fix(FFESUPPORT-725): address Dependabot vulnerabilities #17
Resolves all 8 open Dependabot alerts (3 high, 4 medium, 1 low) in this deprecated repository.
- pyproject.toml: bump pytest dev constraint ^7.4 -> ^8.4 to pull in 8.3.4+ which patches GHSA-6w46-j5rx-g56g (tmpdir handling).
- poetry update: refresh poetry.lock so transitive deps pick up patched versions:
  urllib3 -> 2.6.3 (GHSA-qccp-gfcp-xxvc, GHSA-mf9v-mfxr-j63j)
  deepdiff -> 8.6.2 (GHSA-54jj-px8x-5w5q)
  requests -> 2.32.5 (GHSA-gc5v-m9x4-r6x2)
  idna -> 3.16 (GHSA-65pc-fj4g-8rjx)
  dbt-common -> 1.34.2 (GHSA-w75w-9qv4-j5xj)
  sqlparse -> 0.5.4 (GHSA-27jp-wm6q-gp25)
  pytest -> 8.4.2 (GHSA-6w46-j5rx-g56g)
- 22/22 tests still pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
| [tool.poetry.group.dev.dependencies] | ||
| pytest = "^7.4" # For running tests | ||
| pytest = "^8.4" # For running tests; >=8.3.4 patches GHSA-6w46-j5rx-g56g |
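Review bot: the constraint and the comment on this line disagree slightly: `^8.4` requires >=8.4.0,<9, while the comment cites 8.3.4 as the advisory's fix floor. Harmless, but `^8.3.4` would express the actual minimum if a narrower bump is ever wanted, and either way poetry.lock must be regenerated in the same change so that `poetry install` picks a patched release rather than whatever was previously locked (the commit message says that was done).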
🤖 Context from Claude: Bumping pytest from ^7.4 to ^8.4. This is a major bump and pytest 8 has some real deprecation removals (e.g., pytest.warns(None), some collector class changes), but this project's test suite uses only the high-level API (pytest.fixture, pytest.raises, pytest_mock's mocker, simple parametrize), none of which is affected. All 22 tests pass locally on pytest 8.4.2 and the CI run on this PR has 3.9/3.10/3.11/3.12 all green. Sticking on pytest 7.x would leave GHSA-6w46-j5rx-g56g unpatched (advisory is fixed in 8.3.4+), and there is no 7.x backport.
🤖 Context from Claude: The poetry.lock diff is large because I ran an unscoped
Pull request overview
This PR updates the project’s development test dependency to a patched pytest release as part of resolving Dependabot-reported vulnerabilities in this repository.
Changes:
- Bump pytest in dev dependencies from ^7.4 to ^8.4 to ensure a non-vulnerable version (>=8.3.4) is used.
Summary
Closes FFESUPPORT-725.
Resolves all 8 open Dependabot alerts (3 high, 4 medium, 1 low) in this deprecated repository.
Changes
- pyproject.toml: bumped dev pytest constraint ^7.4 → ^8.4 to pull in pytest >=8.3.4, which patches GHSA-6w46-j5rx-g56g (vulnerable tmpdir handling).
- poetry.lock: refreshed via poetry update; transitive deps now resolve to patched versions:
  - urllib3 2.6.3: GHSA-qccp-gfcp-xxvc (sensitive headers across origins), GHSA-mf9v-mfxr-j63j (decompression-bomb bypass)
  - deepdiff 8.6.2: GHSA-54jj-px8x-5w5q (memory exhaustion DoS)
  - requests 2.32.5: GHSA-gc5v-m9x4-r6x2 (insecure temp file reuse)
  - idna 3.16: GHSA-65pc-fj4g-8rjx (idna.encode bypass)
  - sqlparse 0.5.4: GHSA-27jp-wm6q-gp25 (formatting list of tuples DoS)
  - pytest 8.4.2: GHSA-6w46-j5rx-g56g (vulnerable tmpdir handling)
  - dbt-common 1.34.2: GHSA-w75w-9qv4-j5xj (commonprefix path traversal)
Verification
- poetry install: clean
- poetry run pytest -v: 22/22 pass (matches the Tests workflow on Python 3.9–3.12)
Note
This PR was generated with Claude Code.
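The "Changes" and "Verification" sections above rely on the regenerated poetry.lock actually resolving each package at or above the patched release. As an added example (not part of this PR or the project's code), the script below reads the `[[package]]` tables of a poetry.lock and flags any package locked below the floor the PR lists; the floor map uses the versions named in the description (and 8.3.4 for pytest, the fix floor cited in the review comment), and the lock text is a constructed sample with urllib3 deliberately left on an older release so the check has something to report.

```python
"""Check a poetry.lock against the minimum patched versions listed in the PR."""
import re
from typing import Dict, List, Tuple

# Floors taken from the PR description: the version each package resolved to
# after `poetry update`, and for pytest the 8.3.4 fix floor the comment cites.
# (Assumption: these are treated as the advisory minimums for the check.)
PATCHED_FLOORS: Dict[str, str] = {
    "urllib3": "2.6.3",
    "deepdiff": "8.6.2",
    "requests": "2.32.5",
    "idna": "3.16",
    "dbt-common": "1.34.2",
    "sqlparse": "0.5.4",
    "pytest": "8.3.4",
}

# Constructed sample in poetry.lock's layout (three [[package]] tables only).
# urllib3 is intentionally locked at an older release to exercise the check.
SAMPLE_LOCK = '''\
[[package]]
name = "idna"
version = "3.16"
description = "Internationalized Domain Names in Applications (IDNA)"

[[package]]
name = "pytest"
version = "8.4.2"
description = "pytest: simple powerful testing with Python"

[[package]]
name = "urllib3"
version = "2.2.3"
description = "HTTP library with thread-safe connection pooling"
'''

# Poetry writes `name` then `version` as the first two keys of every package
# table, so a strict consecutive-line match is enough and cannot bleed into
# the next table.
_PACKAGE_RE = re.compile(
    r'^\[\[package\]\]\n'
    r'name = "(?P<name>[^"]+)"\n'
    r'version = "(?P<version>[^"]+)"',
    re.MULTILINE,
)


def parse_lock(text: str) -> Dict[str, str]:
    """Return {package-name (lowercased): locked-version} from poetry.lock text."""
    return {m.group("name").lower(): m.group("version")
            for m in _PACKAGE_RE.finditer(text)}


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric-prefix comparison key: '8.4.2' -> (8, 4, 2).

    Comparing tuples avoids the string pitfall where '3.16' < '3.2'.
    A pre-release suffix such as '2.6.3rc1' is cut off at the first
    non-digit, which is conservative enough for a floor check.
    """
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def check_floors(locked: Dict[str, str],
                 floors: Dict[str, str] = PATCHED_FLOORS) -> List[Tuple[str, str, str]]:
    """Return (name, locked-version, floor) for each locked package below its floor.

    Packages absent from the lock are not reported: the advisory does not
    apply to a dependency the project does not pull in.
    """
    problems: List[Tuple[str, str, str]] = []
    for name, floor in floors.items():
        found = locked.get(name)
        if found is not None and version_key(found) < version_key(floor):
            problems.append((name, found, floor))
    return problems


if __name__ == "__main__":
    for name, found, floor in check_floors(parse_lock(SAMPLE_LOCK)):
        print(f"{name}: locked {found}, need >= {floor}")
```

Run against a real lock with `check_floors(parse_lock(open("poetry.lock").read()))`; an empty list means every listed package resolved at or above its patched release, which is the property the "Verification" section's `poetry install` run does not by itself prove.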