
security: Bump authlib and python-multipart for Dependabot alerts#220

Merged: williajm merged 3 commits into main from security/bump-authlib-python-multipart on Apr 22, 2026

Conversation

williajm (Owner) commented Apr 22, 2026

Summary

Resolves all 5 open Dependabot alerts on mcp_docker:

| # | Package | Manifest | Change |
|---|---|---|---|
| 25 | python-multipart | uv.lock | 0.0.22 → 0.0.26 (CVE-2026-40347) |
| 27 | authlib | uv.lock | 1.6.9 → 1.7.0 (GHSA-jj8c-mmj3-mmgv) |
| 23 | cryptography | .clusterfuzzlite/requirements.txt | 46.0.6 → 46.0.7 (CVE-2026-39892) |
| 26 | authlib | .clusterfuzzlite/requirements.txt | 1.6.9 → 1.6.11 (GHSA-jj8c-mmj3-mmgv) |
| 28 | python-dotenv | .clusterfuzzlite/requirements.txt | 1.2.1 → 1.2.2 (CVE-2026-28684) |

Notes

  • authlib version divergence: uv.lock resolves to 1.7.0 (latest stable) while .clusterfuzzlite/requirements.txt is pinned at 1.6.11. Both include the same security fix. The fuzzer stays on 1.6.11 to avoid adding joserfc 1.6.4 as a new hash-pinned transitive dep — the fuzzer doesn't exercise code paths that require joserfc.
  • uv.lock regenerated without --exclude-newer (an earlier iteration of this PR embedded an [options] exclude-newer block that tripped CI's --locked sync — fixed in commit a7a2ae6).
  • Fuzzer hashes pulled from PyPI JSON API, matching the existing wheel variants (cp311 abi3 manylinux2014_x86_64 for cryptography; pure-python wheels for authlib and python-dotenv).

Test plan

  • CI green across Python 3.11/3.12/3.13/3.14
  • Integration Tests / E2E Tests pass (auth middleware under authlib 1.7.0)
  • PR Fuzzing (address) completes successfully (fuzz harness builds with new hash-pinned deps)
  • Batch Fuzzing + Dependency Review pass

🤖 Generated with Claude Code

williajm and others added 2 commits April 22, 2026 10:41
Resolves Dependabot alerts:
- GHSA-jj8c-mmj3-mmgv (authlib, Moderate)
- CVE-2026-40347 (python-multipart, Moderate)

authlib resolved to 1.7.0 (latest stable) rather than the 1.6.11 minimum
suggested by Dependabot; satisfies the same security fix. Pulls in
joserfc 1.6.4 as a new transitive dep.

Lock regenerated with --exclude-newer (3-day buffer) per supply chain
policy in CLAUDE.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Previous commit regenerated the lock with --exclude-newer, which
embedded [options] exclude-newer in the lockfile. CI runs
uv sync --all-extras --locked without that flag, and uv rejected the
lock as modified.

Regenerated with UV_EXCLUDE_NEWER unset to match main's lock shape.
Package versions unchanged (authlib 1.7.0, python-multipart 0.0.26).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
codecov Bot commented Apr 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


github-actions Bot commented Apr 22, 2026

🧪 Test Results for d602397

Summary

All tests passed!

| Test Suite | Status | Passed | Failed | Skipped | Duration |
|---|---|---|---|---|---|
| Unit Tests - Python 3.13 | | 966 | 0 | 0 | 15s |
| Unit Tests - Python 3.12 | | 966 | 0 | 0 | 15s |
| Unit Tests - Python 3.11 | | 966 | 0 | 0 | 13s |
| Unit Tests - Python 3.14 | | 966 | 0 | 0 | 14s |
| E2E | | 29 | 0 | 0 | 38s |
| Integration | | 5 | 0 | 0 | 1s |
| Total | ✅ | 3898 | 0 | 0 | - |

📊 Coverage

Coverage reports are available in the workflow artifacts.


- cryptography 46.0.6 → 46.0.7 (CVE-2026-39892, Moderate)
- authlib 1.6.9 → 1.6.11 (GHSA-jj8c-mmj3-mmgv, Moderate)
- python-dotenv 1.2.1 → 1.2.2 (CVE-2026-28684, Moderate)

SHA256 hashes pulled from PyPI JSON API, matching the same wheel
variants already pinned (cp311 abi3 manylinux2014_x86_64 for
cryptography; pure-python wheels for authlib and python-dotenv).

Using authlib 1.6.11 here rather than 1.7.0 (which is what uv.lock
resolves to) to avoid adding joserfc as a new hash-pinned transitive
in the fuzz harness. Both versions include the GHSA-jj8c-mmj3-mmgv
fix; the fuzzer doesn't exercise the joserfc-dependent code paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
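The Notes bullet in the PR description and the commit message above both describe the same step: pulling SHA-256 digests from the PyPI JSON API for the exact wheel variants already pinned in `.clusterfuzzlite/requirements.txt` (cp311/abi3/manylinux2014_x86_64 for cryptography, pure-python wheels for authlib and python-dotenv). The script below is an added example of that step and is not code from the mcp_docker project. It assumes only the public shape of the PyPI JSON API (`https://pypi.org/pypi/<package>/<version>/json`, whose `urls` list carries one entry per release file with `filename`, `packagetype` and `digests.sha256`); the embedded `SAMPLE_RELEASE` is a constructed response with made-up digests so it runs offline, and `fetch_release` is the only function that touches the network.

```python
"""Build and verify hash-pinned requirement lines from PyPI release metadata.

Added example; not code from the mcp_docker project. SAMPLE_RELEASE is a
constructed response with fake digests so the script runs offline.
"""
import hashlib
import json
import re
from typing import Optional
from urllib.request import urlopen

# Wheel filename layout: {name}-{version}[-{build}]-{python}-{abi}-{platform}.whl
WHEEL_RE = re.compile(
    r"^(?P<name>.+?)-(?P<version>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<python>[^-]+)-(?P<abi>[^-]+)-(?P<platform>[^-]+)\.whl$"
)

# Constructed sample shaped like a PyPI JSON API response. A real package would
# rarely ship both a compiled abi3 wheel and a pure-python wheel; both appear
# here so each selection path can be exercised. All digests are fake.
SAMPLE_RELEASE = {
    "info": {"name": "examplepkg", "version": "1.2.3"},
    "urls": [
        {"filename": "examplepkg-1.2.3.tar.gz", "packagetype": "sdist",
         "digests": {"sha256": "aa" * 32}},
        {"filename": "examplepkg-1.2.3-cp311-abi3-manylinux2014_x86_64.whl",
         "packagetype": "bdist_wheel", "digests": {"sha256": "bb" * 32}},
        {"filename": "examplepkg-1.2.3-cp311-abi3-win_amd64.whl",
         "packagetype": "bdist_wheel", "digests": {"sha256": "cc" * 32}},
        {"filename": "examplepkg-1.2.3-py3-none-any.whl",
         "packagetype": "bdist_wheel", "digests": {"sha256": "dd" * 32}},
    ],
}


def fetch_release(package: str, version: str) -> dict:
    """Fetch live release metadata from PyPI (network; not used by the tests)."""
    with urlopen(f"https://pypi.org/pypi/{package}/{version}/json") as resp:
        return json.load(resp)


def select_wheel(release: dict, python: str, abi: str, platform: str) -> Optional[dict]:
    """Return the wheel whose (python, abi, platform) tags match exactly, else None.

    Matching the full tag triple rather than a substring keeps a lookup for
    manylinux2014_x86_64 from silently accepting win_amd64 or another ABI,
    which would change which artifact ends up pinned.
    """
    for entry in release["urls"]:
        if entry.get("packagetype") != "bdist_wheel":
            continue
        m = WHEEL_RE.match(entry["filename"])
        if m and (m["python"], m["abi"], m["platform"]) == (python, abi, platform):
            return entry
    return None


def pinned_line(release: dict, python: str, abi: str, platform: str) -> str:
    """Emit a pip/uv requirements line pinned to one wheel's SHA-256 digest."""
    entry = select_wheel(release, python, abi, platform)
    if entry is None:
        raise LookupError(f"no wheel tagged {python}-{abi}-{platform} in release")
    info = release["info"]
    return f"{info['name']}=={info['version']} --hash=sha256:{entry['digests']['sha256']}"


def pin_for_bytes(name: str, version: str, data: bytes) -> str:
    """Pin a locally held artifact (e.g. an already downloaded wheel) by hashing it."""
    return f"{name}=={version} --hash=sha256:{hashlib.sha256(data).hexdigest()}"


def verify_artifact(data: bytes, pinned: str) -> bool:
    """Check a downloaded file against the digest carried by a pinned line.

    This is the check pip and uv perform at install time when --hash is present;
    a tampered or substituted file fails here instead of being installed.
    """
    _, _, expected = pinned.partition("--hash=sha256:")
    return bool(expected) and hashlib.sha256(data).hexdigest() == expected.strip()


if __name__ == "__main__":
    print(pinned_line(SAMPLE_RELEASE, "cp311", "abi3", "manylinux2014_x86_64"))
    print(pinned_line(SAMPLE_RELEASE, "py3", "none", "any"))
```

To regenerate a real entry, replace `SAMPLE_RELEASE` with `fetch_release("cryptography", "46.0.7")` and keep the tag triple identical to the one already in the requirements file; a wheel for a different ABI or platform is a different artifact, so a near-match must be rejected rather than accepted.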
@williajm williajm merged commit b630576 into main Apr 22, 2026
28 checks passed
@williajm williajm deleted the security/bump-authlib-python-multipart branch April 22, 2026 10:16