
fix: resolve open security alerts (pygments, pip, base image CVEs) #174

Merged
BKDDFS merged 2 commits into main from claude/modest-poitras-5d1517 on Jun 6, 2026

Conversation

@BKDDFS (Owner) commented Jun 6, 2026

Summary

Resolves the 4 open security alerts in the repo. No secrets leaked; most prior alerts already fixed via dependabot history.

| Alert | Issue | Fix | Status |
|---|---|---|---|
| Dependabot #56 | Pygments ReDoS (GUID regex) | override `pygments>=2.20.0` | fully fixed |
| Code scan #1869 | pip 25.3 path traversal (CVE-2026-1703) | uninstall unused base-image pip | fully fixed |
| Code scan #1958 | gnutls DoS (CVE-2025-14831) | `apt-get upgrade` | best-effort* |
| Code scan #1868 | libxml2 leak (CVE-2026-1757) | `apt-get upgrade` | best-effort* |

\* No upstream Debian fix yet (Fixed Version: empty). `apt-get upgrade` clears these once Debian ships patched packages.

Changes

  • `pyproject.toml` / `uv.lock`: `[tool.uv] override-dependencies` forcing `pygments>=2.20.0`. Kept out of prod deps (transitive via pytest, test-only). Re-locked: 2.19.2 → 2.20.0.
  • `Dockerfile`: `apt-get upgrade -y` for latest Debian security patches; `pip uninstall -y pip` to remove the base image's unused pip 25.3 (uv manages the venv, runtime never invokes pip).

Verification

  • `uv lock --locked` consistent.
  • Docker build succeeds; confirmed in image: pip absent from site-packages, `import perfectframe.app` OK.

🤖 Generated with Claude Code

- pyproject/uv.lock: override pygments>=2.20.0 (ReDoS CVE in GUID regex,
  Dependabot #56; transitive via pytest)
- Dockerfile: apt-get upgrade for latest Debian security patches
  (mitigates gnutls #1958, libxml2 #1868; best-effort, no upstream fix yet)
- Dockerfile: uninstall unused base-image pip (CVE-2026-1703, #1869);
  uv manages the venv so pip is not needed at runtime
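The verification steps listed above (pip gone from the image, the uv override actually in effect, the app still importing) can be scripted so the same checks run on every build. The script below is an added example, not part of this PR or the repository; it assumes the project imports as `perfectframe.app` and reads the `[tool.uv] override-dependencies` entries with a narrow regex rather than a TOML parser, with a constructed `pyproject.toml` fragment inlined for offline use.

```python
"""Post-build image checks for this PR (added example, not the project's own
script): base-image pip gone, [tool.uv] overrides honoured, app importable.
Overrides are read with a narrow regex rather than a full TOML parser."""
import importlib
import importlib.metadata
import re

# Constructed stand-in for the repo's pyproject.toml (project name assumed).
SAMPLE_PYPROJECT = """
[tool.uv]
override-dependencies = ["pygments>=2.20.0"]
"""

def parse_version(v):
    """'2.20.0' -> [2, 20, 0]; non-numeric parts such as 'post1' are ignored."""
    return [int(m.group()) for m in (re.match(r"\d+", p) for p in v.split(".")) if m]

def version_satisfies(installed, minimum):
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))  # zero-pad so '2.20' and '2.20.0' compare equal
    return a + [0] * (n - len(a)) >= b + [0] * (n - len(b))

def parse_overrides(text):
    """{dist: minimum} for every 'dist>=ver' entry in override-dependencies."""
    block = re.search(r"override-dependencies\s*=\s*\[(.*?)\]", text, re.S)
    specs = re.findall(r'"([^"]+)"', block.group(1)) if block else []
    pairs = (re.match(r"\s*([A-Za-z0-9_.-]+)\s*>=\s*([0-9.]+)", s) for s in specs)
    return {m.group(1).lower(): m.group(2) for m in pairs if m}

def importable(name):
    try:  # pip must NOT import after the uninstall; the app must
        importlib.import_module(name)
        return True
    except ImportError:
        return False

def run_checks(pyproject_text=SAMPLE_PYPROJECT, app_module="perfectframe.app"):
    """Return failure messages; an empty list means the image passes."""
    failures = []
    if importable("pip"):
        failures.append("pip still importable: base-image pip was not removed")
    for dist, minimum in parse_overrides(pyproject_text).items():
        try:
            have = importlib.metadata.version(dist)
        except importlib.metadata.PackageNotFoundError:
            have = None
        if have is None or not version_satisfies(have, minimum):
            failures.append(f"{dist}: have {have}, override needs >={minimum}")
    if not importable(app_module):
        failures.append(f"{app_module} does not import")
    return failures
```

Run it inside the built image (for example via `docker run --rm <image> python -c "import verify_image; print(verify_image.run_checks())"`) and fail the build on a non-empty list; outside the image the pip and app checks will report failures, which is the expected result.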
@codecov codecov Bot commented Jun 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@BKDDFS BKDDFS merged commit 643a3eb into main Jun 6, 2026
9 checks passed
@BKDDFS BKDDFS deleted the claude/modest-poitras-5d1517 branch June 6, 2026 12:03