From 87a06b0fa1fa373a03edf17ddf6fe81710c3a0cc Mon Sep 17 00:00:00 2001 From: zemion Date: Thu, 9 Jul 2026 13:19:01 +0200 Subject: [PATCH] Sync Repo-docs-audits-2026-07-09-dependency-audit from project files --- ...cs-audits-2026-07-09-dependency-audit.-.md | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 Repo-docs-audits-2026-07-09-dependency-audit.-.md diff --git a/Repo-docs-audits-2026-07-09-dependency-audit.-.md b/Repo-docs-audits-2026-07-09-dependency-audit.-.md new file mode 100644 index 0000000..ee30e39 --- /dev/null +++ b/Repo-docs-audits-2026-07-09-dependency-audit.-.md @@ -0,0 +1,41 @@ + + +> Mirrored from `/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md`. +> Origin: `repository`. +> Active tasks and changing state belong in Gitea issues; this wiki page is durable project context. + +--- +# Dependency Audit - 2026-07-09 + +Commands: + +```bash +cd /mnt/DATA/git/govoplan-core +scripts/check-dependency-audits.sh +``` + +Status: pending local execution after audit tooling installation. + +Result: + +- Python audit failed: 24 advisories were reported across `cryptography`, + `pip`, `python-multipart`, `pyzipper`, and `starlette`. +- npm production audit passed: `npm audit --omit=dev` reported 0 + vulnerabilities. + +Python findings: + +| Package | Installed | Advisory count | Minimum reported fix | +| --- | ---: | ---: | --- | +| `cryptography` | `44.0.0` | 5 | `48.0.1` | +| `pip` | `26.0.1` | 3 | `26.1.2` | +| `python-multipart` | `0.0.17` | 7 | `0.0.31` | +| `pyzipper` | `0.3.6` | 1 | `0.4.0` | +| `starlette` | `0.41.3` | 8 | `1.3.1` | + +Private GovOPlaN packages were skipped by `pip-audit` because they are not +published on PyPI. That is expected for local editable development installs. + +Follow-up: dependency remediation is tracked separately because upgrading +`fastapi`/`starlette`, `cryptography`, `python-multipart`, and `pyzipper` +needs compatibility verification across core and campaign.