Skip to content

fix(agentex): bump aiohttp 3.13.4 -> 3.14.1 (clears 11 CVEs, agentex server image)#359

Merged
scale-ballen merged 1 commit into
mainfrom
prodsec/agentex-cve-bumps
Jul 13, 2026
Merged

fix(agentex): bump aiohttp 3.13.4 -> 3.14.1 (clears 11 CVEs, agentex server image)#359
scale-ballen merged 1 commit into
mainfrom
prodsec/agentex-cve-bumps

Conversation

@scale-ballen

@scale-ballen scale-ballen commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

Bumps aiohttp from 3.13.4 → 3.14.1 in the workspace lockfile that the agentex server image builds from.

aiohttp is a transitive dependency (pulled via agentex-sdk / litellm), resolved at 3.13.4. Both server Dockerfiles in scaleapi/agentex (dockerfiles-chainguard/Dockerfile.agentex, dockerfiles-fips/Dockerfile.agentex) build from this workspace's uv.lock (vendored there as the public submodule and copied via COPY public/uv.lock), so the container image ships the vulnerable 3.13.4.

Fix

Added aiohttp>=3.14.1 to [tool.uv] override-dependencies in pyproject.toml, mirroring the existing transitive CVE floors (fastapi/starlette/python-multipart/etc.), then regenerated uv.lock.

Package Installed Fixed
aiohttp 3.13.4 3.14.1

Clears 11 CVEs including CVE-2026-54273 and CVE-2026-54274.

Verification

  • uv lock --upgrade-package aiohttpUpdated aiohttp v3.13.4 -> v3.14.1, 198 packages resolved. All deps resolve from public PyPI (no CodeArtifact needed).
  • Lock diff is limited to the aiohttp package block (version + wheel hashes) plus the manifest override entry — no transitive additions/removals.
  • uv export --frozen --no-dev --package agentex-backend (the exact Dockerfile step) succeeds and pins aiohttp==3.14.1.
  • aiohttp 3.14.1 imports cleanly under CPython 3.12.

Downstream

After merge, the public submodule pointer in scaleapi/agentex should be advanced to include this commit so the server image rebuild picks up the fix.

🤖 Generated with Claude Code

Greptile Summary

Bumps aiohttp from 3.13.4 → 3.14.1 by adding a >=3.14.1 floor to [tool.uv] override-dependencies in pyproject.toml and regenerating uv.lock, clearing 11 CVEs in the transitively-resolved 3.13.x line. The approach mirrors the existing CVE-floor pattern already in place for fastapi, starlette, python-multipart, and others.

  • pyproject.toml: Adds "aiohttp>=3.14.1" to the override-dependencies list with an explanatory comment naming the CVEs fixed; no upper bound is set, keeping the semantics consistent with the other security floors in this block.
  • uv.lock: Version, sdist hash, and all per-platform wheel hashes are updated to 3.14.1; a new typing-extensions dependency entry appears in the aiohttp block (a new runtime requirement in 3.14.x, already present elsewhere in the lock as a transitive dep — no net additions to the lock).

Confidence Score: 5/5

Minimal-footprint security bump: two generated/manifest files changed, no application logic touched.

The only changes are the override-dependencies entry in pyproject.toml and the corresponding regenerated uv.lock block. The pattern is identical to the existing CVE floors already in the file, the floor has no upper bound (safe for a security minimum), and the typing-extensions addition in the aiohttp 3.14.1 dep block is expected and already satisfied by the lockfile. No application code is modified.

No files require special attention. The downstream step of advancing the public submodule pointer in scaleapi/agentex is called out in the PR description and is outside this changeset.

Important Files Changed

Filename Overview
pyproject.toml Adds aiohttp>=3.14.1 override with a descriptive CVE comment; follows the established pattern for security floors in this file exactly.
uv.lock Generated lockfile update: version bumped to 3.14.1, override entry added, all wheel hashes replaced with 3.14.1 hashes, typing-extensions listed as a new dep of aiohttp (already present in the lock elsewhere).

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["agentex-sdk / litellm\n(transitive pullers)"] -->|"resolves aiohttp"| B["aiohttp 3.13.4\n❌ 11 CVEs"]
    C["pyproject.toml\noverride-dependencies\naiohttp>=3.14.1"] -->|"uv floor override"| D["uv lock --upgrade-package aiohttp"]
    D --> E["aiohttp 3.14.1\n✅ CVEs cleared"]
    E --> F["uv.lock\n(198 packages, frozen)"]
    F --> G["Dockerfile COPY public/uv.lock\nuv export --frozen --no-dev\n--package agentex-backend"]
    G --> H["agentex server image\naiohttp==3.14.1 pinned"]
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A["agentex-sdk / litellm\n(transitive pullers)"] -->|"resolves aiohttp"| B["aiohttp 3.13.4\n❌ 11 CVEs"]
    C["pyproject.toml\noverride-dependencies\naiohttp>=3.14.1"] -->|"uv floor override"| D["uv lock --upgrade-package aiohttp"]
    D --> E["aiohttp 3.14.1\n✅ CVEs cleared"]
    E --> F["uv.lock\n(198 packages, frozen)"]
    F --> G["Dockerfile COPY public/uv.lock\nuv export --frozen --no-dev\n--package agentex-backend"]
    G --> H["agentex server image\naiohttp==3.14.1 pinned"]
Loading

Reviews (1): Last reviewed commit: "sec: bump aiohttp 3.13.4 -> 3.14.1 to cl..." | Re-trigger Greptile

aiohttp is a transitive dependency (via agentex-sdk / litellm) resolved at
3.13.4 in the workspace lock, which the agentex server image builds from
(dockerfiles-*/Dockerfile.agentex COPY public/uv.lock). Adds an
`aiohttp>=3.14.1` entry to [tool.uv] override-dependencies, mirroring the
existing transitive CVE floors, and regenerates uv.lock.

Fixed:
- aiohttp 3.13.4 -> 3.14.1 (clears 11 CVEs incl. CVE-2026-54273 / CVE-2026-54274)

Lock regenerated with `uv lock --upgrade-package aiohttp` (all deps resolve
from public PyPI; no CodeArtifact needed). Diff is limited to the aiohttp
package block; no transitive additions/removals.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@scale-ballen scale-ballen requested a review from a team as a code owner July 13, 2026 21:20
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedpypi/​aiohttp@​3.13.4 ⏵ 3.14.197 +1100 +21100100100

View full report

@scale-ballen scale-ballen changed the title sec: bump aiohttp 3.13.4 -> 3.14.1 (clears 11 CVEs, agentex server image) fix(agentex): bump aiohttp 3.13.4 -> 3.14.1 (clears 11 CVEs, agentex server image) Jul 13, 2026
@scale-ballen scale-ballen merged commit 3001351 into main Jul 13, 2026
13 of 15 checks passed
@scale-ballen scale-ballen deleted the prodsec/agentex-cve-bumps branch July 13, 2026 22:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants