ROB-623: bump python deps to fix CVEs#2122
Conversation
- pyjwt 2.12.1 -> 2.13.0 (CVE-2026-48526, High) - tornado 6.5.5 -> 6.5.7 (CVE-2026-49853, CVE-2026-49855, High) - cryptography 46.0.7 -> 48.0.1 (GHSA-537c-gmf6-5ccf, High) - python-dotenv 0.18.0 -> 1.2.2 (CVE-2026-28684, Medium) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
✅ Docker image ready for
Use this tag to pull the image for testing. 📋 Copy commandsgcloud auth configure-docker us-central1-docker.pkg.dev
docker pull us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:8e5ef8f
docker tag us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:8e5ef8f me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:8e5ef8f
docker push me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:8e5ef8fPatch Helm values in one line: helm upgrade --install robusta robusta/robusta \
--reuse-values \
--set runner.image=me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:8e5ef8f |
|
Important Review skippedReview was skipped due to path filters ⛔ Files ignored due to path filters (1)
CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
WalkthroughUpdates four dependency version pins in ChangesDependency Security Updates
Estimated code review effort: 1 (Trivial) | ~5 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
pyproject.toml was bumped (pyjwt, tornado, cryptography, python-dotenv) but poetry.lock's content-hash was stale, failing the poetry-check pre-commit hook. Update only the content-hash to match; kept the Poetry 1.8.5 / lock-version 2.0 format (no dependency changes). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Fixes CVEs flagged for the
robustaimage in the 2026-07-14 Vanta scan (sub-issue ROB-623 of ROB-595).Dependency bumps
Only these four packages change version in the lock file.
python-dotenv(0.18 → 1.2) is not imported directly insrc/; the four bumped packages install and import together cleanly in a venv smoke test.SLA: before 2026-07-21 (pyjwt due 16 Jul).
🤖 Generated with Claude Code