[Security] Lock audit toolbox dependencies flagged by OSV #244

Closed
opened 2026-07-11 12:51:14 +02:00 by zemion · 2 comments
Owner

OSV resolved vulnerable transitive packages from audit/development requirements. These are tooling dependencies, not runtime app dependencies, but the toolbox should still be clean.

Classification: immediate partial fix / rerun required.

Report evidence:

  • osv-scanner-govoplan-core_.json reports filelock 3.9.1, idna 3.9.0, python-multipart 0.0.9, and pip 9.0.3 through requirements resolution.
  • pip-audit-govoplan-core_.json and npm-audit-govoplan-core_.json reported zero runtime vulnerabilities.

Suggested next steps:

  • Add explicit safe floors for filelock, idna, and python-multipart in audit/dev requirements.
  • Rebuild the audit toolbox and re-run OSV.
  • Investigate whether the pip 9.0.3 finding is resolver metadata noise or requires a separate constraints/lock approach.

Baseline report directory: audit-reports/govoplan-full-20260711-1238

<!-- codex-audit-full-2026-07-11:core-audit-toolbox-osv --> OSV resolved vulnerable transitive packages from audit/development requirements. These are tooling dependencies, not runtime app dependencies, but the toolbox should still be clean. Classification: **immediate partial fix / rerun required**. Report evidence: - `osv-scanner-govoplan-core_.json` reports `filelock 3.9.1`, `idna 3.9.0`, `python-multipart 0.0.9`, and `pip 9.0.3` through requirements resolution. - `pip-audit-govoplan-core_.json` and `npm-audit-govoplan-core_.json` reported zero runtime vulnerabilities. Suggested next steps: - Add explicit safe floors for `filelock`, `idna`, and `python-multipart` in audit/dev requirements. - Rebuild the audit toolbox and re-run OSV. - Investigate whether the `pip 9.0.3` finding is resolver metadata noise or requires a separate constraints/lock approach. Baseline report directory: `audit-reports/govoplan-full-20260711-1238`
zemion added the
type
bug
priority
p2
status
ready
module/core
codex/ready
labels 2026-07-11 12:51:14 +02:00
Author
Owner

Codex state update after rerun audit-reports/govoplan-full-20260711-1422:

  • filelock, idna, and python-multipart OSV findings cleared.
  • Remaining OSV finding was only inferred pip 9.0.3 from requirements-audit.txt and requirements-dev.txt.
  • Added explicit pip>=26.1.2 floors locally to both files; keep this issue open until the next audit confirms OSV is clean.
Codex state update after rerun `audit-reports/govoplan-full-20260711-1422`: - `filelock`, `idna`, and `python-multipart` OSV findings cleared. - Remaining OSV finding was only inferred `pip 9.0.3` from `requirements-audit.txt` and `requirements-dev.txt`. - Added explicit `pip>=26.1.2` floors locally to both files; keep this issue open until the next audit confirms OSV is clean.
zemion added the
area/security
audit/quick-fix
source/security-audit
labels 2026-07-11 16:05:48 +02:00
Author
Owner

Codex State: done

Summary

  • The new meta-run full report has no OSV findings: osv-scanner-govoplan_.json, osv-scanner-govoplan-core_.json, and osv-scanner-addideas-govoplan-website_.json all report zero results/packages/vulnerabilities.
  • The audit toolbox dependency issue is therefore resolved by the current dependency pins and meta audit run.

Verification

  • Checked /mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260711-1529.

Closing this as resolved; future audit-tool dependency drift is tracked by the meta repository audit workflow.

## Codex State: done ### Summary - The new meta-run full report has no OSV findings: `osv-scanner-govoplan_.json`, `osv-scanner-govoplan-core_.json`, and `osv-scanner-addideas-govoplan-website_.json` all report zero results/packages/vulnerabilities. - The audit toolbox dependency issue is therefore resolved by the current dependency pins and meta audit run. ### Verification - Checked `/mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260711-1529`. Closing this as resolved; future audit-tool dependency drift is tracked by the meta repository audit workflow.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-core#244
No description provided.