2.7 KiB
2.7 KiB
Dependency Audit - 2026-07-09
Commands:
cd /mnt/DATA/git/govoplan
GOVOPLAN_CORE_ROOT=/mnt/DATA/git/govoplan-core bash tools/checks/check-dependency-audits.sh
Status: remediated.
Initial result:
- Python audit failed: 24 advisories were reported across
cryptography,pip,python-multipart,pyzipper, andstarlette. - npm production audit passed:
npm audit --omit=devreported 0 vulnerabilities.
Python findings:
| Package | Installed | Advisory count | Minimum reported fix |
|---|---|---|---|
cryptography |
44.0.0 |
5 | 48.0.1 |
pip |
26.0.1 |
3 | 26.1.2 |
python-multipart |
0.0.17 |
7 | 0.0.31 |
pyzipper |
0.3.6 |
1 | 0.4.0 |
starlette |
0.41.3 |
8 | 1.3.1 |
Private GovOPlaN packages were skipped by pip-audit because they are not
published on PyPI. That is expected for local editable development installs.
The remediation below upgrades those dependencies and records the compatibility checks run against core, files, and campaign behavior.
Remediation
Remediation applied on 2026-07-09:
- upgraded core's FastAPI floor to
fastapi>=0.139,<1, resolving Starlette tostarlette==1.3.1 - upgraded core's cryptography floor to
cryptography>=48.0.1,<50, resolving tocryptography==49.0.0 - declared the files module upload parser dependency as
python-multipart>=0.0.31,<1, resolving topython-multipart==0.0.32 - upgraded the campaign ZIP dependency to
pyzipper>=0.4,<1, resolving topyzipper==0.4.0 - upgraded the local audit environment to
pip==26.1.2 - removed the obsolete local
govoplan-module-multimailereditable install from the audit environment so the audit reflects the split module product
Post-remediation result:
bash tools/checks/check-dependency-audits.sh: passed, no known Python vulnerabilities found and npm production audit reported 0 vulnerabilities.python -m pip check: passed.bash tools/checks/check-module-matrix.sh: passed.python -m unittest tests.test_api_smoke: passed.- campaign encrypted/plain ZIP smoke with
pyzipper==0.4.0: passed.
Notes:
pip-auditstill reports private GovOPlaN packages as skipped because they are not published on PyPI. That is expected for editable local development installs.httpx2>=2.5,<3is included in development requirements so Starlette'sTestClientuses the non-deprecated backend.httpx==0.28.1remains in dev requirements for tests that mock connector HTTP responses directly.- Split-module API routers now use Starlette's renamed
HTTP_422_UNPROCESSABLE_CONTENTstatus constant. This preserves the 422 status code while avoiding the deprecatedHTTP_422_UNPROCESSABLE_ENTITYalias.