This repository was archived by the owner on Mar 30, 2026. It is now read-only.

fix: mixed lockfile strategy, strict bandit validation, B303 to B324,… #7

Merged: lhoupert merged 4 commits into main from chore--add-debug-option-for-falling-tests on Mar 29, 2026

Conversation

@lhoupert (Owner):

… B404

@github-actions (Contributor) commented Mar 28, 2026

Security Audit Report

View workflow run

Bandit — Static Security Analysis (Security tab)

2 issue(s) found: 1 high, 1 low

| Severity | Confidence | File | Line | Issue |
|---|---|---|---|---|
| 🔴 HIGH | HIGH | 08-poetry-src-both/src/auth.py | 8 | [B324] Use of weak MD5 hash for security. Consider usedforsecurity=False |

1 low issue(s) below threshold not shown in table.

pip-audit — Dependency Vulnerabilities (Security tab)

| Package | Version | ID | Fix Versions | Description |
|---|---|---|---|---|
| cryptography | 38.0.0 | PYSEC-2023-11 | 39.0.1 | Previously, Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immut |
| cryptography | 38.0.0 | PYSEC-2023-254 | 41.0.6 | ### Summary Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer derefer |
| cryptography | 38.0.0 | PYSEC-2023-254 | 41.0.6 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pe |
| cryptography | 38.0.0 | PYSEC-2024-225 | 42.0.4 | If pkcs12.serialize_key_and_certificates is called with both: 1. A certificate whose public key did not match the pro |
| cryptography | 38.0.0 | PYSEC-2024-225 | 42.0.4 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in vers |
| cryptography | 38.0.0 | PYSEC-2023-11 | 39.0.1 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected vers |
| cryptography | 38.0.0 | GHSA-39hc-v87j-747x | 38.0.3 | pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography |
| cryptography | 38.0.0 | CVE-2023-0286 | 39.0.1 | pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography |
| cryptography | 38.0.0 | GHSA-5cpq-8wj7-hf2v | 41.0.0 | pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography |
| cryptography | 38.0.0 | GHSA-jm77-qphf-c4w8 | 41.0.3 | pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography |
| cryptography | 38.0.0 | CVE-2023-50782 | 42.0.0 | A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages |
| cryptography | 38.0.0 | GHSA-v8gr-m533-ghj9 | 41.0.4 | pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography |
| cryptography | 38.0.0 | CVE-2024-0727 | 42.0.2 | Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of |
| cryptography | 38.0.0 | GHSA-h4gh-qq45-vh27 | 43.0.1 | pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography |
| cryptography | 38.0.0 | CVE-2026-26007 | 46.0.5 | ## Vulnerability Summary The public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), `EllipticCurvePu |
| cryptography | 38.0.0 | CVE-2026-34073 | 46.0.6 | ## Summary In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within ch |
| idna | 2.10 | PYSEC-2024-60 | 3.7 | ### Impact A specially crafted argument to the idna.encode() function could consume significant resources. This may le |
| idna | 2.10 | PYSEC-2024-60 | 3.7 | A vulnerability was identified in the kjd/idna library, specifically within the idna.encode() function, affecting vers |
| requests | 2.25.0 | PYSEC-2023-74 | 2.31.0 | ### Impact Since Requests v2.3.0, Requests has been vulnerable to potentially leaking Proxy-Authorization headers to |
| requests | 2.25.0 | PYSEC-2023-74 | 2.31.0 | Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to destination s |
| requests | 2.25.0 | CVE-2024-35195 | 2.32.0 | When using a requests.Session, if the first request to a given origin is made with verify=False, TLS certificate ver |
| requests | 2.25.0 | CVE-2024-47081 | 2.32.4 | ### Impact Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties f |
| requests | 2.25.0 | CVE-2026-25645 | 2.33.0 | ### Impact The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting file |
| urllib3 | 1.26.20 | CVE-2025-50181 | 2.5.0 | urllib3 handles redirects and retries using the same mechanism, which is controlled by the Retry object. The most comm |
| urllib3 | 1.26.20 | CVE-2025-66418 | 2.6.0 | ## Impact urllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., `Content- |
| urllib3 | 1.26.20 | CVE-2025-66471 | 2.6.0 | ### Impact urllib3's streaming API is |
| urllib3 | 1.26.20 | CVE-2026-21441 | 2.6.3 | ### Impact urllib3's streaming API is |

27 vulnerabilities found (27 fixable) across 4 packages.


Result: ❌ Blocking issues found — see details above.

@github-actions (Contributor):
Security Audit Report

View workflow run

Bandit — Static Security Analysis (Security tab)

2 issue(s) found: 1 high, 1 low

| Severity | Confidence | File | Line | Issue |
|---|---|---|---|---|
| 🔴 HIGH | HIGH | 12-uv-flat-bandit-only/app.py | 5 | [B602] subprocess call with shell=True identified, security issue. |

1 low issue(s) below threshold not shown in table.


Result: ❌ Blocking issues found — see details above.

@github-actions (Contributor) commented Mar 28, 2026

✅ All test workflows behaved as expected

14 passed, 0 failed

| Test Name | Expected | Actual | Bandit | pip-audit | Result |
|---|---|---|---|---|---|
| 01 requirements · flat · clean | success | success | | | |
| 02 requirements · src/ · bandit HIGH | failure | failure | B105, B404, B602 | | |
| 03 requirements · src/+scripts/ · bandit HIGH + pip-audit | failure | failure | B105, B404, B602 | cryptography, idna, requests, urllib3 | |
| 04 uv · flat · clean | success | success | | | |
| 05 uv · src/ · pip-audit vuln | failure | failure | | idna, requests, urllib3 | |
| 06 uv · src/+scripts/ · bandit MEDIUM | failure | failure | B324, B506 | | |
| 07 poetry · flat · clean | success | success | | | |
| 08 poetry · src/ · bandit MEDIUM + pip-audit | failure | failure | B105, B324 | cryptography, idna, requests, urllib3 | |
| 09 pipenv · flat · clean | success | success | | | |
| 10 pipenv · src/+scripts/ · bandit HIGH | failure | failure | B404, B602 | | |
| 11 requirements · flat · clean (root working dir) | success | success | | | |
| 12 uv · flat · bandit-only (no pip-audit) | failure | failure | B404, B602 | disabled | |
| 13 requirements · flat · unfixable vulns (should pass) | success | success | | pygments | |
| 14 uv · flat · low threshold (B101 assert) | failure | failure | B101 | disabled | |

lhoupert merged commit eaf0f2a into main on Mar 29, 2026 (12 of 20 checks passed).