v4.0.2: bump vulnerable deps#324
Conversation
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Test SummaryTested on a fresh local instance:
All passed. Dependency bumps are patch-level with no code changes, automated suite confirms 773/773. Approving. Notes (unrelated to this PR):
|
|
@apodacaduron Thanks for reporting this. I’ve added these bugs to our Jira roadmap and we’ll address them in an upcoming PRs. |
## Summary Updates the existing v4.0.2 changelog section to cover everything that has landed since #324 (the v4.0.2 prep PR), so the entry reflects what will actually ship in the v4.0.2 release. ## Added to v4.0.2 entry **Security** - urllib3 2.6.3 -> 2.7.0 (high, 2 GHSAs) - axios 1.15.0 -> 1.16.0 (DoS) **Fixed** - Admin Reload button now triggers an actual uWSGI reload (touch-reload wiring) - Allowed-extensions validator now accepts up to 5-character extensions - Restored native browser PDF viewer ## Post-merge Once this lands, tag `v4.0.2` on the resulting main commit and publish the GitHub release. ## Test plan - [x] Changelog renders correctly (markdown sanity check) - [x] No code changes, docs only
Summary
Patch release addressing 11 open Dependabot advisories in
uv.lock(high + medium severity). All fixes are minor/patch-level dependency bumps. No code changes.pip <= 26.0.1(alert #159) is also flagged but no patched version is available yet upstream — left for a follow-up.Frontend advisories (
dompurify,vite,uuidindocs/package-lock.json) are scoped to the docs site and tracked separately.Test plan
uv sync --extra devcleanuv run pytest -q— 773 passed, 4 skipped in 29.5 sproductionand tag v4.0.2