[AAASM-4778] ⬆️ (deps): Remediate mcp/json-repair/semantic-kernel Dependabot alerts#328
Conversation
Remediates Dependabot alerts #28/#29 (critical). semantic-kernel >=1.39.4 requires pre-release-only transitive deps azure-ai-agents>=1.2.0b3 and azure-ai-projects~=1.0.0b12; uv accepts a pre-release only for a direct requirement carrying a pre-release specifier, so both are added as direct deps solely to unlock resolution (the example imports neither). Scoping the pre-release allowance to just these keeps mcp on stable 1.28.1. Resolves to semantic-kernel 1.44.0; uv sync --extra dev + pytest (6 passed) verified. Refs AAASM-4778
mcp and json-repair are transitive-only via crewai (crewai-research-crew live extra, never installed in CI). crewai~=1.15 hard-pins them below the patched versions with no release relaxing the pins, so no reachable patched version exists. Mirrors the existing e2e-public AAASM-4768 accepted-risk config; prevents recurring un-actionable alerts on the mock/dev path. Refs AAASM-4778
|
Claude Code — PR reviewVerdict: ready to approve & merge (pending required Pioneer approval).
Scope
Side-effect analysis — changes are confined to Closes #28/#29 on merge (the mcp/json-repair #31–#34 were separately dismissed as accepted-risk). |



What changed
Remediates the
semantic-kernelcritical Dependabot alerts (#28, #29) inpython/semantic-kernel-tool-policy/uv.lockby bumping the direct dependencyfrom
>=1.36.0to>=1.39.4(resolves to 1.44.0).semantic-kernel >=1.39.4declares pre-release-only transitive deps (
azure-ai-agents>=1.2.0b3,azure-ai-projects~=1.0.0b12); uv accepts a pre-release only for a directrequirement carrying a pre-release specifier, so both azure packages are added
as direct deps solely to unlock resolution (the example imports neither). Scoping
the pre-release allowance to exactly those two keeps
mcpon stable 1.28.1 —no beta
mcpis dragged in. CI is unaffected (uv sync --extra devonly).Not fixed here —
crewai-research-crewalerts #31/#32/#33/#34 are blockedThe
mcp(#32/#33/#34) andjson-repair(#31) alerts inpython/crewai-research-crew/uv.lockcannot be remediated by a dependencybump. Those packages are transitive, pulled in only through the optional
liveextra's
crewai(never installed in CI). Every publishedcrewairelease —including the latest stable
1.15.3and all pre-releases — pinsmcp~=1.26.0(<1.27) andjson-repair~=0.25.2(<0.26). The only versionsavailable inside those ranges are
mcp==1.26.0andjson-repair==0.25.2/0.25.3,all below the patched
mcp>=1.28.1/json-repair>=0.60.1. Nocrewaibumpreaches the patched versions. The only ways to force them are (a) crewai upstream
relaxing its pins, or (b) a uv
override-dependenciesthat forcescrewaiontodep versions it declares unsupported — which risks breaking the runnable
livecrewai example, so it is deliberately not done here. These four alerts affect
live-extra-only deps that CI never installs; recommend leaving them open pendinga crewai upstream pin relaxation, tracked on AAASM-4778.
Related ticket
Closes AAASM-4778
How to verify
Checklist
[AAASM-XXXX] <GitEmoji> (<scope>): <summary>.envfiles committedREADME.mdwith prerequisites and run instructions🤖 Generated with Claude Code
https://claude.ai/code/session_01TdxntF32Wi278LGD22dVS4