Skip to content

Dependabot/moderate-high-critical-severity version bumps#4915

Open
ChrisChapman-gh wants to merge 16 commits into
mainfrom
dependabot/moderate-severity-version-bumps
Open

Dependabot/moderate-high-critical-severity version bumps#4915
ChrisChapman-gh wants to merge 16 commits into
mainfrom
dependabot/moderate-severity-version-bumps

Conversation

Update direct aiohttp pins in api_app, resource_processor/vmss_porter, and the CLI requirements/setup metadata from 3.13.3 to 3.13.4.

This addresses the open moderate Dependabot alerts for aiohttp: #333, #332, #331, #330, #313, #312, #311, #310, #309, #308, #307, #306, #296, #295, #294, and #293. These alerts are fixed by aiohttp 3.13.4.
@ChrisChapman-gh ChrisChapman-gh self-assigned this May 22, 2026
@ChrisChapman-gh ChrisChapman-gh added api Composition Service API dependencies Pull requests that update a dependency file deployment labels May 22, 2026
@github-actions

github-actions Bot commented May 22, 2026

Copy link
Copy Markdown

Unit Test Results

943 tests   943 ✅  36s ⏱️
 29 suites    0 💤
  3 files      0 ❌

Results for commit 1030f42.

♻️ This comment has been updated with latest results.

@marrobi marrobi moved this to Up Next in Azure TRE - Engineering Jul 2, 2026
@marrobi marrobi moved this from Up Next to In Progress in Azure TRE - Engineering Jul 2, 2026
maxmartin-cgi and others added 5 commits July 3, 2026 11:02
Update direct aiohttp pins in api_app, resource_processor/vmss_porter, and the CLI requirements/setup metadata from 3.13.3 to 3.13.4.

This addresses the open moderate Dependabot alerts for aiohttp: #333, #332, #331, #330, #313, #312, #311, #310, #309, #308, #307, #306, #296, #295, #294, and #293. These alerts are fixed by aiohttp 3.13.4.
@ChrisChapman-gh

Copy link
Copy Markdown
Collaborator Author

/test-extended

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/28656861726 (with refid 943f9a23)

(in response to this comment from @ChrisChapman-gh)

@ChrisChapman-gh ChrisChapman-gh changed the title Dependabot/moderate severity version bumps Dependabot/moderate-high-critical severity version bumps Jul 3, 2026
@ChrisChapman-gh

Copy link
Copy Markdown
Collaborator Author

/test-extended

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/28663591304 (with refid 943f9a23)

(in response to this comment from @ChrisChapman-gh)

@ChrisChapman-gh

Copy link
Copy Markdown
Collaborator Author

/test-extended

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/28664830515 (with refid 943f9a23)

(in response to this comment from @ChrisChapman-gh)

@ChrisChapman-gh

Copy link
Copy Markdown
Collaborator Author

/test-extended

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/28665092962 (with refid 943f9a23)

(in response to this comment from @ChrisChapman-gh)

@ChrisChapman-gh

Copy link
Copy Markdown
Collaborator Author

/test-extended

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/28665303017 (with refid 943f9a23)

(in response to this comment from @ChrisChapman-gh)

@ChrisChapman-gh ChrisChapman-gh force-pushed the dependabot/moderate-severity-version-bumps branch from ad2cd6f to 8132b36 Compare July 3, 2026 14:20
@ChrisChapman-gh ChrisChapman-gh changed the title Dependabot/moderate-high-critical severity version bumps Dependabot/moderate-high-severity version bumps Jul 3, 2026
@ChrisChapman-gh

Copy link
Copy Markdown
Collaborator Author

/test-extended

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

🤖 pr-bot 🤖

🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/28667451230 (with refid 943f9a23)

(in response to this comment from @ChrisChapman-gh)

@ChrisChapman-gh ChrisChapman-gh changed the title Dependabot/moderate-high-severity version bumps Dependabot/moderate-high-critical-severity version bumps Jul 3, 2026
@ChrisChapman-gh ChrisChapman-gh marked this pull request as ready for review July 4, 2026 09:16
@ChrisChapman-gh ChrisChapman-gh requested a review from a team as a code owner July 4, 2026 09:16
Copilot AI review requested due to automatic review settings July 4, 2026 09:16

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates JavaScript and Python dependencies across Azure TRE components to address Dependabot moderate/high/critical security alerts, alongside patch-level version bumps for affected services.

Changes:

  • Pin/bump UI tooling dependencies (Vite/Vitest) and update the npm lockfile accordingly.
  • Bump Python dependencies (e.g., aiohttp, PyJWT, pytest, pytest-asyncio) across API/CLI/processors and update component versions.
  • Add changelog entry describing the Dependabot alert remediation.

Reviewed changes

Copilot reviewed 12 out of 13 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
ui/app/package.json Pins/bump UI build/test tool versions (Vite/Vitest).
ui/app/package-lock.json Updates resolved npm dependency graph to match the new UI dependency versions.
resource_processor/vmss_porter/requirements.txt Bumps aiohttp for the resource processor VMSS porter runner.
resource_processor/_version.py Patch bump for resource processor version reflecting dependency change.
e2e_tests/requirements.txt Bumps pytest tooling used by e2e tests.
cli/setup.py Updates packaged CLI dependency pins (PyJWT/aiohttp).
cli/requirements.txt Updates CLI runtime dependency pins (PyJWT/aiohttp).
CHANGELOG.md Notes Dependabot alert remediation in Unreleased BUG FIXES.
api_app/requirements.txt Bumps API runtime dependencies (aiohttp/PyJWT).
api_app/requirements-dev.txt Bumps API dev/test dependencies (pytest/pytest-asyncio).
api_app/_version.py Patch bump for API version reflecting dependency updates.
airlock_processor/requirements-dev.txt Bumps airlock processor dev/test pytest version.
airlock_processor/_version.py Patch bump for airlock processor version reflecting dependency updates.
Files not reviewed (1)
  • ui/app/package-lock.json: Generated file

Comment thread CHANGELOG.md
Comment thread ui/app/package.json
Comment thread ui/app/package-lock.json

@marrobi marrobi left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

airlock api Composition Service API dependencies Pull requests that update a dependency file deployment e2e-tests E2E tests ui TRE UI

Projects

Status: In Progress

Development

Successfully merging this pull request may close these issues.

4 participants