Sync Repo-docs-audits-2026-07-09-dependency-audit from project files
41
Repo-docs-audits-2026-07-09-dependency-audit.-.md
Normal file
41
Repo-docs-audits-2026-07-09-dependency-audit.-.md
Normal file
@@ -0,0 +1,41 @@
|
||||
<!-- codex-wiki-sync:762734c83e46f85fd15088e5 -->
|
||||
|
||||
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md`.
|
||||
> Origin: `repository`.
|
||||
> Active tasks and changing state belong in Gitea issues; this wiki page is durable project context.
|
||||
|
||||
---
|
||||
# Dependency Audit - 2026-07-09
|
||||
|
||||
Commands:
|
||||
|
||||
```bash
|
||||
cd /mnt/DATA/git/govoplan-core
|
||||
scripts/check-dependency-audits.sh
|
||||
```
|
||||
|
||||
Status: pending local execution after audit tooling installation.
|
||||
|
||||
Result:
|
||||
|
||||
- Python audit failed: 24 advisories were reported across `cryptography`,
|
||||
`pip`, `python-multipart`, `pyzipper`, and `starlette`.
|
||||
- npm production audit passed: `npm audit --omit=dev` reported 0
|
||||
vulnerabilities.
|
||||
|
||||
Python findings:
|
||||
|
||||
| Package | Installed | Advisory count | Minimum reported fix |
|
||||
| --- | ---: | ---: | --- |
|
||||
| `cryptography` | `44.0.0` | 5 | `48.0.1` |
|
||||
| `pip` | `26.0.1` | 3 | `26.1.2` |
|
||||
| `python-multipart` | `0.0.17` | 7 | `0.0.31` |
|
||||
| `pyzipper` | `0.3.6` | 1 | `0.4.0` |
|
||||
| `starlette` | `0.41.3` | 8 | `1.3.1` |
|
||||
|
||||
Private GovOPlaN packages were skipped by `pip-audit` because they are not
|
||||
published on PyPI. That is expected for local editable development installs.
|
||||
|
||||
Follow-up: dependency remediation is tracked separately because upgrading
|
||||
`fastapi`/`starlette`, `cryptography`, `python-multipart`, and `pyzipper`
|
||||
needs compatibility verification across core and campaign.
|
||||
Reference in New Issue
Block a user