From 8c7ffa0773c3060a9657be9570143b7d7b481b4d Mon Sep 17 00:00:00 2001 From: zemion Date: Thu, 9 Jul 2026 13:36:29 +0200 Subject: [PATCH] Sync Repo-docs-audits-2026-07-09-dependency-audit from project files --- ...cs-audits-2026-07-09-dependency-audit.-.md | 46 ++++++++++++++++--- 1 file changed, 40 insertions(+), 6 deletions(-) diff --git a/Repo-docs-audits-2026-07-09-dependency-audit.-.md b/Repo-docs-audits-2026-07-09-dependency-audit.-.md index c289641..ff69079 100644 --- a/Repo-docs-audits-2026-07-09-dependency-audit.-.md +++ b/Repo-docs-audits-2026-07-09-dependency-audit.-.md @@ -1,4 +1,4 @@ - + > Mirrored from `/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md`. > Origin: `repository`. @@ -14,9 +14,9 @@ cd /mnt/DATA/git/govoplan-core bash scripts/check-dependency-audits.sh ``` -Status: completed with Python findings. +Status: remediated. -Result: +Initial result: - Python audit failed: 24 advisories were reported across `cryptography`, `pip`, `python-multipart`, `pyzipper`, and `starlette`. @@ -36,6 +36,40 @@ Python findings: Private GovOPlaN packages were skipped by `pip-audit` because they are not published on PyPI. That is expected for local editable development installs. -Follow-up: dependency remediation is tracked separately because upgrading -`fastapi`/`starlette`, `cryptography`, `python-multipart`, and `pyzipper` -needs compatibility verification across core and campaign. +The remediation below upgrades those dependencies and records the compatibility +checks run against core, files, and campaign behavior. + +## Remediation + +Remediation applied on 2026-07-09: + +- upgraded core's FastAPI floor to `fastapi>=0.139,<1`, resolving Starlette to + `starlette==1.3.1` +- upgraded core's cryptography floor to `cryptography>=48.0.1,<50`, resolving + to `cryptography==49.0.0` +- declared the files module upload parser dependency as + `python-multipart>=0.0.31,<1`, resolving to `python-multipart==0.0.32` +- upgraded the campaign ZIP dependency to `pyzipper>=0.4,<1`, resolving to + `pyzipper==0.4.0` +- upgraded the local audit environment to `pip==26.1.2` +- removed the obsolete local `govoplan-module-multimailer` editable install + from the audit environment so the audit reflects the split module product + +Post-remediation result: + +- `bash scripts/check-dependency-audits.sh`: passed, no known Python + vulnerabilities found and npm production audit reported 0 vulnerabilities. +- `python -m pip check`: passed. +- `bash scripts/check-module-matrix.sh`: passed. +- `python -m unittest tests.test_api_smoke`: passed. +- campaign encrypted/plain ZIP smoke with `pyzipper==0.4.0`: passed. + +Notes: + +- `pip-audit` still reports private GovOPlaN packages as skipped because they + are not published on PyPI. That is expected for editable local development + installs. +- FastAPI 0.139 emits deprecation warnings for `fastapi.testclient` importing + Starlette's `TestClient` with `httpx`; this is not a vulnerability and does + not fail current tests. Track separately if the test client should move to + `httpx2`.