Page:
Repo-docs-audits-2026-07-09-dependency-audit
Pages
Codex Project Index
Product govoplan split concept action plan
Repo-README
Repo README
Repo docs ACCESS RBAC MODEL
Repo docs ACTION EFFECT AUTOMATION LAYER
Repo docs CODEX WORKFLOW
Repo docs CONFIGURATION PACKAGES
Repo-docs-DEPENDENCY-AUDITS
Repo docs DEPENDENCY AUDITS
Repo docs DEPLOYMENT OPERATOR GUIDE
Repo-docs-DOCUMENTATION-MAP
Repo docs DOCUMENTATION MAP
Repo docs EVENTS AND AUDIT
Repo docs GITEA ISSUES
Repo docs GOVERNANCE MODEL
Repo docs GOVOPLAN MASTER ROADMAP
Repo docs INTERFACE ETHICS AND DESIGN DOCTRINE
Repo-docs-MODULE-ARCHITECTURE
Repo docs MODULE ARCHITECTURE
Repo docs POLICY CONTRACTS
Repo docs POSTBOX E2EE ARCHITECTURE
Repo docs PUBLIC SECTOR INTEGRATION STRATEGY
Repo-docs-RELEASE-DEPENDENCIES
Repo docs RELEASE DEPENDENCIES
Repo docs REMOTE WEBUI BUNDLES
Repo docs UI UX DECISION LEDGER
Repo-docs-audits-2026-07-09-dependency-audit
Repo docs audits 2026 07 09 dependency audit
Clone
5
Repo-docs-audits-2026-07-09-dependency-audit
zemion edited this page 2026-07-09 13:51:20 +02:00
Table of Contents
Mirrored from
/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md. Origin:repository. Active tasks and changing state belong in Gitea issues; this wiki page is durable project context.
Dependency Audit - 2026-07-09
Commands:
cd /mnt/DATA/git/govoplan-core
bash scripts/check-dependency-audits.sh
Status: remediated.
Initial result:
- Python audit failed: 24 advisories were reported across
cryptography,pip,python-multipart,pyzipper, andstarlette. - npm production audit passed:
npm audit --omit=devreported 0 vulnerabilities.
Python findings:
| Package | Installed | Advisory count | Minimum reported fix |
|---|---|---|---|
cryptography |
44.0.0 |
5 | 48.0.1 |
pip |
26.0.1 |
3 | 26.1.2 |
python-multipart |
0.0.17 |
7 | 0.0.31 |
pyzipper |
0.3.6 |
1 | 0.4.0 |
starlette |
0.41.3 |
8 | 1.3.1 |
Private GovOPlaN packages were skipped by pip-audit because they are not
published on PyPI. That is expected for local editable development installs.
The remediation below upgrades those dependencies and records the compatibility checks run against core, files, and campaign behavior.
Remediation
Remediation applied on 2026-07-09:
- upgraded core's FastAPI floor to
fastapi>=0.139,<1, resolving Starlette tostarlette==1.3.1 - upgraded core's cryptography floor to
cryptography>=48.0.1,<50, resolving tocryptography==49.0.0 - declared the files module upload parser dependency as
python-multipart>=0.0.31,<1, resolving topython-multipart==0.0.32 - upgraded the campaign ZIP dependency to
pyzipper>=0.4,<1, resolving topyzipper==0.4.0 - upgraded the local audit environment to
pip==26.1.2 - removed the obsolete local
govoplan-module-multimailereditable install from the audit environment so the audit reflects the split module product
Post-remediation result:
bash scripts/check-dependency-audits.sh: passed, no known Python vulnerabilities found and npm production audit reported 0 vulnerabilities.python -m pip check: passed.bash scripts/check-module-matrix.sh: passed.python -m unittest tests.test_api_smoke: passed.- campaign encrypted/plain ZIP smoke with
pyzipper==0.4.0: passed.
Notes:
pip-auditstill reports private GovOPlaN packages as skipped because they are not published on PyPI. That is expected for editable local development installs.httpx2>=2.5,<3is included in development requirements so Starlette'sTestClientuses the non-deprecated backend.httpx==0.28.1remains in dev requirements for tests that mock connector HTTP responses directly.- Split-module API routers now use Starlette's renamed
HTTP_422_UNPROCESSABLE_CONTENTstatus constant. This preserves the 422 status code while avoiding the deprecatedHTTP_422_UNPROCESSABLE_ENTITYalias.