Skip to content

Fix dependency vulnerabilities#220

Open
vavo wants to merge 1 commit into
runpod-workers:mainfrom
vavo:codex/fix-dependency-vulnerabilities
Open

Fix dependency vulnerabilities#220
vavo wants to merge 1 commit into
runpod-workers:mainfrom
vavo:codex/fix-dependency-vulnerabilities

Conversation

@vavo
Copy link
Copy Markdown

@vavo vavo commented Apr 9, 2026

Summary

Fixes currently reproducible dependency vulnerabilities in the worker dependency manifests:

  • updates the RunPod SDK requirement to the 1.9 line
  • pins cryptography==46.0.7, which contains fixes for the currently reported cryptography CVEs
  • makes the Docker image install runtime Python dependencies from requirements.txt, so the manifest fix is actually used by the image build
  • updates @changesets/cli and the lockfile so picomatch resolves to patched 2.3.2

Validation

  • pnpm audit --json
  • pip-audit -r requirements.txt
  • pnpm install --frozen-lockfile
  • bash -n src/*.sh scripts/*.sh
  • python3 -m json.tool package.json
  • python3 -m json.tool test_input.json
  • python3 -m compileall handler.py src
  • docker buildx bake --print base

TimPietruskyRunPod
TimPietruskyRunPod reviewed Jun 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@TimPietruskyRunPod TimPietruskyRunPod left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed as part of today's triage. Direction is good — security fix + the requirements.txt introduction is a nice cleanup. Two questions before I can approve:

1. Bumping runpod to the 1.9 line

This isn't motivated in the PR description. The previous install line was just runpod (unpinned, latest). What specifically prompted the floor? If it's just for the cryptography resolution, that should come through transitively without us pinning runpod directly. If there's a known incompatibility with older runpod we should call it out so we don't accidentally regress.

Concern: there may be a boto3 1.40 regression breaking S3 uploads to non-AWS providers like Cloudflare R2 and GCS. We're pinning boto3<1.40 in #224 — please check whether runpod>=1.9 drags in a newer botocore/boto3 that would override that pin. If so we'll need a compatible constraint.

2. Changeset

This repo uses Changesets. Could you add a .changeset/fix-dependency-vulnerabilities.md so the security fix gets called out in the release notes? Something like:

---
"worker-comfyui": patch
---

fix: address dependency vulnerabilities — pin `cryptography==46.0.7` (CVE remediation), bump `runpod` floor to 1.9.x, switch handler dependency install to `requirements.txt`, bump `@changesets/cli` to 2.30 (transitive picomatch patch).

Once those are addressed I'll happily approve.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TimPietruskyRunPod TimPietruskyRunPod TimPietruskyRunPod left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vavo @TimPietruskyRunPod