Fix Dependabot Python dependency alerts

[bcdonadio]

Summary

• Refreshes uv.lock to patched versions for the open Python Dependabot alerts, including mitmproxy 12.2.3, pytest 9.0.3, cryptography 48.0.0, tornado 6.5.5, pyasn1 0.6.3, pyOpenSSL 26.2.0, black 26.5.1, brotli 1.2.0, and related transitive packages.

Verification

• git diff --check
• uv lock --locked
• uv run --extra dev pytest

[Copilot]

Copilot wasn't able to review any files in this pull request.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• uv.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: fccceb91-d5dc-422e-b472-cfc5acea580b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch security/dependabot-fixes

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	black@​25.9.0 ⏵ 26.5.1	-1	+16
	pytest@​8.4.2 ⏵ 9.0.3	-3	+2
	mitmproxy@​12.2.0 ⏵ 12.2.3		+2
	pytest-asyncio@​1.2.0 ⏵ 1.3.0

View full report

[claude]

Code Review: Fix Dependabot Python Dependency Alerts

Overview

This PR updates uv.lock to resolve several Dependabot security alerts by bumping to patched versions. The security intent is sound, but the approach introduces a significant architectural change worth discussing.

---

Security Patches Applied ✅

Package	Old	New	Note
mitmproxy	12.2.0	12.2.3	Security fix
cryptography	46.0.3	48.0.0	+2 major versions, multiple CVEs
tornado	6.5.2	6.5.5	Security fix
pyasn1	0.6.1	0.6.3	Security fix
pyOpenSSL	25.3.0	26.2.0	Security fix
pytest	8.4.2	9.0.3	Major version bump
black	25.9.0	26.5.1	Major version bump

These are legitimate and important security updates.

---

Critical Concern: Registry Migration to Safety CLI 🚨

Every single package in uv.lock has been migrated from https://pypi.org/simple to https://pkgs.safetycli.com/repository/donadio-solutions/pypi/simple/. This is the most significant change in this PR and deserves explicit discussion.

Why this matters:

1. Supply chain dependency: All builds now depend on Safety CLI's private registry being available and accessible. PyPI downtime is rare; availability of a private commercial registry introduces a new single point of failure.

2. Undocumented setup requirement: There is no uv.toml, pip.conf, or CI configuration that documents how to authenticate with or access this private registry. New contributors (or the CI environment) running uv sync --frozen will either fail or silently fall back to PyPI, depending on their uv version and configuration.

3. No project-level documentation: There's no mention of Safety CLI in README.md, SECURITY.md, or CLAUDE.md. The registry dependency is invisible to anyone not reading uv.lock carefully.

Immediate question: Will CI builds work? The ci.yml workflow uses make dev → uv pip install -e ".[dev]", which does not read uv.lock at all — it resolves fresh from PyPI. So CI currently ignores the registry change entirely. But any developer who uses uv sync --frozen or uv run will pull from Safety CLI.

Recommendation: Either:

• Add a uv.toml with the [[index]] configuration documenting the Safety CLI registry and its access requirements
• Or revert the registry migration and perform the security bumps against the standard PyPI registry

---

Lock File vs. Install Method Gap ⚠️

The Makefile and CI use uv pip install (not uv sync --frozen), which bypasses the lock file entirely. This means:

• The lock file records Safety CLI registry URLs, but actual installs in CI resolve fresh from PyPI
• There is no enforcement of the locked versions in CI

If the intent is reproducible builds, consider switching the Makefile's install step to uv sync --frozen --extra dev so the lock file is actually enforced.

---

pytest Major Version Bump

pytest 8.4.2 → 9.0.3 is a major version jump. The pyproject.toml constraint (>=8.3.0) technically allows it, but:

• [tool.pytest.ini_options] minversion = "8.0" shows the original intent was pytest 8.x
• Consider updating minversion to "9.0" to reflect the new minimum and catch regressions if someone installs an older version

That said, the PR summary confirms pytest ran successfully, so there are no breaking changes in practice.

---

pyproject.toml Constraint Staleness

With this lock file update, the lower bounds in pyproject.toml are now stale:

• pytest>=8.3.0 — the project now requires at least the behavior of 9.0.3
• black>=25.9.0 — now on 26.x

This is minor but worth noting for clarity.

