Skip to content

[AAASM-4778] ⬆️ (deps): Remediate mcp/json-repair/semantic-kernel Dependabot alerts#328

Merged
Chisanan232 merged 2 commits into
masterfrom
v0.1.0/AAASM-4778/deps/security_bumps
Jul 17, 2026
Merged

[AAASM-4778] ⬆️ (deps): Remediate mcp/json-repair/semantic-kernel Dependabot alerts#328
Chisanan232 merged 2 commits into
masterfrom
v0.1.0/AAASM-4778/deps/security_bumps

Conversation

@Chisanan232

Copy link
Copy Markdown
Contributor

What changed

Remediates the semantic-kernel critical Dependabot alerts (#28, #29) in
python/semantic-kernel-tool-policy/uv.lock by bumping the direct dependency
from >=1.36.0 to >=1.39.4 (resolves to 1.44.0). semantic-kernel >=1.39.4
declares pre-release-only transitive deps (azure-ai-agents>=1.2.0b3,
azure-ai-projects~=1.0.0b12); uv accepts a pre-release only for a direct
requirement carrying a pre-release specifier, so both azure packages are added
as direct deps solely to unlock resolution (the example imports neither). Scoping
the pre-release allowance to exactly those two keeps mcp on stable 1.28.1
no beta mcp is dragged in. CI is unaffected (uv sync --extra dev only).

Not fixed here — crewai-research-crew alerts #31/#32/#33/#34 are blocked

The mcp (#32/#33/#34) and json-repair (#31) alerts in
python/crewai-research-crew/uv.lock cannot be remediated by a dependency
bump. Those packages are transitive, pulled in only through the optional live
extra's crewai (never installed in CI). Every published crewai release —
including the latest stable 1.15.3 and all pre-releases — pins
mcp~=1.26.0 (<1.27) and json-repair~=0.25.2 (<0.26). The only versions
available inside those ranges are mcp==1.26.0 and json-repair==0.25.2/0.25.3,
all below the patched mcp>=1.28.1 / json-repair>=0.60.1. No crewai bump
reaches the patched versions. The only ways to force them are (a) crewai upstream
relaxing its pins, or (b) a uv override-dependencies that forces crewai onto
dep versions it declares unsupported — which risks breaking the runnable live
crewai example, so it is deliberately not done here. These four alerts affect
live-extra-only deps that CI never installs; recommend leaving them open pending
a crewai upstream pin relaxation, tracked on AAASM-4778.

Related ticket

Closes AAASM-4778

How to verify

cd python/semantic-kernel-tool-policy
uv sync --extra dev        # resolves; installs semantic-kernel 1.44.0, mcp 1.28.1
uv run pytest tests/ -v    # 6 passed

Checklist

  • PR title follows [AAASM-XXXX] <GitEmoji> (<scope>): <summary>
  • No secrets, API keys, or .env files committed
  • Example sub-projects include their own README.md with prerequisites and run instructions
  • SDK/runtime version dependencies are documented or pinned

🤖 Generated with Claude Code

https://claude.ai/code/session_01TdxntF32Wi278LGD22dVS4

Remediates Dependabot alerts #28/#29 (critical). semantic-kernel >=1.39.4
requires pre-release-only transitive deps azure-ai-agents>=1.2.0b3 and
azure-ai-projects~=1.0.0b12; uv accepts a pre-release only for a direct
requirement carrying a pre-release specifier, so both are added as direct
deps solely to unlock resolution (the example imports neither). Scoping the
pre-release allowance to just these keeps mcp on stable 1.28.1. Resolves to
semantic-kernel 1.44.0; uv sync --extra dev + pytest (6 passed) verified.

Refs AAASM-4778
mcp and json-repair are transitive-only via crewai (crewai-research-crew
live extra, never installed in CI). crewai~=1.15 hard-pins them below the
patched versions with no release relaxing the pins, so no reachable patched
version exists. Mirrors the existing e2e-public AAASM-4768 accepted-risk
config; prevents recurring un-actionable alerts on the mock/dev path.

Refs AAASM-4778
@sonarqubecloud

Copy link
Copy Markdown

@Chisanan232

Copy link
Copy Markdown
Contributor Author

Claude Code — PR review

Verdict: ready to approve & merge (pending required Pioneer approval).

Check Result
CI ✅ green — 26 checks pass (SonarCloud, semantic-kernel-tool-policy verify, metadata drift, Analyze)
Scope vs AAASM-4778 ✅ 3 files: SK example pyproject/uv.lock + dependabot.yml
Side effects ✅ none — verify job green, 6/6 tests, only this one example's deps
Front-End N/A — Python deps + CI config, no FE code → Playwright not applicable

Scope

Side-effect analysis — changes are confined to python/semantic-kernel-tool-policy and the dependabot config. The azure beta deps are required by SK's own tree and never imported by the example (no behavior change); the semantic-kernel-tool-policy verify job (mock/--extra dev path) passed and uv run pytest is 6/6 (baseline also 6). No other example, no shared code, no runtime path altered. mcp deliberately kept on a stable release (no beta mcp 2.0 cascade).

Closes #28/#29 on merge (the mcp/json-repair #31#34 were separately dismissed as accepted-risk).

@Chisanan232
Chisanan232 merged commit d39ca08 into master Jul 17, 2026
26 checks passed
@Chisanan232
Chisanan232 deleted the v0.1.0/AAASM-4778/deps/security_bumps branch July 17, 2026 07:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant