Sync Repo-docs-audits-2026-07-09-dependency-audit from project files

2026-07-09 13:36:29 +02:00
parent de3cb00bd5
commit 8c7ffa0773

@@ -1,4 +1,4 @@
<!-- codex-wiki-sync:f1fafc5723ae15be648cb0f4 -->
<!-- codex-wiki-sync:e4c82de96ff1812cee740957 -->
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md`.
> Origin: `repository`.
@@ -14,9 +14,9 @@ cd /mnt/DATA/git/govoplan-core
bash scripts/check-dependency-audits.sh
```
Status: completed with Python findings.
Status: remediated.
Result:
Initial result:
- Python audit failed: 24 advisories were reported across `cryptography`,
`pip`, `python-multipart`, `pyzipper`, and `starlette`.
@@ -36,6 +36,40 @@ Python findings:
Private GovOPlaN packages were skipped by `pip-audit` because they are not
published on PyPI. That is expected for local editable development installs.
Follow-up: dependency remediation is tracked separately because upgrading
`fastapi`/`starlette`, `cryptography`, `python-multipart`, and `pyzipper`
needs compatibility verification across core and campaign.
The remediation below upgrades those dependencies and records the compatibility
checks run against core, files, and campaign behavior.
## Remediation
Remediation applied on 2026-07-09:
- upgraded core's FastAPI floor to `fastapi>=0.139,<1`, resolving Starlette to
`starlette==1.3.1`
- upgraded core's cryptography floor to `cryptography>=48.0.1,<50`, resolving
to `cryptography==49.0.0`
- declared the files module upload parser dependency as
`python-multipart>=0.0.31,<1`, resolving to `python-multipart==0.0.32`
- upgraded the campaign ZIP dependency to `pyzipper>=0.4,<1`, resolving to
`pyzipper==0.4.0`
- upgraded the local audit environment to `pip==26.1.2`
- removed the obsolete local `govoplan-module-multimailer` editable install
from the audit environment so the audit reflects the split module product
Post-remediation result:
- `bash scripts/check-dependency-audits.sh`: passed, no known Python
vulnerabilities found and npm production audit reported 0 vulnerabilities.
- `python -m pip check`: passed.
- `bash scripts/check-module-matrix.sh`: passed.
- `python -m unittest tests.test_api_smoke`: passed.
- campaign encrypted/plain ZIP smoke with `pyzipper==0.4.0`: passed.
Notes:
- `pip-audit` still reports private GovOPlaN packages as skipped because they
are not published on PyPI. That is expected for editable local development
installs.
- FastAPI 0.139 emits deprecation warnings for `fastapi.testclient` importing
Starlette's `TestClient` with `httpx`; this is not a vulnerability and does
not fail current tests. Track separately if the test client should move to
`httpx2`.