
Fix Dependabot security alerts (12 vulnerabilities)#264

Merged
mishushakov merged 6 commits into main from mishushakov/dependabot-fixes
Apr 30, 2026

Conversation

@mishushakov
Member

Summary

Resolves all 12 open Dependabot alerts by bumping vulnerable dev/transitive dependencies across the npm and Python projects.

  • npm (pnpm-lock.yaml): postcss → 8.5.12, vite → 7.3.2, brace-expansion → 5.0.5, smol-toml → 1.6.1
  • python/: pytest ^9.0.3, pytest-asyncio ^1.3.0 (required for pytest 9), pillow → 12.2.0, pygments → 2.20.0, python-dotenv → 1.2.2
  • chart_data_extractor/: pytest ^9.0.3, pillow → 12.2.0, pygments → 2.20.0
  • template/requirements.txt: pytest 9.0.3

All updates affect dev or transitive-dev dependencies of the published packages, so no changeset is needed (matching prior security-bump precedent).

Test plan

  • pnpm build in js/ (verified locally)
  • CI green on python and chart_data_extractor test suites with pytest 9 / pytest-asyncio 1.x

🤖 Generated with Claude Code

Bump vulnerable npm and Python dev/transitive dependencies:
- npm: postcss, vite, brace-expansion, smol-toml
- python/: pytest (^9.0.3), pytest-asyncio (^1.3.0), pillow, pygments,
  python-dotenv
- chart_data_extractor/: pytest (^9.0.3), pillow, pygments
- template/requirements.txt: pytest 9.0.3

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@cursor

cursor Bot commented Apr 30, 2026

PR Summary

Medium Risk
Primarily lockfile dependency upgrades, but includes major-version bumps (e.g., pytest 9 and vite 7) that can break CI/tests and tighten runtime/tooling requirements (Python/Node). The updated pytest-asyncio integration changes event-loop/fixture lifecycle and could expose latent async test flakiness or cleanup regressions.

Overview
Resolves Dependabot security alerts by upgrading Python and JS dev/transitive dependencies across the repo (notably pillow 12.2.0, pygments 2.20.0, pytest 9.0.3, pytest-asyncio 1.3.0, and JS toolchain updates like vite 7.3.2, postcss 8.5.12, rollup 4.60.2, esbuild 0.27.7).

Adjusts Python test configuration for the pytest-asyncio 1.x upgrade: updates pytest.ini asyncio settings and refactors async_sandbox_factory teardown to be fully async and manage sandbox cleanup via asyncio.gather instead of a custom session event_loop fixture. Also bumps pytest in template/requirements.txt and refreshes Poetry lockfiles/content hashes.

Reviewed by Cursor Bugbot for commit 9cefae1. Bugbot is set up for automated code reviews on this repo.

@mishushakov mishushakov enabled auto-merge (squash) April 30, 2026 18:35
@mishushakov mishushakov disabled auto-merge April 30, 2026 18:41
The session-scoped event_loop fixture override is no longer honored
in pytest-asyncio 1.x. Replace it with `asyncio_default_fixture_loop_scope`
and `asyncio_default_test_loop_scope` set to session in pytest.ini, and
convert async_sandbox_factory to an async fixture that yields and awaits
sandbox cleanup directly instead of calling run_until_complete from a
sync finalizer.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
mishushakov and others added 2 commits April 30, 2026 20:51
CI installs Poetry from .tool-versions (currently 1.8.5). Regenerating
the locks under Poetry 2.1.1 produced lock-version 2.1 with Poetry-2.x-
only metadata, which makes Poetry 1.8.5 fall back to a re-resolve and
defeats the deterministic install this PR depends on.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Use asyncio.gather(..., return_exceptions=True) so a failure killing
one sandbox doesn't skip cleanup of the others, matching the
independence the previous per-finalizer approach provided.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
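The teardown change described in the two commit messages above (dropping the session-scoped event_loop override for pytest-asyncio 1.x, and cleaning up with asyncio.gather(..., return_exceptions=True) so one failed kill does not skip the others), as an added example that is neither the project's conftest.py nor code from this PR. The Sandbox class, the sandbox IDs and the failure injected into one kill() are constructed for the demo; the pytest.ini keys in the comment are the ones the commit names; kill_all, kill_sequentially and demo are hypothetical helper names.

```python
"""Added example (not the project's conftest.py): session-scoped async fixture for
pytest-asyncio 1.x whose teardown awaits sandbox cleanup directly and uses
asyncio.gather(..., return_exceptions=True) so one failed kill() does not skip
the others. Sandbox and its failure mode are constructed for this demo."""
import asyncio

# Assumed pytest.ini for pytest-asyncio 1.x, where overriding the event_loop
# fixture is no longer honoured; both loop scopes pinned to the session:
#   [pytest]
#   asyncio_default_fixture_loop_scope = session
#   asyncio_default_test_loop_scope = session


class Sandbox:
    """Stand-in for a remote sandbox handle (constructed, not the real SDK type)."""

    def __init__(self, sandbox_id, fail_on_kill=False):
        self.sandbox_id = sandbox_id
        self.fail_on_kill = fail_on_kill
        self.killed = False

    async def kill(self):
        await asyncio.sleep(0)  # yield to the loop, as a real network call would
        if self.fail_on_kill:
            raise RuntimeError(f"kill failed for {self.sandbox_id}")
        self.killed = True
        return self.sandbox_id


async def kill_all(sandboxes):
    """Kill every sandbox concurrently and return the exceptions raised.

    With return_exceptions=True, gather waits for all coroutines and hands the
    failures back as values instead of propagating the first one, which keeps
    the per-sandbox independence the old sync finalizers had.
    """
    results = await asyncio.gather(
        *(sb.kill() for sb in sandboxes), return_exceptions=True
    )
    return [r for r in results if isinstance(r, BaseException)]


async def kill_sequentially(sandboxes):
    """Naive teardown for contrast: the first exception aborts the loop and
    leaks every sandbox after it."""
    for sb in sandboxes:
        await sb.kill()


def demo():
    """Run both strategies over three sandboxes where the middle kill() fails."""

    def fresh():
        return [Sandbox("sb-1"), Sandbox("sb-2", fail_on_kill=True), Sandbox("sb-3")]

    sequential = fresh()
    try:
        asyncio.run(kill_sequentially(sequential))
    except RuntimeError:
        pass  # sb-3 was never reached
    gathered = fresh()
    errors = asyncio.run(kill_all(gathered))
    return {
        "sequential_killed": [sb.sandbox_id for sb in sequential if sb.killed],
        "gather_killed": [sb.sandbox_id for sb in gathered if sb.killed],
        "gather_errors": [str(e) for e in errors],
    }


try:
    import pytest_asyncio  # only needed when this module serves as conftest.py
except ImportError:  # stand-alone run without pytest-asyncio installed
    pytest_asyncio = None

if pytest_asyncio is not None:

    @pytest_asyncio.fixture(scope="session")
    async def async_sandbox_factory():
        """Tests call the factory; teardown awaits cleanup on the session loop
        instead of calling run_until_complete() from a sync finalizer."""
        created = []

        async def factory(sandbox_id):
            sb = Sandbox(sandbox_id)
            created.append(sb)
            return sb

        yield factory
        errors = await kill_all(created)
        if errors:
            raise errors[0]  # surface the first failure only after all were tried


if __name__ == "__main__":
    print(demo())
```

Running the module directly shows the difference: the sequential teardown kills only sb-1 before the sb-2 failure aborts it, while the gather-based teardown kills sb-1 and sb-3 and reports the sb-2 error afterwards. The fixture re-raises the first collected error so a cleanup failure still fails the session rather than being swallowed.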

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 2 potential issues.


Reviewed by Cursor Bugbot for commit b529018.

Restore chart_data_extractor/poetry.lock to its Poetry 2.1.1 form
(matches main; pydantic stays at 2.9.2). Rebuild python/poetry.lock
from main with poetry lock --no-update + targeted poetry update for
the vulnerable packages, so runtime deps (attrs, e2b, httpx) stay on
their existing pins instead of pulling latest.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
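The two Poetry commit messages above (a lock regenerated under Poetry 2.1.1 that Poetry 1.8.5 in CI can only consume via a re-resolve, and the later rebuild with poetry lock --no-update plus a targeted poetry update so runtime pins stay put) describe two conditions worth checking mechanically before merging a lockfile bump. The following is an added example, not the repo's tooling: the sample lock texts are constructed, the NATIVE_LOCK_VERSION mapping is an assumption drawn from the commit message (Poetry 2.x writing lock-version 2.1, Poetry 1.x writing 2.0), and the function names are hypothetical.

```python
"""Added example, not the project's tooling: two checks on a poetry.lock before
trusting it for a deterministic CI install. Lock texts are constructed samples;
the Poetry version mapping is an assumption documented at NATIVE_LOCK_VERSION."""
import re

# One [[package]] stanza: Poetry writes name, then version, as the first keys.
PACKAGE_RE = re.compile(
    r'\[\[package\]\]\s+name\s*=\s*"([^"]+)"\s+version\s*=\s*"([^"]+)"'
)
LOCK_VERSION_RE = re.compile(r'^lock-version\s*=\s*"([^"]+)"', re.M)

# Lock-file format each Poetry major writes. Assumption taken from the commit
# message above (Poetry 2.1.1 emitted lock-version 2.1, which Poetry 1.8.5 only
# consumes via a fallback re-resolve) plus Poetry 1.x emitting 2.0.
NATIVE_LOCK_VERSION = {1: "2.0", 2: "2.1"}


def lock_version(lock_text):
    """Return the lock-version declared in [metadata], or None if absent."""
    m = LOCK_VERSION_RE.search(lock_text)
    return m.group(1) if m else None


def lock_is_native(lock_text, poetry_version):
    """True when the lock was written by the same Poetry major that CI installs,
    so `poetry install` honours the pins instead of re-resolving."""
    major = int(poetry_version.split(".")[0])
    return lock_version(lock_text) == NATIVE_LOCK_VERSION.get(major)


def package_versions(lock_text):
    """Map package name -> pinned version for every [[package]] stanza."""
    return dict(PACKAGE_RE.findall(lock_text))


def changed_packages(old_lock, new_lock):
    """Packages whose pin differs between two locks: name -> (old, new)."""
    old, new = package_versions(old_lock), package_versions(new_lock)
    return {
        name: (old.get(name), new.get(name))
        for name in sorted(old.keys() | new.keys())
        if old.get(name) != new.get(name)
    }


def unexpected_changes(old_lock, new_lock, allowed):
    """Changed pins outside the set a targeted `poetry update` was meant to
    touch; a non-empty result means the lock pulled latest for something else."""
    return {
        name: delta
        for name, delta in changed_packages(old_lock, new_lock).items()
        if name not in allowed
    }


def _sample_lock(fmt, **versions):
    """Build a minimal poetry.lock-shaped text (constructed sample data)."""
    stanzas = "".join(
        f'[[package]]\nname = "{name}"\nversion = "{ver}"\noptional = false\n\n'
        for name, ver in versions.items()
    )
    return stanzas + f'[metadata]\nlock-version = "{fmt}"\npython-versions = "^3.9"\n'


# Constructed sample locks; version numbers are illustrative, not the repo's pins.
OLD_LOCK = _sample_lock("2.0", attrs="23.2.0", httpx="0.27.0", pillow="10.4.0")
# Targeted update: only the vulnerable package moved, same lock format as CI's Poetry.
NEW_LOCK_GOOD = _sample_lock("2.0", attrs="23.2.0", httpx="0.27.0", pillow="12.2.0")
# Full regenerate under a newer Poetry: format bumped and runtime pins drifted.
NEW_LOCK_BAD = _sample_lock("2.1", attrs="25.1.0", httpx="0.28.1", pillow="12.2.0")


if __name__ == "__main__":
    ci_poetry = "1.8.5"  # what .tool-versions pins in the commit message above
    for label, lock in (("good", NEW_LOCK_GOOD), ("bad", NEW_LOCK_BAD)):
        print(
            label,
            "native for CI Poetry:", lock_is_native(lock, ci_poetry),
            "unexpected pin changes:", unexpected_changes(OLD_LOCK, lock, {"pillow"}),
        )
```

Wired into CI against the real old and new lockfiles, the first check catches a lock whose format the pinned Poetry will silently re-resolve, and the second catches a bump PR that moved runtime dependencies it never claimed to touch; both are cheap text checks that need no network access.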
@mishushakov mishushakov enabled auto-merge (squash) April 30, 2026 19:01
@mishushakov mishushakov merged commit 4b5da3b into main Apr 30, 2026
14 checks passed
@mishushakov mishushakov deleted the mishushakov/dependabot-fixes branch April 30, 2026 19:10
2 participants