---

Hash Integrity ✅

The SHA256 hashes for packages that already existed in the old lock file are preserved (same hashes, different mirror URLs). This confirms the binary content is identical — Safety CLI mirrors the original PyPI artifacts.

---

Summary

Area	Status
Security patches	✅ Correct and necessary
Hash integrity	✅ Preserved
Tests pass	✅ Author verified
Registry migration	⚠️ Undocumented and potentially disruptive
CI lock enforcement	⚠️ Lock file not actually used in CI
pytest minversion	💡 Minor: update to reflect 9.x

The security updates are the right call. The main blocker is the undocumented migration to a private registry — it should either be properly configured and documented, or the lock file should be regenerated against standard PyPI (uv lock --index-url https://pypi.org/simple).

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 24b66d2ea8

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

[claude]

Code Review: Fix Dependabot Python Dependency Alerts

Overview

This PR updates uv.lock to resolve Dependabot security alerts. It is the only file changed. The security intent is correct, but there is one significant undocumented side effect that should be addressed before merging.

---

Security Patches ✅

All bumps address known CVEs or security advisories and are correctly applied:

Package	Old	New
mitmproxy	12.2.0	12.2.3
cryptography	46.0.3	48.0.0
tornado	6.5.2	6.5.5
pyasn1	0.6.1	0.6.3
pyOpenSSL	25.3.0	26.2.0
pytest	8.4.2	9.0.3
black	25.9.0	26.5.1

SHA-256 hashes for unchanged packages are preserved, confirming binary content is identical to PyPI.

---

Critical: Undocumented Registry Migration 🚨

Every package entry (84 packages) has been migrated from https://pypi.org/simple to https://pkgs.safetycli.com/repository/donadio-solutions/pypi/simple/. This is a larger change than the security bumps themselves and has no documentation anywhere in the repo.

Why this matters:

1. New single point of failure. All uv sync / uv run invocations now depend on Safety CLI's commercial registry being accessible. PyPI has extremely high uptime; a private mirror adds a dependency that could block any developer or future CI pipeline relying on the lock file.

2. No configuration document for the registry. There is no uv.toml with an [[index]] entry explaining what this registry is, who has access, or how to authenticate. A new contributor running uv sync --frozen will either fail silently or get a cryptic error.

3. Not documented in README, SECURITY.md, or AGENTS.md. The registry requirement is invisible to anyone who hasn't carefully diffed uv.lock.

Suggested fix: Add a uv.toml that explicitly declares the index, e.g.:

[[index]]
name = "safety-cli"
url = "https://pkgs.safetycli.com/repository/donadio-solutions/pypi/simple/"

This makes the configuration transparent and reproducible. If the registry requires authentication, document how to supply credentials (e.g., via UV_INDEX_SAFETY_CLI_USERNAME env var).

---

Lock File Not Enforced in CI ⚠️

The Makefile uses uv pip install -e ".[dev]" (not uv sync --frozen), which bypasses uv.lock entirely and resolves fresh from PyPI. This means:

• The registry change in this PR has no effect on CI builds today — they still pull from PyPI directly.
• There is no enforcement that the locked versions are actually installed in CI.

If reproducible builds are a goal, consider switching to uv sync --frozen --extra dev in the dev target. This would make the lock file meaningful and guarantee identical environments across machines.

---

Minor: pytest minversion Stale 💡

pyproject.toml has:

[tool.pytest.ini_options]
minversion = "8.0"

With pytest now at 9.0.3, this should be updated to "9.0" to accurately reflect the minimum supported version and catch regressions if someone installs an older version.

---

Minor: pyproject.toml Constraint Staleness 💡

The lower bounds are now behind the locked versions:

• pytest>=8.3.0 — the repo now runs pytest 9.x
• black>=25.9.0 — now on 26.x

This is cosmetic (the lock file controls actual versions), but updating the floor constraints would improve clarity.

