Summary
vanna>=2.0.2 in autobot-backend/requirements.txt has an open CVE with no patched version available upstream (Dependabot alert #298, dismissed 2026-04-04 as tolerable_risk).
Context
Vanna.ai is used for natural-language-to-SQL generation (see Issue #723). The vulnerable version range covers every published release as of 2026-04-04, so there is currently no version to pin to.
Action
- Monitor the vanna PyPI release page for a patched release
- When a fix is published: bump the pin to vanna>=<patched_version> in autobot-backend/requirements.txt and reopen/close this issue
- If no fix is published within 90 days, evaluate whether to replace or remove the vanna dependency
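The monitor-and-bump steps above, as an added example for this issue (not autobot-backend project code): a script that reads the vanna floor from requirements.txt, compares it against the release list in PyPI's JSON API document for the package, ignores pre-releases and yanked releases, and rewrites the pin. The requirements text and release data in the block are constructed for offline use and are not real; a release newer than the floor is only a candidate, and the patched version must still be confirmed against the advisory before the pin is changed. fetch_pypi_json is the only part that touches the network and the demo does not call it.

```python
import json
import re
import urllib.request

NAME = "vanna"
REQUIREMENTS_PATH = "autobot-backend/requirements.txt"

# Matches a minimal 'name>=X.Y.Z' floor pin; other specifier forms are not handled.
FLOOR_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)\s*>=\s*(?P<ver>[0-9][0-9.]*)$")


def parse_version(ver):
    """'2.0.2' -> (2, 0, 2). Returns None for anything that is not a plain
    final release (rc/dev/post suffixes), so those are never auto-selected."""
    if not re.fullmatch(r"[0-9]+(\.[0-9]+)*", ver):
        return None
    return tuple(int(p) for p in ver.split("."))


def pinned_floor(requirements_text, name):
    """Return the '>=' version for `name` from requirements.txt text, or None."""
    for line in requirements_text.splitlines():
        m = FLOOR_RE.match(line.strip())
        if m and m.group("name").lower() == name.lower():
            return m.group("ver")
    return None


def newer_final_releases(pypi_json, floor):
    """Versions in a PyPI /pypi/<name>/json document that are final releases,
    not fully yanked, and strictly newer than `floor`, oldest first."""
    floor_t = parse_version(floor)
    found = []
    for ver, files in pypi_json.get("releases", {}).items():
        ver_t = parse_version(ver)
        if ver_t is None or not files:
            continue  # pre-release, or a release with no files
        if all(f.get("yanked", False) for f in files):
            continue  # fully yanked releases are not installed by default
        if ver_t > floor_t:
            found.append(ver)
    return sorted(found, key=parse_version)


def bump_floor(requirements_text, name, new_floor):
    """Rewrite the 'name>=old' line to 'name>=new_floor', leaving other lines alone."""
    out = []
    for line in requirements_text.splitlines():
        m = FLOOR_RE.match(line.strip())
        if m and m.group("name").lower() == name.lower():
            line = f"{m.group('name')}>={new_floor}"
        out.append(line)
    return "\n".join(out) + "\n"


def fetch_pypi_json(name):
    """Live lookup against PyPI's JSON API (network; not used by the demo below)."""
    with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10) as resp:
        return json.load(resp)


# Constructed sample inputs for offline demonstration; not real project or PyPI data.
SAMPLE_REQUIREMENTS = "fastapi>=0.100\nvanna>=2.0.2\n"
SAMPLE_PYPI = {
    "releases": {
        "2.0.1": [{"yanked": False}],
        "2.0.2": [{"yanked": False}],
        "2.1.0rc1": [{"yanked": False}],  # pre-release: ignored
        "2.1.0": [{"yanked": True}],      # yanked: ignored
        "2.2.0": [{"yanked": False}],     # newer final release: candidate only
    }
}

if __name__ == "__main__":
    floor = pinned_floor(SAMPLE_REQUIREMENTS, NAME)
    candidates = newer_final_releases(SAMPLE_PYPI, floor)
    print(f"{NAME} floor is {floor}; newer final releases: {candidates or 'none'}")
    if candidates:
        # Confirm from the advisory that the candidate contains the fix before writing this back.
        print(bump_floor(SAMPLE_REQUIREMENTS, NAME, candidates[-1]), end="")
```

To use it against the real file, read REQUIREMENTS_PATH instead of SAMPLE_REQUIREMENTS and pass fetch_pypi_json(NAME) to newer_final_releases; the script deliberately does not write the file itself, since the newest release is not necessarily the one that closes the CVE.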
References