fix(deps): remediate known dependency vulnerabilities and document residual (#41)
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e29cd20f5f
| pip install -e ".[server]" | ||
| python -m pip_audit |
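Review bot: The no-argument python -m pip_audit on the second line audits the whole runner environment rather than only what the preceding pip install -e ".[server]" put there, and pip-audit itself has to be installed into that same environment for this invocation to run, so an advisory against pip-audit or one of its runner-only dependencies fails the gate while the shipped aegis-memory[server] set is still clean. Give pip-audit an explicit input scoped to the shipped surface, or keep pip-audit's own install out of the environment being audited, so the gate enforces exactly the surface it claims to.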
Audit only the shipped dependency set
When a CVE is reported in pip-audit itself or one of its runner-only dependencies, this no-argument python -m pip_audit will fail the job even though aegis-memory[server] is still clean. The pip-audit CLI documents the no-input form as auditing the current Python environment, and this workflow installs pip-audit into that same environment just before this step, so the new blocking gate is broader than the shipped dependency surface it claims to enforce.
* fix(ci): scope pip-audit to shipped deps (server/requirements.txt)

  Addresses Codex review on PR #41: the no-argument pip_audit audited the entire runner environment, including pip-audit's own dependencies, broader than the shipped dependency surface the gate claims to enforce.

* fix(ci): audit installed shipped surface via isolated pip-audit

  Addresses second Codex review on PR #42: -r server/requirements.txt skipped pyproject deps (typer, rich, pyyaml, textual, mcp, alembic). pipx run pip-audit audits the installed .[server] environment (pyproject core + extra + requirements) while keeping pip-audit's own deps isolated. Confirmed clean locally.

---------

Co-authored-by: arulnidhii <arul.archives@gmail.com>
Remediates dependency vulnerabilities flagged by OpenSSF Scorecard. The shipped library (server/requirements.txt + pyproject) audits clean: zero shipped vulnerabilities. Benchmark dev-only deps bumped: python-dotenv, sentencepiece, and transformers floored to >=4.53.0,<5 (the maximum compatible with llm-guard 0.3.15). The residual 9 advisories require transformers 5.x, which breaks llm-guard; documented as an accepted benchmark-only risk in docs/security/vuln-triage.md. Adds a shipped-only pip-audit CI gate.