[Task] Remediate Python dependency vulnerabilities from 2026-07-09 audit #226

Closed
opened 2026-07-09 13:16:11 +02:00 by zemion · 1 comment
Owner

Context

The dependency audit recorded in govoplan-core/docs/audits/2026-07-09-dependency-audit.md found 24 Python advisories while npm production dependencies reported 0 vulnerabilities.\n\nAffected installed packages from the local audit:\n- cryptography 44.0.0: 5 advisories, minimum reported fix 48.0.1\n- pip 26.0.1: 3 advisories, minimum reported fix 26.1.2\n- python-multipart 0.0.17: 7 advisories, minimum reported fix 0.0.31\n- pyzipper 0.3.6: 1 advisory, minimum reported fix 0.4.0\n- starlette 0.41.3: 8 advisories, minimum reported fix 1.3.1\n\n## Scope\n\n- Upgrade direct constraints in govoplan-core where compatible.\n- Check FastAPI/Starlette compatibility before lifting the Starlette floor.\n- Upgrade govoplan-campaign pyzipper dependency or replace the ZIP encryption dependency if 0.4.0 is not viable.\n- Keep pip remediation in operator/dev environment docs if it is not a project runtime dependency.\n- Rerun scripts/check-dependency-audits.sh and record the new result under docs/audits/.\n\n## Acceptance criteria\n\n- Python audit passes or every remaining advisory has a documented risk acceptance with a follow-up.\n- npm audit still reports 0 production vulnerabilities.\n- Backend module matrix still passes after dependency upgrades.\n

## Context The dependency audit recorded in govoplan-core/docs/audits/2026-07-09-dependency-audit.md found 24 Python advisories while npm production dependencies reported 0 vulnerabilities.\n\nAffected installed packages from the local audit:\n- cryptography 44.0.0: 5 advisories, minimum reported fix 48.0.1\n- pip 26.0.1: 3 advisories, minimum reported fix 26.1.2\n- python-multipart 0.0.17: 7 advisories, minimum reported fix 0.0.31\n- pyzipper 0.3.6: 1 advisory, minimum reported fix 0.4.0\n- starlette 0.41.3: 8 advisories, minimum reported fix 1.3.1\n\n## Scope\n\n- Upgrade direct constraints in govoplan-core where compatible.\n- Check FastAPI/Starlette compatibility before lifting the Starlette floor.\n- Upgrade govoplan-campaign pyzipper dependency or replace the ZIP encryption dependency if 0.4.0 is not viable.\n- Keep pip remediation in operator/dev environment docs if it is not a project runtime dependency.\n- Rerun scripts/check-dependency-audits.sh and record the new result under docs/audits/.\n\n## Acceptance criteria\n\n- Python audit passes or every remaining advisory has a documented risk acceptance with a follow-up.\n- npm audit still reports 0 production vulnerabilities.\n- Backend module matrix still passes after dependency upgrades.\n
zemion added the
type
task
priority
p1
status
ready
module/core
codex/ready
area/release
labels 2026-07-09 13:16:11 +02:00
Author
Owner

Remediated.

Dependency changes:

  • govoplan-core: fastapi>=0.139,<1, cryptography>=48.0.1,<50
  • govoplan-files: python-multipart>=0.0.31,<1 declared explicitly for upload routes
  • govoplan-campaign: pyzipper>=0.4,<1
  • local audit env: pip upgraded to 26.1.2; obsolete govoplan-module-multimailer editable install removed

Resolved installed versions in the dev venv:

  • fastapi==0.139.0
  • starlette==1.3.1
  • cryptography==49.0.0
  • python-multipart==0.0.32
  • pyzipper==0.4.0
  • pip==26.1.2

Verification:

  • bash scripts/check-dependency-audits.sh: passed, no known Python vulnerabilities and npm production audit 0 vulnerabilities
  • python -m pip check: passed
  • bash scripts/check-module-matrix.sh: passed
  • python -m unittest tests.test_api_smoke: passed
  • campaign plain/encrypted ZIP smoke with pyzipper 0.4.0: passed

Traceability: govoplan-core/docs/audits/2026-07-09-dependency-audit.md and the matching wiki page were updated with the remediation result.

Remediated. Dependency changes: - govoplan-core: fastapi>=0.139,<1, cryptography>=48.0.1,<50 - govoplan-files: python-multipart>=0.0.31,<1 declared explicitly for upload routes - govoplan-campaign: pyzipper>=0.4,<1 - local audit env: pip upgraded to 26.1.2; obsolete govoplan-module-multimailer editable install removed Resolved installed versions in the dev venv: - fastapi==0.139.0 - starlette==1.3.1 - cryptography==49.0.0 - python-multipart==0.0.32 - pyzipper==0.4.0 - pip==26.1.2 Verification: - bash scripts/check-dependency-audits.sh: passed, no known Python vulnerabilities and npm production audit 0 vulnerabilities - python -m pip check: passed - bash scripts/check-module-matrix.sh: passed - python -m unittest tests.test_api_smoke: passed - campaign plain/encrypted ZIP smoke with pyzipper 0.4.0: passed Traceability: govoplan-core/docs/audits/2026-07-09-dependency-audit.md and the matching wiki page were updated with the remediation result.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-core#226
No description provided.