Skip to content

v4.0.2: bump vulnerable deps#324

Merged
level09 merged 2 commits into
mainfrom
security/v4.0.2-deps
May 6, 2026
Merged

v4.0.2: bump vulnerable deps#324
level09 merged 2 commits into
mainfrom
security/v4.0.2-deps

Conversation

@level09

@level09 level09 commented Apr 25, 2026

Copy link
Copy Markdown
Collaborator

Summary

Patch release addressing 11 open Dependabot advisories in uv.lock (high + medium severity). All fixes are minor/patch-level dependency bumps. No code changes.

Package From To Severity Advisory
lxml 6.0.2 6.1.0 high GHSA-pp7h-53gx-mx7r — XXE in iterparse/ETCompatXMLParser
pillow 12.1.1 12.2.0 high GHSA-2vfv-wwj6-7q47 — FITS GZIP decompression bomb
pypdf 6.10.0 6.10.2 medium 3 advisories — RAM exhaustion via crafted PDFs
python-dotenv 1.2.1 1.2.2 medium symlink-following in set_key
Mako 1.3.10 1.3.11 medium path traversal in TemplateLookup
pytest (dev) 9.0.2 9.0.3 medium vulnerable tmpdir handling

pip <= 26.0.1 (alert #159) is also flagged but no patched version is available yet upstream — left for a follow-up.

Frontend advisories (dompurify, vite, uuid in docs/package-lock.json) are scoped to the docs site and tracked separately.

Test plan

  • uv sync --extra dev clean
  • uv run pytest -q773 passed, 4 skipped in 29.5 s
  • After merge, bump production and tag v4.0.2

@level09 level09 requested a review from apodacaduron as a code owner April 25, 2026 13:11
@level09 level09 self-assigned this Apr 25, 2026
@coderabbitai

coderabbitai Bot commented Apr 25, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b7fe2793-9c53-4d61-9031-863ea36787a8

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch security/v4.0.2-deps

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@apodacaduron

Copy link
Copy Markdown
Contributor

Test Summary

Tested on a fresh local instance:

  • PDF upload via media import
  • OCR on PDF and image files (JPG, PNG, GIF)
  • Bulletin/Actor/Incident PDF export
  • App startup and .env config loading
  • Setup wizard env var writing
  • General app functionality (navigation, core features) — no regressions observed
  • Data imports — no issues

All passed. Dependency bumps are patch-level with no code changes, automated suite confirms 773/773. Approving.


Notes (unrelated to this PR):

  • /admin/activity/ — “Show Query” inputs should be read-only. Some of them are not, likely since the recent advanced query layout improvements.
  • New admin account — can_self_assign is not applied until the account is saved once via the Users page.
  • /import/media/ — the file picker allows .mov and .webp, which are not supported by default. It seems to be using config.ETL_VID_EXT, but I think this specific case should use config.MEDIA_ALLOWED_EXTENSIONS instead. Also, Step 2 “Attach data to files” has an out-of-place yellow background.

@level09 level09 merged commit f96206f into main May 6, 2026
11 checks passed
@level09 level09 deleted the security/v4.0.2-deps branch May 6, 2026 10:14
@level09

level09 commented May 6, 2026

Copy link
Copy Markdown
Collaborator Author

@apodacaduron Thanks for reporting this. I’ve added these bugs to our Jira roadmap and we’ll address them in an upcoming PRs.

level09 added a commit that referenced this pull request May 14, 2026
## Summary

Updates the existing v4.0.2 changelog section to cover everything that
has landed since #324 (the v4.0.2 prep PR), so the entry reflects what
will actually ship in the v4.0.2 release.

## Added to v4.0.2 entry

**Security**
- urllib3 2.6.3 -> 2.7.0 (high, 2 GHSAs)
- axios 1.15.0 -> 1.16.0 (DoS)

**Fixed**
- Admin Reload button now triggers an actual uWSGI reload (touch-reload
wiring)
- Allowed-extensions validator now accepts up to 5-character extensions
- Restored native browser PDF viewer

## Post-merge

Once this lands, tag `v4.0.2` on the resulting main commit and publish
the GitHub release.

## Test plan

- [x] Changelog renders correctly (markdown sanity check)
- [x] No code changes, docs only
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants