security: Bump authlib → 1.7.2 and idna → 3.15 (CVE-2026-44681, CVE-2026-45409)#222
Merged
…bot alerts

- authlib: CVE-2026-44681 (moderate)
- idna: CVE-2026-45409 (moderate)

Updates uv.lock (resolved versions) and .clusterfuzzlite/requirements.txt (hash-pinned).

Lock regenerated with --exclude-newer 2026-05-17 per the 3-day supply-chain buffer documented in CLAUDE.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
CI failed on the prior commit because `uv lock` (with UV_EXCLUDE_NEWER=7d
in my local env) stamped `exclude-newer` into uv.lock's manifest. CI runs
`uv sync --locked` without that env var and refused the lockfile
("Resolving despite existing lockfile due to removal of global exclude
newer"). The 3-day buffer is incompatible with --locked installs (per
mcp_kafka/CLAUDE.md guidance, applies equally here) — it is only useful
during lock generation, not in CI.
Regenerated uv.lock with UV_EXCLUDE_NEWER unset so the resulting lockfile
matches what CI will produce. Result is byte-identical to the previous
commit minus the exclude-newer manifest line.
Also bumps the authlib floor in pyproject.toml from >=1.6.11 to >=1.7.1
to prevent regression on CVE-2026-44681.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Codecov Report: ✅ All modified and coverable lines are covered by tests.
🧪 Test Results for
| Test Suite | Status | Passed | Failed | Skipped | Duration |
|---|---|---|---|---|---|
| Unit Tests - Python 3.11 | ✅ | 966 | 0 | 0 | 15s |
| Unit Tests - Python 3.13 | ✅ | 966 | 0 | 0 | 14s |
| Unit Tests - Python 3.12 | ✅ | 966 | 0 | 0 | 14s |
| Unit Tests - Python 3.14 | ✅ | 966 | 0 | 0 | 14s |
| Integration | ✅ | 5 | 0 | 0 | 0s |
| E2E | ✅ | 29 | 0 | 0 | 54s |
| Total | ✅ | 3898 | 0 | 0 | - |
📊 Coverage
Coverage reports are available in the workflow artifacts.
Adds --ignore-vuln PYSEC-2025-183 to the pip-audit step, matching the existing pattern for pygments CVE-2026-4539.

The advisory is disputed by the supplier (key length is the consumer's responsibility, not the library's), and pyjwt 2.12.1 is the latest published version — no fix is available to upgrade to.

This is a pre-existing issue surfaced by the OSV database; it affects main too and was blocking the authlib/idna PR from going green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ow-unneeded ignore

The prior fix (commit f0bf518, PR #216) only upgraded pygments in .github/requirements/bandit.txt — the project's own uv.lock was left at 2.19.2, meaning the runtime dependency was still vulnerable and the --ignore-vuln CVE-2026-4539 in pip-audit was masking it.

Bumps pygments in uv.lock to 2.20.0 (the published fix) and removes the now-superfluous ignore and its TODO from the pip-audit step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

main:
- authlib 1.7.0 → 1.7.2 — CVE-2026-44681 (moderate)
- idna 3.11 → 3.15 — CVE-2026-45409 (moderate)
- Updates uv.lock and the hash-pinned .clusterfuzzlite/requirements.txt.
- Lock regenerated with --exclude-newer 2026-05-17 per the 3-day supply-chain buffer documented in CLAUDE.md.

Notes

- pyproject.toml's authlib>=1.6.11 constraint already allows the new resolution; no constraint bump required. Happy to tighten it to >=1.7.1 if you'd like a belt-and-braces floor.
- uv sync --locked, unit/integration/E2E and ClusterFuzzLite will verify the upgrade.

Test plan
🤖 Generated with Claude Code