Skip to content

fix(security): bump cryptography, python-multipart, and starlette (python/uv.lock)#685

Open
langwatch-agent wants to merge 2 commits into
mainfrom
dependabot-scout/python-security
Open

fix(security): bump cryptography, python-multipart, and starlette (python/uv.lock)#685
langwatch-agent wants to merge 2 commits into
mainfrom
dependabot-scout/python-security

Conversation

@langwatch-agent

Copy link
Copy Markdown
Contributor

What

Surgical uv lock bump in python/uv.lock: cryptography 48.0.0 -> 48.0.1, python-multipart 0.0.29 -> 0.0.32.

Why

Resolves #456, #457, #458, #459, #460.

Notes

  • cryptography is capped to <49 so it lands on the patched 48.0.1 instead of the 6-day-old 49.0.0 major release (minimal churn / avoid a bleeding-edge major bump).
  • Only these two packages change in the lock; uv lock --check passes.
  • starlette is intentionally deferred - its fix (1.3.0/1.3.1) was published 2026-06-11/12 and is still inside the 7-day release-age window; it will follow once that clears (~tomorrow).

…0.32

cryptography <48.0.1 (HIGH) and python-multipart <0.0.30 (HIGH + LOW) are
fixed by these versions. Surgical uv lock-only bump in python/uv.lock; only
these two packages move.

cryptography is capped to <49 so it lands on the patched 48.0.1 rather than
jumping to the 6-day-old 49.0.0 major release (minimal-churn).

starlette is intentionally deferred: its fix (1.3.0/1.3.1) was published
2026-06-11/12 and is still inside the 7-day release-age window; it will follow
once that clears.

Resolves #456 #457 #458 #459 #460

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • python/uv.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 36c2e374-3806-420c-b7b0-56db3da4dbe5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot-scout/python-security

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@langwatch-agent

Copy link
Copy Markdown
Contributor Author

CI is green, including the Python test (3.12) suite. Ready for human review and merge. Resolves the cryptography (#456, #457) and python-multipart (#458-#460) alerts via the floor bumps in python/uv.lock (cryptography capped <49 to land on patched 48.0.1; python-multipart 0.0.32). starlette deferred to a follow-up: its patched release is still inside the uv exclude-newer cooldown window.

Clears HIGH alert #462 (starlette < 1.3.1) in python/uv.lock, alongside the
cryptography and python-multipart floors already in this PR. starlette is
transitive via fastapi (>=0.110, no cap); surgical uv upgrade, 1.2.1 -> 1.3.1.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@langwatch-agent langwatch-agent changed the title fix(security): bump cryptography to 48.0.1 and python-multipart to 0.0.32 fix(security): bump cryptography, python-multipart, and starlette (python/uv.lock) Jul 2, 2026
@langwatch-agent

Copy link
Copy Markdown
Contributor Author

Folded in starlette 1.2.1 -> 1.3.1, which clears HIGH alert #462 in the same python/uv.lock this PR already touches (surgical uv upgrade; starlette is transitive via fastapi, no cap). Dogfooded: import smoke plus the twilio voice-adapter suite (the starlette consumer) at 23 passed. This PR now closes the scenario cryptography (#456), python-multipart (#460), and starlette (#462) HIGH alerts together.

@langwatch-agent

Copy link
Copy Markdown
Contributor Author

CI green after adding starlette. Ready for human review and merge (closes cryptography #456, python-multipart #460, starlette #462).

@drewdrewthis

Copy link
Copy Markdown
Collaborator

Only the lockfile changing is suspect?

@drewdrewthis

Copy link
Copy Markdown
Collaborator

@langwatch-agent only the lockfile changing is suspect

@langwatch-agent langwatch-agent added dependabot-scout Opened by the dependabot-scout security-triage agent (shared langwatch-agent bot identity) hound-checked Triaged by the pr-hound agent at the current head SHA labels Jul 2, 2026
@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Automated low-risk assessment

This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.

The PR changes dependency lockfile entries, including a security-sensitive library (cryptography) and other third-party packages; updates to dependencies—especially security/crypto libraries—are not covered by the allowed low-risk categories. The diff also includes an unexpected starlette version bump which may introduce behavioral changes, so this is not limited to innocuous UI/docs/test tweaks and should not be auto-labeled low risk.

This PR requires a manual review before merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependabot-scout Opened by the dependabot-scout security-triage agent (shared langwatch-agent bot identity) hound-checked Triaged by the pr-hound agent at the current head SHA

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants