fix(security): bump cryptography, python-multipart, and starlette (python/uv.lock) #685
langwatch-agent wants to merge 2 commits into
Conversation
…0.32 cryptography <48.0.1 (HIGH) and python-multipart <0.0.30 (HIGH + LOW) are fixed by these versions. Surgical uv lock-only bump in python/uv.lock; only these two packages move. cryptography is capped to <49 so it lands on the patched 48.0.1 rather than jumping to the 6-day-old 49.0.0 major release (minimal-churn). starlette is intentionally deferred: its fix (1.3.0/1.3.1) was published 2026-06-11/12 and is still inside the 7-day release-age window; it will follow once that clears. Resolves #456 #457 #458 #459 #460 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
CodeRabbit: Review skipped due to path filters. Files ignored due to path filters (1). CodeRabbit blocks several paths by default; this can be overridden by explicitly including those paths in the path filters.
CI is green, including the Python test (3.12) suite. Ready for human review and merge. Resolves the cryptography (#456, #457) and python-multipart (#458-#460) alerts via the floor bumps in python/uv.lock (cryptography capped <49 to land on patched 48.0.1; python-multipart 0.0.32). starlette deferred to a follow-up: its patched release is still inside the uv exclude-newer cooldown window.

Clears HIGH alert #462 (starlette < 1.3.1) in python/uv.lock, alongside the cryptography and python-multipart floors already in this PR. starlette is transitive via fastapi (>=0.110, no cap); surgical uv upgrade, 1.2.1 -> 1.3.1. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Folded in starlette 1.2.1 -> 1.3.1, which clears HIGH alert #462 in the same python/uv.lock this PR already touches (surgical uv upgrade; starlette is transitive via fastapi, no cap). Dogfooded: import smoke plus the twilio voice-adapter suite (the starlette consumer) at 23 passed. This PR now closes the scenario cryptography (#456), python-multipart (#460), and starlette (#462) HIGH alerts together.

Only the lockfile changing is suspect?

@langwatch-agent only the lockfile changing is suspect

Automated low-risk assessment: This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.
This PR requires a manual review before merging.
What
Surgical uv lock bump in python/uv.lock: cryptography 48.0.0 -> 48.0.1, python-multipart 0.0.29 -> 0.0.32.

Why
Resolves #456, #457, #458, #459, #460.

Notes
cryptography is capped to <49 so it lands on the patched 48.0.1 instead of the 6-day-old 49.0.0 major release (minimal churn / avoid a bleeding-edge major bump).
uv lock --check passes.
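The reviewer's "only the lockfile changing is suspect" question and the PR's "only these two packages move" claim can be settled mechanically. The script below is an added example, not code from this PR or the langwatch repository: it parses two uv.lock documents with the standard-library tomllib, diffs the locked versions, and verifies that the set of packages that moved is exactly the allow-list, each landing at or above its patched floor and below the cryptography <49 cap. The two lock snippets, the floors dictionary and the release-segment-only version comparison are constructed assumptions for the example; a real uv.lock carries more fields per package, which tomllib parses the same way.

```python
"""Added example (not PR or repo code): check that a uv.lock bump is surgical,
i.e. only allow-listed packages moved, each to [patched floor, cap)."""
from __future__ import annotations

import re
import sys

try:
    import tomllib  # stdlib on Python 3.11+
except ModuleNotFoundError:  # older interpreters: same API from the tomli backport
    import tomli as tomllib  # type: ignore

# Constructed "before" lock with the pre-bump versions from the PR description.
# Real entries also carry dependencies/sdist/wheels tables; tomllib parses them
# the same way, so the check runs unchanged on the real python/uv.lock.
LOCK_BEFORE = """\
version = 1
requires-python = ">=3.12"

[[package]]
name = "cryptography"
version = "48.0.0"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "python-multipart"
version = "0.0.29"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "starlette"
version = "1.2.1"
source = { registry = "https://pypi.org/simple" }
"""

# Constructed "after" lock: only the two packages the PR says it moves.
LOCK_AFTER = LOCK_BEFORE.replace('version = "48.0.0"', 'version = "48.0.1"').replace(
    'version = "0.0.29"', 'version = "0.0.32"'
)

# Allow-list from the PR: name -> (patched floor, exclusive cap or None).
# The cap mirrors "cryptography <49" so the bump cannot silently land on 49.x.
FLOORS = {"cryptography": ("48.0.1", "49"), "python-multipart": ("0.0.30", None)}


def parse_version(v: str) -> tuple[int, ...]:
    """Release segments as an int tuple; pre/post/dev suffixes are ignored
    (assumption: enough for the plain x.y.z versions a security bump lands on)."""
    m = re.match(r"^(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def lock_versions(lock_text: str) -> dict[str, str]:
    """Map package name -> locked version for every [[package]] entry."""
    return {p["name"]: p["version"] for p in tomllib.loads(lock_text).get("package", [])}


def changed_packages(before: str, after: str) -> dict[str, tuple[str | None, str | None]]:
    """{name: (old, new)} for every package added, removed or re-versioned."""
    b, a = lock_versions(before), lock_versions(after)
    return {n: (b.get(n), a.get(n)) for n in sorted(b.keys() | a.keys()) if b.get(n) != a.get(n)}


def check_surgical_bump(before: str, after: str, floors: dict) -> list[str]:
    """Return the problems found; an empty list means the bump is exactly as claimed."""
    problems: list[str] = []
    # 1. Nothing outside the allow-list moved: a transitive dependency drifting
    #    along with the bump is the first sign that it is not surgical.
    for name, (old, new) in changed_packages(before, after).items():
        if name not in floors:
            problems.append(f"unexpected change: {name} {old} -> {new}")
    # 2. Each allow-listed package is present and inside [floor, cap).
    after_versions = lock_versions(after)
    for name, (floor, cap) in floors.items():
        new = after_versions.get(name)
        if new is None:
            problems.append(f"{name} missing from lockfile")
            continue
        if parse_version(new) < parse_version(floor):
            problems.append(f"{name} {new} still below patched floor {floor}")
        if cap is not None and parse_version(new) >= parse_version(cap):
            problems.append(f"{name} {new} crossed the cap <{cap}")
    return problems


if __name__ == "__main__":
    found = check_surgical_bump(LOCK_BEFORE, LOCK_AFTER, FLOORS)
    print("\n".join(f"FAIL: {p}" for p in found) or "OK: surgical bump")
    sys.exit(1 if found else 0)
```

Against a real PR, feed the base branch's lockfile (for example the output of git show for python/uv.lock on the target branch) as the before text and the working-tree file as the after text. The same check then reports a transitive package such as starlette moving when the description says it does not, a floor that was never actually reached, or a cap that was crossed, which is the evidence a reviewer wants before accepting a lock-only change.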