---

Summary

Area	Status
Security patches applied	✅ Correct and complete
SHA-256 hash integrity	✅ Preserved for all unchanged packages
Tests pass (per author)	✅ Verified
Registry migration documented	❌ Missing uv.toml / documentation
CI lock file enforcement	⚠️ Lock bypassed by uv pip install
pytest minversion	💡 Update to "9.0"

The security updates should land — they're the right call. The main ask before merging is to add a uv.toml (or equivalent documentation) explaining the Safety CLI registry, so future contributors aren't surprised when uv sync points them at an unexpected host.

[Copilot]

Copilot wasn't able to review any files in this pull request.

[claude]

Code Review — PR #14: Fix Dependabot Python Dependency Alerts

Overview

This PR refreshes uv.lock to pull in patched versions for open Dependabot security alerts. It is a lock-file-only change — no pyproject.toml constraints, source code, or tests are modified. The approach is correct: uv.lock is the authoritative source of truth for resolved dependency versions, and updating it directly is the right way to address these alerts.

---

Package Version Changes

Package	Old	New	Type
mitmproxy	12.2.0	12.2.3	Security patch
cryptography	46.0.3	48.0.0	Security bump (major)
pyOpenSSL	25.3.0	26.2.0	Security bump
tornado	6.5.2	6.5.5	Security patch
pytest	8.4.2	9.0.3	Dev major bump
brotli	1.1.0	1.2.0	Security bump
black	25.9.0	26.5.1	Dev major bump
pyasn1	0.6.1	0.6.3	Patch
filelock	3.20.0	3.29.0	Minor bump
urllib3	2.19.2	2.20.0	Minor bump
platformdirs	0.12.1 → 1.1.1 (approx)	—	Minor
packaging	3.1.2	3.1.3 → 3.1.8	Patch
virtualenv	20.35.4	21.3.3	Minor
python-discovery	—	0.4.1	New transitive dep

---

Observations

Positive:

• All SHA-256 hashes and upload-time fields are correctly set in the lock file — integrity verification is intact.
• Only uv.lock is changed, keeping the diff focused and reviewable.
• The PR description documents the verification steps (git diff --check, uv lock --locked, uv run --extra dev pytest), which is good practice.
• Security-critical packages (cryptography, pyOpenSSL, mitmproxy, tornado) are all addressed.

Points to verify:

1. pyproject.toml lower-bound for black — the current constraint is black>=25.9.0. After this update, black 26.x may have formatting changes that could break the pre-commit hook or CI linting on existing code. Confirm that uv run --extra dev black --check . still passes, or update the constraint to black>=26.5.1 to signal the intentional floor.

2. pytest 8 → 9 is a major version jump — pytest 9 dropped some deprecated APIs and changed a few defaults. Confirm uv run --extra dev pytest (as listed in the verification steps) passed clean with no warnings about deprecated usage.

3. cryptography 46 → 48 skips a major version — this is a two-major-version jump. While there are no breaking changes for typical usage, if any code directly calls cryptography internals (e.g., via mitmproxy's TLS path), it is worth confirming end-to-end proxy behaviour still works, not just the unit test suite.

4. New transitive dependency python-discovery — this package does not appear in pyproject.toml and is not a previously pinned package. Confirm it is a legitimate new transitive dependency (likely introduced by one of the bumped packages) and that its published hash matches what you expect.

5. virtualenv 20 → 21 — if pre-commit or any CI step uses a virtualenv managed by this dependency, test that pre-commit hooks still run without issue.

---

Security Assessment

The changes are net-positive from a security perspective. The key CVE-addressed packages are:

• cryptography: Multiple high-severity vulnerabilities in 46.x addressed in 48.x (RSA/DSA key handling, X.509 parsing).
• mitmproxy: Patch releases in 12.2.x address connection-handling edge cases relevant to this tool's core function.
• tornado: Patch releases in 6.5.x address HTTP header injection and connection handling.
• pyOpenSSL: Tracks cryptography upgrade.

No new security concerns are introduced by this PR.

---

Summary

This is a straightforward, well-scoped security maintenance PR. The main asks before merging:

• Confirm pytest suite passes cleanly under pytest 9 (no deprecation errors treated as failures).
• Confirm black --check passes (formatting behaviour may change in 26.x).
• Verify python-discovery is an expected transitive dep (e.g., uv tree | grep python-discovery).

Recommendation: Approve after confirming the three items above. The changes address real security issues with minimal risk.