Sync Repo-docs-audits-2026-07-09-dependency-audit from project files
@@ -1,4 +1,4 @@
|
|||||||
<!-- codex-wiki-sync:f1fafc5723ae15be648cb0f4 -->
|
<!-- codex-wiki-sync:e4c82de96ff1812cee740957 -->
|
||||||
|
|
||||||
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md`.
|
> Mirrored from `/mnt/DATA/git/govoplan-core/docs/audits/2026-07-09-dependency-audit.md`.
|
||||||
> Origin: `repository`.
|
> Origin: `repository`.
|
||||||
@@ -14,9 +14,9 @@ cd /mnt/DATA/git/govoplan-core
|
|||||||
bash scripts/check-dependency-audits.sh
|
bash scripts/check-dependency-audits.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
Status: completed with Python findings.
|
Status: remediated.
|
||||||
|
|
||||||
Result:
|
Initial result:
|
||||||
|
|
||||||
- Python audit failed: 24 advisories were reported across `cryptography`,
|
- Python audit failed: 24 advisories were reported across `cryptography`,
|
||||||
`pip`, `python-multipart`, `pyzipper`, and `starlette`.
|
`pip`, `python-multipart`, `pyzipper`, and `starlette`.
|
||||||
@@ -36,6 +36,40 @@ Python findings:
|
|||||||
Private GovOPlaN packages were skipped by `pip-audit` because they are not
|
Private GovOPlaN packages were skipped by `pip-audit` because they are not
|
||||||
published on PyPI. That is expected for local editable development installs.
|
published on PyPI. That is expected for local editable development installs.
|
||||||
|
|
||||||
Follow-up: dependency remediation is tracked separately because upgrading
|
The remediation below upgrades those dependencies and records the compatibility
|
||||||
`fastapi`/`starlette`, `cryptography`, `python-multipart`, and `pyzipper`
|
checks run against core, files, and campaign behavior.
|
||||||
needs compatibility verification across core and campaign.
|
|
||||||
|
## Remediation
|
||||||
|
|
||||||
|
Remediation applied on 2026-07-09:
|
||||||
|
|
||||||
|
- upgraded core's FastAPI floor to `fastapi>=0.139,<1`, resolving Starlette to
|
||||||
|
`starlette==1.3.1`
|
||||||
|
- upgraded core's cryptography floor to `cryptography>=48.0.1,<50`, resolving
|
||||||
|
to `cryptography==49.0.0`
|
||||||
|
- declared the files module upload parser dependency as
|
||||||
|
`python-multipart>=0.0.31,<1`, resolving to `python-multipart==0.0.32`
|
||||||
|
- upgraded the campaign ZIP dependency to `pyzipper>=0.4,<1`, resolving to
|
||||||
|
`pyzipper==0.4.0`
|
||||||
|
- upgraded the local audit environment to `pip==26.1.2`
|
||||||
|
- removed the obsolete local `govoplan-module-multimailer` editable install
|
||||||
|
from the audit environment so the audit reflects the split module product
|
||||||
|
|
||||||
|
Post-remediation result:
|
||||||
|
|
||||||
|
- `bash scripts/check-dependency-audits.sh`: passed, no known Python
|
||||||
|
vulnerabilities found and npm production audit reported 0 vulnerabilities.
|
||||||
|
- `python -m pip check`: passed.
|
||||||
|
- `bash scripts/check-module-matrix.sh`: passed.
|
||||||
|
- `python -m unittest tests.test_api_smoke`: passed.
|
||||||
|
- campaign encrypted/plain ZIP smoke with `pyzipper==0.4.0`: passed.
|
||||||
|
|
||||||
|
Notes:
|
||||||
|
|
||||||
|
- `pip-audit` still reports private GovOPlaN packages as skipped because they
|
||||||
|
are not published on PyPI. That is expected for editable local development
|
||||||
|
installs.
|
||||||
|
- FastAPI 0.139 emits deprecation warnings for `fastapi.testclient` importing
|
||||||
|
Starlette's `TestClient` with `httpx`; this is not a vulnerability and does
|
||||||
|
not fail current tests. Track separately if the test client should move to
|
||||||
|
`httpx2`.
|
||||||
|
|||||||
Reference in New Issue
Block a user