fix: address all 10 Dependabot security vulnerabilities#137
Merged
CurroRodriguez merged 2 commits intomasterfrom Mar 21, 2026
Merged
fix: address all 10 Dependabot security vulnerabilities#137CurroRodriguez merged 2 commits intomasterfrom
CurroRodriguez merged 2 commits intomasterfrom
Conversation
Root cause: requires-python = ">=3.8" forced uv to resolve a Python 3.8 branch where all patched versions of the vulnerable packages were unavailable — they had all dropped Python 3.8 support before issuing their security fixes. Fix: drop Python 3.8 support (raises minimum to Python 3.9) and upgrade all affected packages to their patched versions. pyproject.toml: - Raised requires-python from >=3.8 to >=3.9. - Removed the Python 3.8 classifier. uv.lock: - markdown: 3.7 → 3.9 / 3.10.2 (fixes: Uncaught Exception, alert #10) - pymdown-extensions: 10.15 → 10.21 (fixes: ReDOS in Figure Capture, alert #7) - requests: 2.32.3 → 2.32.5 (fixes: .netrc credentials leak, alert #2) - setuptools: 75.3.x → 82.0.1 (fixes: path traversal / arbitrary file write, alert #1) - urllib3: 2.2.3 / 2.3.0 → 2.6.3 (fixes: decompression bomb, unbounded redirect chain, redirect control, alerts #3 #4 #5 #6 #8) - wheel: 0.45.1 → removed (was a transitive dep of astunparse, which is only needed for Python <3.9; eliminating Python 3.8 support removes this dependency entirely, fixes: path traversal, alert #9) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the project’s minimum supported Python version to unblock Dependabot security upgrades that are unavailable on the Python 3.8 dependency branch, and refreshes the uv lockfile to pull in patched dependency versions.
Changes:
- Raise minimum supported Python from
>=3.8to>=3.9and remove the Python 3.8 classifier. - Regenerate
uv.lockto upgrade vulnerable dependencies to patched versions (e.g.,requests,setuptools,urllib3,markdown,pymdown-extensions) and dropwheel/Python<3.9-only transitive deps.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
pyproject.toml |
Drops Python 3.8 support via requires-python and classifiers to enable security upgrades. |
uv.lock |
Re-locks dependencies under Python >=3.9, upgrading vulnerable packages to patched versions. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Minimum allowed line rate is |
1 similar comment
Minimum allowed line rate is |
This was referenced Mar 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves all 10 Dependabot security alerts on the
masterbranch.The root cause was
requires-python = ">=3.8"inpyproject.toml, which forced uv to resolve a Python 3.8 dependency branch where all patched versions of the affected packages were unavailable — they had each dropped Python 3.8 support before issuing their security fixes. Dropping Python 3.8 support eliminates that branch entirely and unblocks the upgrades.Changes:
pyproject.toml— raisedrequires-pythonfrom>=3.8to>=3.9and removed the Python 3.8 classifier.uv.lock— upgraded all affected packages to their patched versions:markdown3.7 → 3.9 / 3.10.2 (Uncaught Exception)pymdown-extensions10.15 → 10.21 (ReDOS in Figure Capture extension)requests2.32.3 → 2.32.5 (.netrc credentials leak via malicious URLs)setuptools75.3.x → 82.0.1 (path traversal / arbitrary file write)urllib32.2.3 / 2.3.0 → 2.6.3 (decompression bomb, unbounded redirect chain, redirect control — alerts Default task is executed if no specific task is specified #3 Completed Main Workflow of Bolt Application #4 Task to delete files from tree #5 Specific task to delete .pyc files #6 Task to copy files from one directory to another #8)wheel0.45.1 → removed (path traversal; was a transitive dep ofastunparsewhich is only required for Python <3.9)All 160 unit tests pass.
References