Fix remediation for transitive pip dependency alerts #52
Merged
…tive deps When create_bump_pr() can't find a dependency pin (e.g. idna via requests), enable automated security fixes on the repo so Dependabot will attempt the update. Also search pyproject.toml for pip pins. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When CLAUDE_VERBOSE=true, run-claude.sh uses --output-format json. The verdict text is inside a JSON string, so the regex for ```VERDICT_JSON blocks never matched. Now extract_alert_verdict.py parses the JSON event array first and searches the assistant text. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When a pip transitive dependency has no direct pin, detect the repo's lock tool (uv/poetry/pipenv) and run the upgrade in CI. Replaces the request_dependabot_update fallback which did nothing for lock files. New scripts/pip-lock-bump.sh mirrors the npm-bump.sh pattern: upgrade the lock file, commit via API, and open a PR. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When ALERT_PATCHED_VERSION is empty (e.g. manual workflow dispatch), post_alert_action.py now fetches it from the alert API before giving up. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
groovecoder commented May 27, 2026
Parametrize TestDetectPipLockTool to make priority order obvious (uv > poetry > pipenv). Extract shared pip env setup into _run_pip_main helper to reduce boilerplate in TestPipLockBumpFlow. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
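The decision the commits above describe, written out as an added Python example (it is not the project's `post_alert_action.py`): look for a direct `pkg==x.y.z` pin in `requirements*.txt` or `pyproject.toml`; if there is none, detect the lock tool in uv > poetry > pipenv order and run its per-package upgrade; otherwise report `noop`. Assumptions made here: the repo arrives as a `{path: contents}` dict (the project checks lock files via the GitHub API), the `poetry.lock`/`Pipfile.lock` file names and the `poetry update`/`pipenv update` commands, and every version number and file body in `SAMPLE_REPO`, which is constructed.

```python
"""Plan a pip remediation for a Dependabot alert.

Added example, not the project's post_alert_action.py. Assumed here: the
repo is passed in as a {path: contents} dict (the project queries the
GitHub API instead), the poetry/pipenv lock-file names and upgrade commands,
and every version number and file body in SAMPLE_REPO (constructed).
"""
import re
from typing import Dict, Optional

# Priority order uv > poetry > pipenv: the first lock file found wins.
LOCK_TOOLS = (
    ("uv", "uv.lock", "uv lock --upgrade-package {pkg}"),
    ("poetry", "poetry.lock", "poetry update {pkg}"),    # assumed command
    ("pipenv", "Pipfile.lock", "pipenv update {pkg}"),   # assumed command
)


def _is_pin_file(path: str) -> bool:
    """Files searched for a direct `pkg==x.y.z` pin."""
    name = path.rsplit("/", 1)[-1]
    return name == "pyproject.toml" or (
        name.startswith("requirements") and name.endswith(".txt")
    )


def _pin_re(pkg: str) -> re.Pattern:
    """Match `pkg==<version>` at line start or after whitespace/quotes.

    Name parts may be joined by '-', '_' or '.' interchangeably (PEP 503 style),
    so `typing_extensions` also matches `typing-extensions==4.9.0`.
    """
    name = "[-_.]+".join(re.escape(p) for p in re.split(r"[-_.]+", pkg))
    return re.compile(
        r"(?:^|[\s\"'])" + name + r"(?:\[[^\]]*\])?\s*==\s*([0-9][^\s\"',;]*)",
        re.IGNORECASE | re.MULTILINE,
    )


def find_direct_pin(pkg: str, repo: Dict[str, str]) -> Optional[tuple]:
    """Return (path, pinned_version) for the first direct pin of pkg, else None."""
    pattern = _pin_re(pkg)
    for path in sorted(repo):
        if not _is_pin_file(path):
            continue
        match = pattern.search(repo[path])
        if match:
            return path, match.group(1)
    return None


def detect_pip_lock_tool(paths) -> Optional[str]:
    """Name of the highest-priority lock tool whose lock file exists at repo root."""
    present = set(paths)
    for tool, lock_file, _ in LOCK_TOOLS:
        if lock_file in present:
            return tool
    return None


def plan_remediation(pkg: str, patched: str, repo: Dict[str, str]) -> dict:
    """Decide how to remediate: bump a direct pin, upgrade via lock tool, or noop."""
    pin = find_direct_pin(pkg, repo)
    if pin:
        path, current = pin
        return {"action": "bump_pin", "file": path, "current": current, "target": patched}
    tool = detect_pip_lock_tool(repo)
    if tool:
        command = next(cmd for t, _, cmd in LOCK_TOOLS if t == tool)
        return {"action": "pip_lock_bump", "tool": tool, "command": command.format(pkg=pkg)}
    return {"action": "noop", "reason": f"no direct pin or lock file for {pkg}"}


# Constructed sample repo: requests pinned directly, idna only transitively,
# both uv.lock and poetry.lock present so the priority rule is exercised.
SAMPLE_REPO = {
    "pyproject.toml": '[project]\nname = "demo"\ndependencies = [\n    "requests==2.31.0",\n]\n',
    "uv.lock": "# constructed placeholder\n",
    "poetry.lock": "# constructed placeholder\n",
}

if __name__ == "__main__":
    print(plan_remediation("idna", "3.7", SAMPLE_REPO))        # "3.7" is a constructed version
    print(plan_remediation("requests", "2.32.0", SAMPLE_REPO))
```

Searching for a pin before looking at lock files matters: a transitive package that happens to be pinned directly (a common way to force a patched version) should get the simple pin bump rather than a lock-file upgrade that may also pull in unrelated changes.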
Summary

- (`idna` via `requests`) has no direct pin, detect the repo's lock tool (uv/poetry/pipenv) and run `uv lock --upgrade-package` (or equivalent) to create a bump PR. Previously the script gave up with `action=noop`.
- `CLAUDE_VERBOSE=true`. The `--output-format json` wraps Claude's text in a JSON event array; the regex for `VERDICT_JSON` blocks never matched the escaped strings.
- `ALERT_PATCHED_VERSION` is empty (e.g. manual workflow dispatch).

Changes

- `scripts/post_alert_action.py` — `detect_pip_lock_tool()` checks for lock files via the GitHub API. `fetch_patched_version()` fills in missing patched version from the alert. Also searches `pyproject.toml` for direct pins.
- `scripts/pip-lock-bump.sh` — New script mirroring `npm-bump.sh`: commits lock file changes via API and opens a PR.
- `.github/workflows/investigate-security-alert.yml` — New `pip_lock_bump` steps between npm bump and private fork sections.
- `scripts/extract_alert_verdict.py` — Parses JSON session logs to extract assistant text before searching for verdict blocks.
- `scripts/alert_report.py` — Added `pip_lock_bump` action label.

Test plan

- `investigate-security-alert` workflow on `debug-remediate` targeting `mozilla/blender` alert #2 (idna) — should produce a bump PR updating `uv.lock`
- (`CLAUDE_VERBOSE=true`) extracts the verdict
- `ruff check scripts/` and `pytest tests/` pass (CI covers this)
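The verdict-extraction bug described in the summary (a regex over a verbose `--output-format json` log never matches, because the fenced block lives inside an escaped JSON string), shown as an added Python example that is not the project's `extract_alert_verdict.py`. The event shape assumed here, an array of objects with `"type": "assistant"` and `message.content[].text`, the verdict field names, and `VERBOSE_LOG` itself are all constructed for the example.

```python
"""Extract a ```VERDICT_JSON block from a Claude session log.

Added example, not the project's extract_alert_verdict.py. The event shape
(array of {"type": "assistant", "message": {"content": [{"type": "text",
"text": ...}]}}) is an assumption about --output-format json, and VERBOSE_LOG
is a constructed sample.
"""
import json
import re
from typing import Optional

# The fenced block the assistant is asked to emit (block name from the PR text).
VERDICT_RE = re.compile(r"```VERDICT_JSON\s*\n(.*?)\n```", re.DOTALL)


def assistant_text(session_log: str) -> str:
    """Return the concatenated assistant text from a JSON event array.

    Falls back to the raw log when it is not a JSON array (plain-text mode),
    so one regex pass serves both output formats.
    """
    try:
        events = json.loads(session_log)
    except json.JSONDecodeError:
        return session_log
    if not isinstance(events, list):
        return session_log
    chunks = []
    for event in events:
        if not isinstance(event, dict) or event.get("type") != "assistant":
            continue
        content = event.get("message", {}).get("content", [])
        if isinstance(content, str):
            chunks.append(content)
            continue
        for part in content:
            if isinstance(part, dict) and part.get("type") == "text":
                chunks.append(part.get("text", ""))
    return "\n".join(chunks)


def extract_verdict(session_log: str) -> Optional[dict]:
    """Return the parsed verdict dict, or None if no valid block exists."""
    text = assistant_text(session_log)
    for candidate in reversed(VERDICT_RE.findall(text)):  # last block wins
        try:
            verdict = json.loads(candidate)
        except json.JSONDecodeError:
            continue  # a malformed block is skipped, not treated as a verdict
        if isinstance(verdict, dict):
            return verdict
    return None


# Constructed sample of a verbose (JSON) session log. Inside the JSON string the
# fence and newlines are escaped ("\n", "\""), which is why a regex over the raw
# file never matched.
VERBOSE_LOG = json.dumps([
    {"type": "system", "subtype": "init"},
    {"type": "assistant", "message": {"content": [{
        "type": "text",
        "text": "Reviewed the alert.\n\n```VERDICT_JSON\n"
                '{"verdict": "affected", "action": "pip_lock_bump"}\n```\n',
    }]}},
    {"type": "result", "subtype": "success"},
])


def demo():
    """(regex hit on the raw log?, verdict after decoding the event array)."""
    raw_hit = VERDICT_RE.search(VERBOSE_LOG) is not None
    return raw_hit, extract_verdict(VERBOSE_LOG)


if __name__ == "__main__":
    print(demo())
```

Decoding the event array before matching is the whole fix: the raw file contains the two characters `\` `n` where the regex expects a newline, so the fence is never seen until the JSON string is unescaped. Parsing the block with `json.loads` and requiring a dict also means a partial or garbled block fails closed rather than being posted as a verdict.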