fix(security): bump dependencies to clear OSV-Scanner advisories#513

Merged: mvanwyk merged 1 commit into main from claude/security-bump-vulnerable-deps, Jun 22, 2026

Conversation

@murray-ds (Contributor)

What

Upgrades the pinned versions flagged by OSV-Scanner against uv.lock to their first non-vulnerable releases:

| Package | From | To | Advisory | Severity |
|---|---|---|---|---|
| jupyter-server | 2.19.0 | 2.20.0 | GHSA-fcw5-x6j4-ccmp | Critical (9.3) |
| cryptography | 46.0.7 | 49.0.0 | GHSA-537c-gmf6-5ccf | High (7.5) |
| bleach | 6.1.0 | 6.4.0 | GHSA-gj48-438w-jh9v, GHSA-8rfp-98v4-mmr6 | Moderate |
| tornado | 6.5.6 | 6.5.7 | GHSA-pw6j-qg29-8w7f | Moderate |
| jupyterlab | 4.5.8 | 4.6.0 | GHSA-vmhf-c436-hxj4 | Moderate |

Why

These are the 6 advisories that turned the Security Audit red. All affected packages are dev/docs/examples tooling (direct or transitive) — there are no runtime dependency changes. jupyterlab stays within the existing >=4.2.5,<5 constraint, so only uv.lock changed.

Verification

A local OSV-Scanner run against the updated lockfile reports No issues found (exit 0).

🤖 Generated with Claude Code


Generated by Claude Code

Upgrade the pinned versions flagged by OSV-Scanner against uv.lock to
their first non-vulnerable releases:

- jupyter-server 2.19.0 -> 2.20.0  (GHSA-fcw5-x6j4-ccmp, critical)
- cryptography   46.0.7 -> 49.0.0  (GHSA-537c-gmf6-5ccf, high)
- bleach          6.1.0 -> 6.4.0   (GHSA-gj48-438w-jh9v, GHSA-8rfp-98v4-mmr6)
- tornado         6.5.6 -> 6.5.7   (GHSA-pw6j-qg29-8w7f)
- jupyterlab      4.5.8 -> 4.6.0   (GHSA-vmhf-c436-hxj4)

All are dev/docs/examples tooling (direct or transitive); no runtime
dependency changes. A local OSV-Scanner run against the updated lockfile
reports no issues.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01L6duQyAidZHdk7qHv9KTzA
@claude (Bot) commented Jun 22, 2026

Claude finished @murray-ds's task in 1m 45s


PR Review

  • Gather context
  • Review lockfile changes
  • Check advisory coverage
  • Post review feedback

Summary

This is a clean, targeted security fix. Only uv.lock changed (no pyproject.toml edits), and the lockfile diff looks mechanically correct — proper PyPI URLs, SHA256 hashes, and consistent metadata throughout.

Version Bumps — All Confirmed

The diff confirms all five packages from the PR table were updated:

| Package | From | To | Notes |
|---|---|---|---|
| bleach | 6.1.0 | 6.4.0 | Also drops six (Py2-compat shim) — a bonus cleanup |
| cryptography | 46.0.7 | 49.0.0 | Major version jump; see note below |
| jupyter-server | 2.19.0 | 2.20.0 | Minor bump, clean |
| jupyterlab | 4.5.8 | 4.6.0 | Within existing >=4.2.5,<5 constraint; setuptools dep dropped |
| tornado | 6.5.6 | 6.5.7 | Patch bump, clean |

Two Unlisted Transitive Changes

The diff also contains two implicit changes not mentioned in the PR description. They're expected side-effects, but worth documenting:

  1. pyopenssl 26.0.0 → 26.3.0 — bumped automatically because it depends on cryptography. No new advisories introduced.

  2. jupyter-builder 1.0.2 added — new transitive dependency pulled in by jupyterlab 4.6.0, which swapped setuptools for jupyter-builder. This is a new package in the lockfile; the wheel hash and PyPI source look legitimate.

Note on cryptography 46 → 49

Jumping three major versions is worth a brief callout. The wheel ABI floor shifted from cp38-abi3 to cp39-abi3, and the win32 wheel was dropped in favour of win_amd64 only. For a dev/tooling dependency this is almost certainly fine, but if any contributor still runs Python 3.8 or uses 32-bit Windows they'll see a resolution failure. If the project's minimum supported Python is already ≥ 3.9 (which is typical in 2026), there's no action needed.

No Concerns

  • All URLs resolve to files.pythonhosted.org (official PyPI CDN)
  • SHA256 hashes are present for all sdist and wheel entries
  • No runtime dependencies changed
  • Lockfile structure is well-formed

Verdict: LGTM. The two unlisted transitive changes are expected behaviour and don't introduce risk, but adding a brief mention to the PR description would make the diff fully auditable at a glance.

@codecov (Bot) commented Jun 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
see 1 file with indirect coverage changes

@mvanwyk mvanwyk merged commit 8949183 into main Jun 22, 2026
6 checks passed
@mvanwyk mvanwyk deleted the claude/security-bump-vulnerable-deps branch June 22, 2026 14:33