Skip to content

fix(deps): bump vulnerable transitive deps to patched versions#38

Merged
leesaenz merged 1 commit into
mainfrom
security/dependabot-bumps
Jun 21, 2026
Merged

fix(deps): bump vulnerable transitive deps to patched versions#38
leesaenz merged 1 commit into
mainfrom
security/dependabot-bumps

Conversation

@leesaenz

Copy link
Copy Markdown
Collaborator

Resolves 11 of 12 open Dependabot alerts. All are transitive deps pulled through fastmcp → mcp / authlib, bumped via uv lock (only uv.lock changed):

Package Was → Now Alerts
cryptography 47.0.0 → 49.0.0 #20 (high)
starlette 1.2.1 → 1.3.1 #22 (high), #21 (low)
msgpack 1.1.2 → 1.2.1 #23 (high)
pyjwt 2.12.1 → 2.13.0 #14#18 (5 alerts)
pydantic-settings 2.14.0 → 2.14.2 #24 (medium)
python-multipart 0.0.30 → 0.0.32 #19 (low)

Not fixed: torch (#13, low) — no patched release exists upstream; optional separation extra only.

Verification: 969 passed / 44 skipped (identical to pre-bump baseline), ruff check + format clean, server/CLI import smoke clean.

🤖 Generated with Claude Code

Resolves 11 of 12 open Dependabot alerts. All are transitive deps
pulled through fastmcp -> mcp / authlib, bumped via `uv lock`:

  cryptography      47.0.0 -> 49.0.0   (GHSA-537c-gmf6-5ccf, high)
  starlette          1.2.1 -> 1.3.1    (GHSA-82w8-qh3p-5jfq high, -jp82-jpqv-5vv3 low)
  msgpack            1.1.2 -> 1.2.1     (GHSA-6v7p-g79w-8964, high)
  pyjwt             2.12.1 -> 2.13.0    (GHSA-xgmm/-993g/-w7vc/-jq35/-fhv5, 5 alerts)
  pydantic-settings 2.14.0 -> 2.14.2    (GHSA-4xgf-cpjx-pc3j, medium)
  python-multipart  0.0.30 -> 0.0.32    (GHSA-v9pg-7xvm-68hf, low)

torch (GHSA-rrmf-rvhw-rf47, #13) has no patched release; left as-is.
Optional separation extra only.

Verified: 969 passed / 44 skipped (identical to pre-bump baseline),
ruff check + format clean, server/CLI import smoke clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Am9C7U1w5BUopWWw1LFH5u
@leesaenz leesaenz merged commit c3ef978 into main Jun 21, 2026
11 checks passed
@leesaenz leesaenz deleted the security/dependabot-bumps branch June 21, 2026 22:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant