72 lines
2.6 KiB
Markdown
72 lines
2.6 KiB
Markdown
# Dependency Audit - 2026-07-09
|
|
|
|
Commands:
|
|
|
|
```bash
|
|
cd /mnt/DATA/git/govoplan-core
|
|
bash scripts/check-dependency-audits.sh
|
|
```
|
|
|
|
Status: remediated.
|
|
|
|
Initial result:
|
|
|
|
- Python audit failed: 24 advisories were reported across `cryptography`,
|
|
`pip`, `python-multipart`, `pyzipper`, and `starlette`.
|
|
- npm production audit passed: `npm audit --omit=dev` reported 0
|
|
vulnerabilities.
|
|
|
|
Python findings:
|
|
|
|
| Package | Installed | Advisory count | Minimum reported fix |
|
|
| --- | ---: | ---: | --- |
|
|
| `cryptography` | `44.0.0` | 5 | `48.0.1` |
|
|
| `pip` | `26.0.1` | 3 | `26.1.2` |
|
|
| `python-multipart` | `0.0.17` | 7 | `0.0.31` |
|
|
| `pyzipper` | `0.3.6` | 1 | `0.4.0` |
|
|
| `starlette` | `0.41.3` | 8 | `1.3.1` |
|
|
|
|
Private GovOPlaN packages were skipped by `pip-audit` because they are not
|
|
published on PyPI. That is expected for local editable development installs.
|
|
|
|
The remediation below upgrades those dependencies and records the compatibility
|
|
checks run against core, files, and campaign behavior.
|
|
|
|
## Remediation
|
|
|
|
Remediation applied on 2026-07-09:
|
|
|
|
- upgraded core's FastAPI floor to `fastapi>=0.139,<1`, resolving Starlette to
|
|
`starlette==1.3.1`
|
|
- upgraded core's cryptography floor to `cryptography>=48.0.1,<50`, resolving
|
|
to `cryptography==49.0.0`
|
|
- declared the files module upload parser dependency as
|
|
`python-multipart>=0.0.31,<1`, resolving to `python-multipart==0.0.32`
|
|
- upgraded the campaign ZIP dependency to `pyzipper>=0.4,<1`, resolving to
|
|
`pyzipper==0.4.0`
|
|
- upgraded the local audit environment to `pip==26.1.2`
|
|
- removed the obsolete local `govoplan-module-multimailer` editable install
|
|
from the audit environment so the audit reflects the split module product
|
|
|
|
Post-remediation result:
|
|
|
|
- `bash scripts/check-dependency-audits.sh`: passed, no known Python
|
|
vulnerabilities found and npm production audit reported 0 vulnerabilities.
|
|
- `python -m pip check`: passed.
|
|
- `bash scripts/check-module-matrix.sh`: passed.
|
|
- `python -m unittest tests.test_api_smoke`: passed.
|
|
- campaign encrypted/plain ZIP smoke with `pyzipper==0.4.0`: passed.
|
|
|
|
Notes:
|
|
|
|
- `pip-audit` still reports private GovOPlaN packages as skipped because they
|
|
are not published on PyPI. That is expected for editable local development
|
|
installs.
|
|
- `httpx2>=2.5,<3` is included in development requirements so Starlette's
|
|
`TestClient` uses the non-deprecated backend. `httpx==0.28.1` remains in dev
|
|
requirements for tests that mock connector HTTP responses directly.
|
|
- Split-module API routers now use Starlette's renamed
|
|
`HTTP_422_UNPROCESSABLE_CONTENT` status constant. This preserves the 422
|
|
status code while avoiding the deprecated `HTTP_422_UNPROCESSABLE_ENTITY`
|
|
alias.
|