Sync Repo-docs-audits-2026-07-09-dependency-audit from project files

2026-07-09 13:19:01 +02:00
parent 75bca04dfe
commit 87a06b0fa1

@@ -0,0 +1,41 @@
<!-- codex-wiki-sync:762734c83e46f85fd15088e5 -->
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md`.
> Origin: `repository`.
> Active tasks and changing state belong in Gitea issues; this wiki page is durable project context.
---
# Dependency Audit - 2026-07-09
Commands:
```bash
cd /mnt/DATA/git/govoplan-core
scripts/check-dependency-audits.sh
```
Status: pending local execution after audit tooling installation.
Result:
- Python audit failed: 24 advisories were reported across `cryptography`,
`pip`, `python-multipart`, `pyzipper`, and `starlette`.
- npm production audit passed: `npm audit --omit=dev` reported 0
vulnerabilities.
Python findings:
| Package | Installed | Advisory count | Minimum reported fix |
| --- | ---: | ---: | --- |
| `cryptography` | `44.0.0` | 5 | `48.0.1` |
| `pip` | `26.0.1` | 3 | `26.1.2` |
| `python-multipart` | `0.0.17` | 7 | `0.0.31` |
| `pyzipper` | `0.3.6` | 1 | `0.4.0` |
| `starlette` | `0.41.3` | 8 | `1.3.1` |
Private GovOPlaN packages were skipped by `pip-audit` because they are not
published on PyPI. That is expected for local editable development installs.
Follow-up: dependency remediation is tracked separately because upgrading
`fastapi`/`starlette`, `cryptography`, `python-multipart`, and `pyzipper`
needs compatibility verification across core and campaign.