
fix(deps): bump uv group and fix CI security scan infrastructure#346

Closed
dependabot[bot] wants to merge 5 commits into main from dependabot/uv/orchestrator/uv-fdfea19751

Conversation


@dependabot dependabot Bot commented on behalf of github Mar 26, 2026

Summary

  • Bump nltk 3.9.3 -> 3.9.4 (security fixes including CVE-2026-4539 JSONTaggedDecoder, Python 3.14 support)
  • Bump requests 2.32.5 -> 2.33.0 (CVE-2026-25645 security fix, PEP 517 migration)
  • Add osv-scanner.toml to acknowledge unfixable CVEs (pygments ReDoS, nltk recursion)
  • Update CI gate to use reusable workflow feature branch with ignore-vulns and config inputs

CI Infrastructure Changes

The security scanning jobs (pip-audit, OSV scanner) added in PR #341 were blocking all Python-touching PRs due to pre-existing vulnerabilities with no upstream fix. This PR adds:

  1. osv-scanner.toml — acknowledges GHSA-5239-wwwm-4pmq (pygments), GHSA-jm6w-m3j8-898g and GHSA-rf74-v2fm-23pw (nltk) as unfixable
  2. CI gate references JacobPEvans/.github#139 feature branch for ignore-vulns and config inputs
  3. TODO after merge: merge .github PR #139 ("fix: set cleanupPeriodDays to 30 (upstream default)"), then revert ci-gate.yml refs from @fix/pip-audit-ignore-vulns to @main

Test plan

@dependabot dependabot Bot added the `dependencies` and `python:uv` (Pull requests that update python:uv code) labels Mar 26, 2026

dependabot Bot commented on behalf of github Mar 26, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@JacobPEvans JacobPEvans reopened this Mar 26, 2026
Bumps the uv group with 2 updates in the /orchestrator directory: [nltk](https://github.com/nltk/nltk) and [requests](https://github.com/psf/requests).


Updates `nltk` from 3.9.3 to 3.9.4
- [Changelog](https://github.com/nltk/nltk/blob/develop/ChangeLog)
- [Commits](nltk/nltk@3.9.3...3.9.4)

Updates `requests` from 2.32.5 to 2.33.0
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.5...v2.33.0)

---
updated-dependencies:
- dependency-name: nltk
  dependency-version: 3.9.4
  dependency-type: indirect
  dependency-group: uv
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: indirect
  dependency-group: uv
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/uv/orchestrator/uv-fdfea19751 branch from e8a9e7a to 6147ad3 on March 26, 2026 14:51
Add osv-scanner.toml to acknowledge CVEs with no upstream fix:
- GHSA-5239-wwwm-4pmq (pygments ReDoS, CVE-2026-4539)
- GHSA-jm6w-m3j8-898g (nltk unbounded recursion)
- GHSA-rf74-v2fm-23pw (nltk unbounded recursion)

Update ci-gate.yml to pass ignore-vulns and config to reusable
workflows from JacobPEvans/.github feature branch.

(claude)
@JacobPEvans JacobPEvans changed the title from `chore(deps): bump the uv group across 1 directory with 2 updates` to `fix(deps): bump uv group and fix CI security scan infrastructure` Mar 26, 2026
…rator/uv-fdfea19751

Resolve osv-scanner.toml add/add conflict by keeping main's version
with ignoreUntil dates.

(claude)
@JacobPEvans JacobPEvans (Owner) commented:

Closing — ci-gate.yml points at deleted .github feature branch. Stale after .github #137, #140, #143 all merged to main.

@JacobPEvans JacobPEvans deleted the dependabot/uv/orchestrator/uv-fdfea19751 branch March 29, 2026 17:04

dependabot Bot commented on behalf of github Mar 29, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml
