Implementation Plan: Fix Dependabot Alerts — Bump fastmcp and dynaconf Pins#699
Merged
Trecek merged 1 commit intointegrationfrom Apr 10, 2026
Conversation
… alerts - fastmcp: >=3.1.1 → >=3.2.0 (resolves CRITICAL SSRF #11, HIGH OAuth #10, MEDIUM cmd injection #9) - dynaconf: >=3.2.12 → >=3.2.13 (resolves HIGH RCE via @Jinja #5) - pyjwt: explicit >=2.12.0 lower bound (resolves HIGH crit header bypass #1) - pygments: explicit >=2.20.0 lower bound (resolves LOW ReDoS #8) - uv.lock regenerated: authlib 1.6.8→1.6.9, cryptography 46.0.5→46.0.7, fastmcp 3.1.1→3.2.3, dynaconf 3.2.12→3.2.13, pyjwt 2.11.0→2.12.1, pygments 2.19.2→2.20.0 (resolves transitive alerts #2 #3 #4 #7 #12) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Trecek
commented
Apr 10, 2026
Collaborator
Author
Trecek
left a comment
Trecek
left a comment
There was a problem hiding this comment.
AutoSkillit PR Review — Verdict: needs_human
| "igraph>=1.0", | ||
| "packaging>=23.0", | ||
| "psutil>=7.2.0", | ||
| "pygments>=2.20.0", |
Collaborator
Author
There was a problem hiding this comment.
[warning] defense: pygments>=2.20.0 has no upper bound. For a security-sensitive package being pinned as part of a Dependabot alert fix, an open-ended specifier allows future breaking or vulnerable versions to be pulled in automatically. Consider adding <3.0 to constrain to the current major.
| "packaging>=23.0", | ||
| "psutil>=7.2.0", | ||
| "pygments>=2.20.0", | ||
| "pyjwt>=2.12.0", |
Collaborator
Author
There was a problem hiding this comment.
[warning] defense: pyjwt>=2.12.0 has no upper bound. pyjwt is a security-sensitive package (JWT validation); an open-ended specifier permits future major versions with breaking auth semantics to resolve silently. Consider adding <3.0 to constrain to the current major.
Trecek
deleted the
fix-dependabot-alerts-bump-fastmcp-and-dynaconf-pins/698
branch
This was referenced Apr 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bump two direct dependency lower bounds in
pyproject.tomlto resolve 9 of 11 open Dependabot security alerts, then regenerate the lock file to pull transitive dependencies (PyJWT, Pygments) to safe versions, resolving the remaining 2 alerts. The changes are confined topyproject.tomlanduv.lock— no source code modifications are required.Alerts resolved:
Architecture Impact
Development Diagram
%%{init: {'flowchart': {'nodeSpacing': 50, 'rankSpacing': 60, 'curve': 'basis'}}}%% flowchart TB %% CLASS DEFINITIONS %% classDef cli fill:#1a237e,stroke:#7986cb,stroke-width:2px,color:#fff; classDef stateNode fill:#004d40,stroke:#4db6ac,stroke-width:2px,color:#fff; classDef handler fill:#e65100,stroke:#ffb74d,stroke-width:2px,color:#fff; classDef phase fill:#6a1b9a,stroke:#ba68c8,stroke-width:2px,color:#fff; classDef output fill:#00695c,stroke:#4db6ac,stroke-width:2px,color:#fff; classDef detector fill:#b71c1c,stroke:#ef5350,stroke-width:2px,color:#fff; classDef terminal fill:#1a237e,stroke:#7986cb,stroke-width:2px,color:#fff; classDef newComponent fill:#2e7d32,stroke:#81c784,stroke-width:2px,color:#fff; %% ENTRY %% DEV([Developer Workstation]) subgraph DepMgmt ["● DEPENDENCY MANAGEMENT (PR Focus)"] direction TB PYPROJECT["● pyproject.toml<br/>━━━━━━━━━━<br/>build-backend: hatchling<br/>requires-python: >=3.11<br/>fastmcp >=3.2.0,<4.0<br/>dynaconf >=3.2.13,<4.0<br/>+ 10 other runtime deps"] UVLOCK["● uv.lock<br/>━━━━━━━━━━<br/>~92 packages locked<br/>Regenerated after pin bump<br/>Resolves Dependabot alerts"] PYPROJECT -->|"uv lock"| UVLOCK end subgraph Build ["BUILD TOOLING"] direction TB HATCH["hatchling<br/>━━━━━━━━━━<br/>build-backend<br/>Packages src/autoskillit/<br/>Includes: hooks/, migrations/<br/>.claude-plugin/, .mcp.json"] TASKFILE["Taskfile.yml<br/>━━━━━━━━━━<br/>install-worktree<br/>install-dev<br/>sync-plugin-version<br/>check-docs"] UVLOCK -->|"uv pip install -e .[dev]"| TASKFILE PYPROJECT --> HATCH end subgraph Quality ["PRE-COMMIT QUALITY GATES"] direction LR FORMAT["ruff-format<br/>━━━━━━━━━━<br/>Auto-formats<br/>Python files"] LINT["ruff check --fix<br/>━━━━━━━━━━<br/>E, F, I, UP, TID251<br/>line-length: 99"] MYPY["mypy<br/>━━━━━━━━━━<br/>src/ --ignore-missing-imports<br/>No pyproject config"] UVCHECK["uv-lock-check<br/>━━━━━━━━━━<br/>uv lock --check<br/>Triggers on pyproject.toml<br/>or uv.lock changes"] SECRETS["gitleaks<br/>━━━━━━━━━━<br/>Secret scanning<br/>v8.30.0"] NOWRITE["no-generated-configs<br/>━━━━━━━━━━<br/>Blocks hooks.json +<br/>settings.json commits"] FORMAT --> LINT --> MYPY end subgraph LayerCheck ["IMPORT LAYER ENFORCEMENT"] direction TB IMPORTLINT["import-linter<br/>━━━━━━━━━━<br/>7 layered contracts<br/>L0→L1→L2→L3<br/>Runs before pytest"] end subgraph Testing ["TEST FRAMEWORK"] direction TB PYTEST["pytest + pytest-asyncio<br/>━━━━━━━━━━<br/>asyncio_mode: auto<br/>timeout: 60s<br/>testpaths: tests/"] XDIST["pytest-xdist<br/>━━━━━━━━━━<br/>-n 4 parallel workers<br/>All tests parallelism-safe"] SMOKE["pytest -m smoke<br/>━━━━━━━━━━<br/>E2E tests<br/>Requires ANTHROPIC_API_KEY"] PYTEST --> XDIST PYTEST --> SMOKE end subgraph Tasks ["TASK RUNNER (test targets)"] direction LR TESTALL["task test-all<br/>━━━━━━━━━━<br/>lint-imports + pytest<br/>Human-facing"] TESTCHECK["task test-check<br/>━━━━━━━━━━<br/>TEST_RESULT=PASS/FAIL<br/>Automation/MCP"] end subgraph EntryPoints ["ENTRY POINTS"] EP["autoskillit<br/>━━━━━━━━━━<br/>autoskillit.cli:main<br/>serve / init / config<br/>skills / recipes / doctor"] end %% FLOW %% DEV --> PYPROJECT PYPROJECT --> UVCHECK UVLOCK --> UVCHECK MYPY --> IMPORTLINT IMPORTLINT --> TESTALL IMPORTLINT --> TESTCHECK TESTALL --> PYTEST TESTCHECK --> PYTEST HATCH --> EP DEV -->|"git commit triggers"| FORMAT DEV -->|"git commit triggers"| UVCHECK DEV -->|"git commit triggers"| SECRETS DEV -->|"git commit triggers"| NOWRITE %% CLASS ASSIGNMENTS %% class PYPROJECT,UVLOCK stateNode; class HATCH,TASKFILE phase; class FORMAT,LINT,MYPY,UVCHECK,SECRETS,NOWRITE detector; class IMPORTLINT detector; class PYTEST,XDIST,SMOKE handler; class TESTALL,TESTCHECK phase; class EP output; class DEV terminal;Closes #698
Implementation Plan
Plan file:
.autoskillit/temp/make-plan/fix-dependabot-alerts-bump-fastmcp-and-dynaconf-pins_plan_2026-04-09_201600.md🤖 Generated with Claude Code via AutoSkillit
Token Usage Summary