
chore(deps): Dependabot security updates #3

Merged
mgiovani merged 1 commit into main from security/dependabot-20260421 on Apr 21, 2026

Conversation

@mgiovani (Owner)

Security Advisory Fixes

This PR upgrades packages flagged by Dependabot to patched versions. Only uv.lock was modified — no application code changed.

Advisories Addressed (4/4)

| # | GHSA | CVE | Package | Old Version | New Version | Severity |
|---|------|-----|---------|-------------|-------------|----------|
| 4 | GHSA-3936-cmfr-pm3m | CVE-2026-32274 | black | 25.1.0 | 26.3.1 | high |
| 3 | GHSA-597g-3phw-6986 | CVE-2026-22702 | virtualenv | 20.34.0 | 21.2.4 | medium |
| 2 | GHSA-qmgc-5h2g-mvrw | CVE-2026-22701 | filelock | 3.19.1 | 3.29.0 | medium |
| 1 | GHSA-w853-jp5j-5j7f | CVE-2025-68146 | filelock | 3.19.1 | 3.29.0 | medium |

Advisory Summaries

  • black (high): Arbitrary file writes from unsanitized user input in cache file name
  • virtualenv (medium): TOCTOU Vulnerabilities in Directory Creation
  • filelock (medium, 2 alerts): TOCTOU race condition and symlink attacks during lock file creation

Verification

  • uv lock --upgrade-package <name> applied for each vulnerable package
  • uv sync completed successfully
  • uv lock --check passed

Test Notes

1 pre-existing test failure observed (ModuleNotFoundError: No module named 'skills.inject_docs'). This is unrelated to the dependency upgrades — it exists on main and is a module path configuration issue.

Auto-generated via orchestrated security sweep.

Upgrade vulnerable packages identified by Dependabot:
- black 25.1.0 -> 26.3.1 (GHSA-3936-cmfr-pm3m, CVE-2026-32274, high)
- virtualenv 20.34.0 -> 21.2.4 (GHSA-597g-3phw-6986, CVE-2026-22702, medium)
- filelock 3.19.1 -> 3.29.0 (GHSA-qmgc-5h2g-mvrw CVE-2026-22701, GHSA-w853-jp5j-5j7f CVE-2025-68146, medium)
mgiovani merged commit c3cf4e8 into main on Apr 21, 2026
1 of 3 checks passed
