chore: update vulnerable dependencies #611
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
---
### Issue 1 of 1
examples/example-ai-semantic-kernel/uv.toml:2
**Global prerelease allowance is broader than needed**
`prerelease = "allow"` enables prerelease resolution for _all_ packages in this project, not just `semantic-kernel`. Combined with the `>=`-style lower bounds on `openai`, `opentelemetry-sdk`, etc., this could pull in beta/RC versions of those packages in future lock refreshes, which wasn't the case before. A narrower fix would be to pin the exact prerelease — e.g. `semantic-kernel==1.39.4` — so the global flag is unnecessary, or at minimum document why the global flag is required here.
Reviews (1): Last reviewed commit: "chore: update vulnerable dependencies"
posthog-python Compliance Report
Date: 2026-05-21 15:23:42 UTC
| Test | Status | Duration |
|---|---|---|
| Format Validation.Event Has Required Fields | ✅ | 518ms |
| Format Validation.Event Has Uuid | ✅ | 1507ms |
| Format Validation.Event Has Lib Properties | ✅ | 1507ms |
| Format Validation.Distinct Id Is String | ✅ | 1507ms |
| Format Validation.Token Is Present | ✅ | 1507ms |
| Format Validation.Custom Properties Preserved | ✅ | 1507ms |
| Format Validation.Event Has Timestamp | ✅ | 1507ms |
| Retry Behavior.Retries On 503 | ✅ | 9518ms |
| Retry Behavior.Does Not Retry On 400 | ✅ | 3506ms |
| Retry Behavior.Does Not Retry On 401 | ✅ | 3508ms |
| Retry Behavior.Respects Retry After Header | ✅ | 9514ms |
| Retry Behavior.Implements Backoff | ✅ | 23529ms |
| Retry Behavior.Retries On 500 | ✅ | 7504ms |
| Retry Behavior.Retries On 502 | ✅ | 7508ms |
| Retry Behavior.Retries On 504 | ✅ | 7515ms |
| Retry Behavior.Max Retries Respected | ✅ | 23529ms |
| Deduplication.Generates Unique Uuids | ✅ | 1497ms |
| Deduplication.Preserves Uuid On Retry | ✅ | 7515ms |
| Deduplication.Preserves Uuid And Timestamp On Retry | ✅ | 14513ms |
| Deduplication.Preserves Uuid And Timestamp On Batch Retry | ✅ | 7516ms |
| Deduplication.No Duplicate Events In Batch | ✅ | 1504ms |
| Deduplication.Different Events Have Different Uuids | ✅ | 1506ms |
| Compression.Sends Gzip When Enabled | ✅ | 1507ms |
| Batch Format.Uses Proper Batch Structure | ✅ | 1507ms |
| Batch Format.Flush With No Events Sends Nothing | ✅ | 1005ms |
| Batch Format.Multiple Events Batched Together | ✅ | 1506ms |
| Error Handling.Does Not Retry On 403 | ✅ | 3510ms |
| Error Handling.Does Not Retry On 413 | ✅ | 3506ms |
| Error Handling.Retries On 408 | ✅ | 7513ms |
Feature_Flags Tests
| Test | Status | Duration |
|---|---|---|
| Request Payload.Request With Person Properties Device Id | ❌ | 507ms |
| Request Payload.Flags Request Uses V2 Query Param | ❌ | 300742ms |
| Request Payload.Flags Request Hits Flags Path Not Decide | ❌ | 300988ms |
| Request Payload.Flags Request Omits Authorization Header | ❌ | 300928ms |
| Request Payload.Token In Flags Body Matches Init | ❌ | 301056ms |
| Request Payload.Groups Round Trip | ❌ | 301032ms |
| Request Payload.Groups Default To Empty Object | ❌ | 301002ms |
| Request Payload.Person Properties Distinct Id Auto Populated When Caller Omits It | ❌ | 300989ms |
| Request Payload.Disable Geoip False Propagates As Geoip Disable False | ❌ | 300988ms |
| Request Payload.Disable Geoip Omitted Defaults To False | ❌ | 301013ms |
| Request Payload.Flag Keys To Evaluate Contains Only Requested Key | ❌ | 300932ms |
| Request Lifecycle.No Flags Request On Init Alone | ❌ | 301051ms |
| Request Lifecycle.No Flags Request On Normal Capture | ❌ | 300938ms |
| Request Lifecycle.Two Flag Calls Produce Two Remote Requests | ❌ | 301028ms |
| Request Lifecycle.Mock Response Value Is Returned To Caller | ❌ | 301011ms |
| Side Effect Events.Get Feature Flag Captures Feature Flag Called Event | ❌ | 301015ms |
Failures
- `request_payload.request_with_person_properties_device_id`: Field 'token' not found in /flags request body at path 'token'. Available keys: ['distinct_id', 'groups', 'person_properties', 'group_properties', 'geoip_disable', 'device_id', 'flag_keys_to_evaluate', 'sentAt', 'api_key']
- `request_payload.flags_request_uses_v2_query_param`: No error message
- `request_payload.flags_request_hits_flags_path_not_decide`: No error message
- `request_payload.flags_request_omits_authorization_header`: No error message
- `request_payload.token_in_flags_body_matches_init`: No error message
- `request_payload.groups_round_trip`: No error message
- `request_payload.groups_default_to_empty_object`: No error message
- `request_payload.person_properties_distinct_id_auto_populated_when_caller_omits_it`: No error message
- `request_payload.disable_geoip_false_propagates_as_geoip_disable_false`: No error message
- `request_payload.disable_geoip_omitted_defaults_to_false`: No error message
- `request_payload.flag_keys_to_evaluate_contains_only_requested_key`: No error message
- `request_lifecycle.no_flags_request_on_init_alone`: No error message
- `request_lifecycle.no_flags_request_on_normal_capture`: No error message
- `request_lifecycle.two_flag_calls_produce_two_remote_requests`: No error message
- `request_lifecycle.mock_response_value_is_returned_to_caller`: No error message
- `side_effect_events.get_feature_flag_captures_feature_flag_called_event`: No error message
💡 Motivation and Context
re https://github.com/PostHog/posthog-python/pull/602/checks?check_run_id=77110759108
Socket Security is blocking CI because locked dependency versions include critical CVEs:
This updates the dependency constraints and lockfiles to patched versions. The Semantic Kernel example directly pins `azure-ai-agents==1.2.0b6` so uv can resolve Semantic Kernel's patched release without enabling prereleases globally.

💚 How did you test it?

```shell
uv lock --check
cd integration_tests/django5 && uv lock --check
cd examples/example-ai-semantic-kernel && uv lock --check
uv run --extra test pytest posthog/test/integrations/test_middleware.py --timeout=30 -q
cd integration_tests/django5 && uv run pytest test_middleware.py test_exception_capture.py -q
cd examples/example-ai-semantic-kernel && uv run python - <<'PY'
import importlib.metadata
import semantic_kernel
print(importlib.metadata.version('semantic-kernel'))
print(importlib.metadata.version('azure-ai-agents'))
PY
```

📝 Checklist

If releasing new changes:
- `sampo add` to generate a changeset file