fix(agentex): bump aiohttp 3.13.4 -> 3.14.1 (clears 11 CVEs, agentex server image)#359
Merged
Merged
Conversation
aiohttp is a transitive dependency (via agentex-sdk / litellm) resolved at 3.13.4 in the workspace lock, which the agentex server image builds from (dockerfiles-*/Dockerfile.agentex COPY public/uv.lock). Adds an `aiohttp>=3.14.1` entry to [tool.uv] override-dependencies, mirroring the existing transitive CVE floors, and regenerates uv.lock. Fixed: - aiohttp 3.13.4 -> 3.14.1 (clears 11 CVEs incl. CVE-2026-54273 / CVE-2026-54274) Lock regenerated with `uv lock --upgrade-package aiohttp` (all deps resolve from public PyPI; no CodeArtifact needed). Diff is limited to the aiohttp package block; no transitive additions/removals. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
broc-bozeman
approved these changes
Jul 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Bumps aiohttp from 3.13.4 → 3.14.1 in the workspace lockfile that the agentex server image builds from.
aiohttpis a transitive dependency (pulled viaagentex-sdk/litellm), resolved at 3.13.4. Both server Dockerfiles inscaleapi/agentex(dockerfiles-chainguard/Dockerfile.agentex,dockerfiles-fips/Dockerfile.agentex) build from this workspace'suv.lock(vendored there as thepublicsubmodule and copied viaCOPY public/uv.lock), so the container image ships the vulnerable 3.13.4.Fix
Added
aiohttp>=3.14.1to[tool.uv] override-dependenciesinpyproject.toml, mirroring the existing transitive CVE floors (fastapi/starlette/python-multipart/etc.), then regenerateduv.lock.Clears 11 CVEs including CVE-2026-54273 and CVE-2026-54274.
Verification
uv lock --upgrade-package aiohttp→Updated aiohttp v3.13.4 -> v3.14.1, 198 packages resolved. All deps resolve from public PyPI (no CodeArtifact needed).aiohttppackage block (version + wheel hashes) plus the manifest override entry — no transitive additions/removals.uv export --frozen --no-dev --package agentex-backend(the exact Dockerfile step) succeeds and pinsaiohttp==3.14.1.aiohttp 3.14.1imports cleanly under CPython 3.12.Downstream
After merge, the
publicsubmodule pointer inscaleapi/agentexshould be advanced to include this commit so the server image rebuild picks up the fix.🤖 Generated with Claude Code
Greptile Summary
Bumps
aiohttpfrom 3.13.4 → 3.14.1 by adding a>=3.14.1floor to[tool.uv] override-dependenciesinpyproject.tomland regeneratinguv.lock, clearing 11 CVEs in the transitively-resolved 3.13.x line. The approach mirrors the existing CVE-floor pattern already in place forfastapi,starlette,python-multipart, and others.pyproject.toml: Adds"aiohttp>=3.14.1"to theoverride-dependencieslist with an explanatory comment naming the CVEs fixed; no upper bound is set, keeping the semantics consistent with the other security floors in this block.uv.lock: Version, sdist hash, and all per-platform wheel hashes are updated to 3.14.1; a newtyping-extensionsdependency entry appears in theaiohttpblock (a new runtime requirement in 3.14.x, already present elsewhere in the lock as a transitive dep — no net additions to the lock).Confidence Score: 5/5
Minimal-footprint security bump: two generated/manifest files changed, no application logic touched.
The only changes are the override-dependencies entry in pyproject.toml and the corresponding regenerated uv.lock block. The pattern is identical to the existing CVE floors already in the file, the floor has no upper bound (safe for a security minimum), and the typing-extensions addition in the aiohttp 3.14.1 dep block is expected and already satisfied by the lockfile. No application code is modified.
No files require special attention. The downstream step of advancing the public submodule pointer in scaleapi/agentex is called out in the PR description and is outside this changeset.
Important Files Changed
aiohttp>=3.14.1override with a descriptive CVE comment; follows the established pattern for security floors in this file exactly.typing-extensionslisted as a new dep of aiohttp (already present in the lock elsewhere).Flowchart
%%{init: {'theme': 'neutral'}}%% flowchart TD A["agentex-sdk / litellm\n(transitive pullers)"] -->|"resolves aiohttp"| B["aiohttp 3.13.4\n❌ 11 CVEs"] C["pyproject.toml\noverride-dependencies\naiohttp>=3.14.1"] -->|"uv floor override"| D["uv lock --upgrade-package aiohttp"] D --> E["aiohttp 3.14.1\n✅ CVEs cleared"] E --> F["uv.lock\n(198 packages, frozen)"] F --> G["Dockerfile COPY public/uv.lock\nuv export --frozen --no-dev\n--package agentex-backend"] G --> H["agentex server image\naiohttp==3.14.1 pinned"]%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%% flowchart TD A["agentex-sdk / litellm\n(transitive pullers)"] -->|"resolves aiohttp"| B["aiohttp 3.13.4\n❌ 11 CVEs"] C["pyproject.toml\noverride-dependencies\naiohttp>=3.14.1"] -->|"uv floor override"| D["uv lock --upgrade-package aiohttp"] D --> E["aiohttp 3.14.1\n✅ CVEs cleared"] E --> F["uv.lock\n(198 packages, frozen)"] F --> G["Dockerfile COPY public/uv.lock\nuv export --frozen --no-dev\n--package agentex-backend"] G --> H["agentex server image\naiohttp==3.14.1 pinned"]Reviews (1): Last reviewed commit: "sec: bump aiohttp 3.13.4 -> 3.14.1 to cl..." | Re-trigger Greptile