Files
govoplan-core/docs/audits/2026-07-09-dependency-audit.md
2026-07-11 17:00:37 +02:00

2.7 KiB

Dependency Audit - 2026-07-09

Commands:

cd /mnt/DATA/git/govoplan
GOVOPLAN_CORE_ROOT=/mnt/DATA/git/govoplan-core bash tools/checks/check-dependency-audits.sh

Status: remediated.

Initial result:

  • Python audit failed: 24 advisories were reported across cryptography, pip, python-multipart, pyzipper, and starlette.
  • npm production audit passed: npm audit --omit=dev reported 0 vulnerabilities.

Python findings:

Package Installed Advisory count Minimum reported fix
cryptography 44.0.0 5 48.0.1
pip 26.0.1 3 26.1.2
python-multipart 0.0.17 7 0.0.31
pyzipper 0.3.6 1 0.4.0
starlette 0.41.3 8 1.3.1

Private GovOPlaN packages were skipped by pip-audit because they are not published on PyPI. That is expected for local editable development installs.

The remediation below upgrades those dependencies and records the compatibility checks run against core, files, and campaign behavior.

Remediation

Remediation applied on 2026-07-09:

  • upgraded core's FastAPI floor to fastapi>=0.139,<1, resolving Starlette to starlette==1.3.1
  • upgraded core's cryptography floor to cryptography>=48.0.1,<50, resolving to cryptography==49.0.0
  • declared the files module upload parser dependency as python-multipart>=0.0.31,<1, resolving to python-multipart==0.0.32
  • upgraded the campaign ZIP dependency to pyzipper>=0.4,<1, resolving to pyzipper==0.4.0
  • upgraded the local audit environment to pip==26.1.2
  • removed the obsolete local govoplan-module-multimailer editable install from the audit environment so the audit reflects the split module product

Post-remediation result:

  • bash tools/checks/check-dependency-audits.sh: passed, no known Python vulnerabilities found and npm production audit reported 0 vulnerabilities.
  • python -m pip check: passed.
  • bash tools/checks/check-module-matrix.sh: passed.
  • python -m unittest tests.test_api_smoke: passed.
  • campaign encrypted/plain ZIP smoke with pyzipper==0.4.0: passed.

Notes:

  • pip-audit still reports private GovOPlaN packages as skipped because they are not published on PyPI. That is expected for editable local development installs.
  • httpx2>=2.5,<3 is included in development requirements so Starlette's TestClient uses the non-deprecated backend. httpx==0.28.1 remains in dev requirements for tests that mock connector HTTP responses directly.
  • Split-module API routers now use Starlette's renamed HTTP_422_UNPROCESSABLE_CONTENT status constant. This preserves the 422 status code while avoiding the deprecated HTTP_422_UNPROCESSABLE_ENTITY alias.