FIX address dependabot alerts by bumping package versions by romanlutz · Pull Request #1460 · microsoft/PyRIT

romanlutz · 2026-03-13T03:19:51Z

Fix 11 Dependabot security alerts

Bump vulnerable dependencies to patched versions.

Python (pyproject.toml + uv.lock):

pypdf ≥6.8.0 — fixes RAM exhaustion via manipulated stream lengths (Cleanup notebook outputs #56)
gradio ≥6.7.0 — fixes SSRF, open redirect, path traversal, and OAuth credential exposure (Refactoring Docs to use JupyText #49–52)
orjson ≥3.11.6 constraint — fixes unlimited recursion for nested JSON (Add Details to Contributor Guide About Forking/PRs #59)
tornado ≥6.5.5 constraint — fixes DoS via multipart parts and cookie validation (Add release instructions #57–58)

npm (frontend/):

minimatch — fixes ReDoS via npm audit fix (Standardizing environment for completions and embeddings #46–47)
@tootallnate/once ≥3.0.1 — fixes incorrect control flow scoping via npm override (Add learn link to README #55)

Not addressed:

diskcache (Update Demo Notebook Prerequisites #30) — no patched version available

tests/unit/scenarios/test_leakage_scenario.py

tests/unit/target/test_websocket_copilot_target.py

- Bump pypdf >=6.7.5 -> >=6.8.0 (direct dep, fixes microsoft#56) - Bump gradio >=5.32.0 -> >=6.7.0 (optional dep, fixes microsoft#49-52) - Add orjson >=3.11.6 constraint (transitive, fixes microsoft#59) - Add tornado >=6.5.5 constraint (transitive, fixes microsoft#57-58) - Fix minimatch ReDoS via npm audit fix (fixes microsoft#46-47) - Add @tootallnate/once >=3.0.1 npm override (fixes microsoft#55) - diskcache microsoft#30 has no patched version available Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

…1460) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

adrian-gavrila reviewed Mar 13, 2026

View reviewed changes

tests/unit/scenarios/test_leakage_scenario.py Show resolved Hide resolved

tests/unit/target/test_websocket_copilot_target.py Show resolved Hide resolved

romanlutz force-pushed the fix/dependabot-alerts branch from 1cef388 to 2b86af3 Compare March 13, 2026 11:59

Merge branch 'main' into fix/dependabot-alerts

43a5eda

adrian-gavrila approved these changes Mar 13, 2026

View reviewed changes

romanlutz merged commit 8ad0d2b into microsoft:main Mar 13, 2026
41 checks passed

romanlutz deleted the fix/dependabot-alerts branch March 13, 2026 17:23

riyosha pushed a commit to riyosha/PyRIT that referenced this pull request Mar 24, 2026

FIX address dependabot alerts by bumping package versions (microsoft#…

df6b9b5

…1460) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FIX address dependabot alerts by bumping package versions#1460

FIX address dependabot alerts by bumping package versions#1460
romanlutz merged 2 commits intomicrosoft:mainfrom
romanlutz:fix/dependabot-alerts

romanlutz commented Mar 13, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

romanlutz commented Mar 13, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants