Sync Repo-docs-audits-2026-07-09-dependency-audit from project files
@@ -1,4 +1,4 @@
|
||||
<!-- codex-wiki-sync:f1fafc5723ae15be648cb0f4 -->
|
||||
<!-- codex-wiki-sync:e4c82de96ff1812cee740957 -->
|
||||
|
||||
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md`.
|
||||
> Origin: `repository`.
|
||||
@@ -14,9 +14,9 @@ cd /mnt/DATA/git/govoplan-core
|
||||
bash scripts/check-dependency-audits.sh
|
||||
```
|
||||
|
||||
Status: completed with Python findings.
|
||||
Status: remediated.
|
||||
|
||||
Result:
|
||||
Initial result:
|
||||
|
||||
- Python audit failed: 24 advisories were reported across `cryptography`,
|
||||
`pip`, `python-multipart`, `pyzipper`, and `starlette`.
|
||||
@@ -36,6 +36,40 @@ Python findings:
|
||||
Private GovOPlaN packages were skipped by `pip-audit` because they are not
|
||||
published on PyPI. That is expected for local editable development installs.
|
||||
|
||||
Follow-up: dependency remediation is tracked separately because upgrading
|
||||
`fastapi`/`starlette`, `cryptography`, `python-multipart`, and `pyzipper`
|
||||
needs compatibility verification across core and campaign.
|
||||
The remediation below upgrades those dependencies and records the compatibility
|
||||
checks run against core, files, and campaign behavior.
|
||||
|
||||
## Remediation
|
||||
|
||||
Remediation applied on 2026-07-09:
|
||||
|
||||
- upgraded core's FastAPI floor to `fastapi>=0.139,<1`, resolving Starlette to
|
||||
`starlette==1.3.1`
|
||||
- upgraded core's cryptography floor to `cryptography>=48.0.1,<50`, resolving
|
||||
to `cryptography==49.0.0`
|
||||
- declared the files module upload parser dependency as
|
||||
`python-multipart>=0.0.31,<1`, resolving to `python-multipart==0.0.32`
|
||||
- upgraded the campaign ZIP dependency to `pyzipper>=0.4,<1`, resolving to
|
||||
`pyzipper==0.4.0`
|
||||
- upgraded the local audit environment to `pip==26.1.2`
|
||||
- removed the obsolete local `govoplan-module-multimailer` editable install
|
||||
from the audit environment so the audit reflects the split module product
|
||||
|
||||
Post-remediation result:
|
||||
|
||||
- `bash scripts/check-dependency-audits.sh`: passed, no known Python
|
||||
vulnerabilities found and npm production audit reported 0 vulnerabilities.
|
||||
- `python -m pip check`: passed.
|
||||
- `bash scripts/check-module-matrix.sh`: passed.
|
||||
- `python -m unittest tests.test_api_smoke`: passed.
|
||||
- campaign encrypted/plain ZIP smoke with `pyzipper==0.4.0`: passed.
|
||||
|
||||
Notes:
|
||||
|
||||
- `pip-audit` still reports private GovOPlaN packages as skipped because they
|
||||
are not published on PyPI. That is expected for editable local development
|
||||
installs.
|
||||
- FastAPI 0.139 emits deprecation warnings for `fastapi.testclient` importing
|
||||
Starlette's `TestClient` with `httpx`; this is not a vulnerability and does
|
||||
not fail current tests. Track separately if the test client should move to
|
||||
`httpx2`.
|
||||
|
||||
Reference in New Issue
Block a user