Skip to content

ROB-623: bump python deps to fix CVEs#2122

Open
Avi-Robusta wants to merge 3 commits into
masterfrom
avi/rob-623-cve-robusta
Open

ROB-623: bump python deps to fix CVEs#2122
Avi-Robusta wants to merge 3 commits into
masterfrom
avi/rob-623-cve-robusta

Conversation

@Avi-Robusta

Copy link
Copy Markdown
Contributor

Fixes CVEs flagged for the robusta image in the 2026-07-14 Vanta scan (sub-issue ROB-623 of ROB-595).

Dependency bumps

Package From To CVE
pyjwt 2.12.1 2.13.0 CVE-2026-48526 (High)
tornado 6.5.5 6.5.7 CVE-2026-49853, CVE-2026-49855 (High)
cryptography 46.0.7 48.0.1 GHSA-537c-gmf6-5ccf (High)
python-dotenv 0.18.0 1.2.2 CVE-2026-28684 (Medium)

Only these four packages change version in the lock file. python-dotenv (0.18 → 1.2) is not imported directly in src/; the four bumped packages install and import together cleanly in a venv smoke test.

SLA: before 2026-07-21 (pyjwt due 16 Jul).

🤖 Generated with Claude Code

- pyjwt 2.12.1 -> 2.13.0 (CVE-2026-48526, High)
- tornado 6.5.5 -> 6.5.7 (CVE-2026-49853, CVE-2026-49855, High)
- cryptography 46.0.7 -> 48.0.1 (GHSA-537c-gmf6-5ccf, High)
- python-dotenv 0.18.0 -> 1.2.2 (CVE-2026-28684, Medium)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown

Docker image ready for 8e5ef8f (built in 2m 49s)

⚠️ Warning: does not support ARM (ARM images are built on release only - not on every PR)

Use this tag to pull the image for testing.

📋 Copy commands

⚠️ Temporary images are deleted after 30 days. Copy to a permanent registry before using them:

gcloud auth configure-docker us-central1-docker.pkg.dev
docker pull us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:8e5ef8f
docker tag us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:8e5ef8f me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:8e5ef8f
docker push me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:8e5ef8f

Patch Helm values in one line:

helm upgrade --install robusta robusta/robusta \
  --reuse-values \
  --set runner.image=me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:8e5ef8f

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0d5ebb9e-6f41-4e2d-bcca-3f5653fcdaa2

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Walkthrough

Updates four dependency version pins in pyproject.toml and adds inline security advisory references.

Changes

Dependency Security Updates

Layer / File(s) Summary
Update dependency version pins
pyproject.toml
Raises the minimum versions for cryptography, pyjwt, python-dotenv, and tornado, with inline advisory comments.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: bumping Python dependencies to address CVEs.
Description check ✅ Passed The description is directly about the dependency bumps and CVEs fixed by the PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch avi/rob-623-cve-robusta

Comment @coderabbitai help to get the list of available commands.

moshemorad
moshemorad previously approved these changes Jul 19, 2026
pyproject.toml was bumped (pyjwt, tornado, cryptography, python-dotenv)
but poetry.lock's content-hash was stale, failing the poetry-check
pre-commit hook. Update only the content-hash to match; kept the
Poetry 1.8.5 / lock-version 2.0 format (no dependency changes).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Avi-Robusta
Avi-Robusta enabled auto-merge (squash) July 19, 2026 06:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants