deps(security): sync uv.lock with bumped cryptography/python-multipart floors (#2635, #2651)#2725
Open
r266-tech wants to merge 1 commit into
Conversation
…t floors The merged volcengine#2635 (cryptography >=48.0.1, GHSA-537c-gmf6-5ccf HIGH) and volcengine#2651 (python-multipart >=0.0.31, GHSA-5rvq-cxj2-64vf HIGH) raised the floors in pyproject.toml, but the committed root uv.lock still pinned cryptography 46.0.5 and python-multipart 0.0.27. So `uv lock --check` failed on main, and `uv sync` / Docker `uv sync --locked` kept resolving the known-vulnerable versions, leaving the security scanners/Dependabot alerts open. Regenerate the lock (`uv lock --upgrade-package cryptography --upgrade-package python-multipart`): - cryptography 46.0.5 -> 49.0.0 (satisfies >=48.0.1) - python-multipart 0.0.27 -> 0.0.32 (satisfies >=0.0.31) - embedded root requires-dist specifiers raised to match pyproject The regeneration also drops 6 stale greenlet 3.3.2 s390x wheel entries that current uv no longer locks for this resolution (leftovers from an older lock); greenlet's version is unchanged and its sdist remains. `uv lock --check` passes.
PR Code Suggestions ✨No code suggestions found for the PR. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The merged security floor bumps left the committed root
uv.lockout of sync, sothe canonical lock still resolves the known-vulnerable versions.
Problem
cryptographyto>=48.0.1(GHSA-537c-gmf6-5ccf, HIGH)python-multipartto>=0.0.31(GHSA-5rvq-cxj2-64vf, HIGH)pyproject.tomlon main carries both floors, but the committeduv.lockstillpinned
cryptography 46.0.5andpython-multipart 0.0.27. As a resultuv lock --checkfails onmain, anduv sync/ Dockeruv sync --lockedkeep installing the vulnerable versions — the floor bumps don't actually take
effect for locked installs, and dependency scanners still flag the lock.
Fix
Regenerated with
uv lock --upgrade-package cryptography --upgrade-package python-multipart:cryptography46.0.5 → 49.0.0 (satisfies>=48.0.1)python-multipart0.0.27 → 0.0.32 (satisfies>=0.0.31)requires-distspecifiers raised to matchpyproject.tomluv lock --checknow passes (regenerated with uv 0.11.22, matching CI'sastral-sh/setup-uv@v7).Note on the greenlet lines
The regeneration also drops 6 stale
greenlet3.3.2s390xwheel entries thatcurrent uv no longer locks for this resolution (leftovers from a lock generated
by an older uv). greenlet's version is unchanged, its sdist remains, and s390x
coverage for the other ~50 packages is untouched — this is the same kind of
lock-hygiene cleanup as #2242, and is required for
uv lock --checkto pass oncurrent uv.
Same family as the previously-merged #2242 (“remove stale critical dependency
locks”); complements the already-merged #2635/#2651.