockfile reports no issues.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01L6duQyAidZHdk7qHv9KTzA
Claude finished @murray-ds's task in 1m 45s (PR Review)
Summary

This is a clean, targeted security fix.

Only Version Bumps — All Confirmed

The diff confirms all five packages from the PR table were updated:

Two Unlisted Transitive Changes

The diff also contains two implicit changes not mentioned in the PR description. They're expected side-effects, but worth documenting:

Note on
Codecov Report: ✅ All modified and coverable lines are covered by tests.
What

Upgrades the pinned versions flagged by OSV-Scanner against uv.lock to their first non-vulnerable releases:

Why

These are the 6 advisories that turned the Security Audit red. All affected packages are dev/docs/examples tooling (direct or transitive) — there are no runtime dependency changes.

jupyterlab stays within the existing >=4.2.5,<5 constraint, so only uv.lock changed.

Verification

A local OSV-Scanner run against the updated lockfile reports No issues found (exit 0).
🤖 Generated with Claude Code