# Dependency Audit - 2026-07-09 Commands: ```bash cd /mnt/DATA/git/govoplan GOVOPLAN_CORE_ROOT=/mnt/DATA/git/govoplan-core bash tools/checks/check-dependency-audits.sh ``` Status: remediated. Initial result: - Python audit failed: 24 advisories were reported across `cryptography`, `pip`, `python-multipart`, `pyzipper`, and `starlette`. - npm production audit passed: `npm audit --omit=dev` reported 0 vulnerabilities. Python findings: | Package | Installed | Advisory count | Minimum reported fix | | --- | ---: | ---: | --- | | `cryptography` | `44.0.0` | 5 | `48.0.1` | | `pip` | `26.0.1` | 3 | `26.1.2` | | `python-multipart` | `0.0.17` | 7 | `0.0.31` | | `pyzipper` | `0.3.6` | 1 | `0.4.0` | | `starlette` | `0.41.3` | 8 | `1.3.1` | Private GovOPlaN packages were skipped by `pip-audit` because they are not published on PyPI. That is expected for local editable development installs. The remediation below upgrades those dependencies and records the compatibility checks run against core, files, and campaign behavior. ## Remediation Remediation applied on 2026-07-09: - upgraded core's FastAPI floor to `fastapi>=0.139,<1`, resolving Starlette to `starlette==1.3.1` - upgraded core's cryptography floor to `cryptography>=48.0.1,<50`, resolving to `cryptography==49.0.0` - declared the files module upload parser dependency as `python-multipart>=0.0.31,<1`, resolving to `python-multipart==0.0.32` - upgraded the campaign ZIP dependency to `pyzipper>=0.4,<1`, resolving to `pyzipper==0.4.0` - upgraded the local audit environment to `pip==26.1.2` - removed the obsolete local mailer-module editable install from the audit environment so the audit reflects the split module product Post-remediation result: - `bash tools/checks/check-dependency-audits.sh`: passed, no known Python vulnerabilities found and npm production audit reported 0 vulnerabilities. - `python -m pip check`: passed. - `bash tools/checks/check-module-matrix.sh`: passed. - `python -m unittest tests.test_api_smoke`: passed. - campaign encrypted/plain ZIP smoke with `pyzipper==0.4.0`: passed. Notes: - `pip-audit` still reports private GovOPlaN packages as skipped because they are not published on PyPI. That is expected for editable local development installs. - `httpx2>=2.5,<3` is included in development requirements so Starlette's `TestClient` uses the non-deprecated backend. `httpx==0.28.1` remains in dev requirements for tests that mock connector HTTP responses directly. - Split-module API routers now use Starlette's renamed `HTTP_422_UNPROCESSABLE_CONTENT` status constant. This preserves the 422 status code while avoiding the deprecated `HTTP_422_UNPROCESSABLE_ENTITY` alias.