Skip to content

Update dependencies#3

Merged
CassidyPrather merged 2 commits into
mainfrom
claude/dependabot-vuln-review-k27i24
Jul 4, 2026
Merged

Update dependencies#3
CassidyPrather merged 2 commits into
mainfrom
claude/dependabot-vuln-review-k27i24

Conversation

@CassidyPrather

Copy link
Copy Markdown
Owner

claude added 2 commits July 3, 2026 23:46
cryptography wheels prior to 48.0.1 statically link a copy of OpenSSL
that is vulnerable to the OpenSSL security advisory published
2026-06-09 (https://openssl-library.org/news/secadv/20260609.txt).
Only PyPI wheel users are affected; 48.0.1 rebuilds against a patched
OpenSSL.

cryptography is a dev-only transitive dependency
(twine -> keyring -> secretstorage -> cryptography), so only the lock
is updated; no pyproject.toml constraint is needed. The bump is pinned
to the exact fixed patch release rather than the 49.x major to keep the
change minimal.

Re-scanning every locked package against PyPI's advisory data now
reports no known vulnerabilities.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AQTWuBkS5i8QUJmwihPxFt
Update the two Astral dev tools to the newest releases permitted by the
repo's uv security policy (exclude-newer: 2d for ruff, 1d for ty; both
capped < 1). ruff 0.15.20 and ty 0.0.56 are the latest inside those
windows as of this commit.

ruff 0.15.x refines rule S603 (subprocess-without-shell-equals-true) so
it no longer fires on a subprocess call whose command list is entirely
string literals. That makes the `# noqa: S603` on the fully-literal call
in test_parser_no_subcommand_shows_help unused (flagged by RUF100), so
it is removed. The remaining S603 suppressions stay: those calls build
their command from a runtime `package_name` variable and are still
flagged.

ruff check, ruff format --check, ty check, and pytest all pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AQTWuBkS5i8QUJmwihPxFt
@CassidyPrather CassidyPrather merged commit 470bcac into main Jul 4, 2026
2 checks passed
@CassidyPrather CassidyPrather deleted the claude/dependabot-vuln-review-k27i24 branch July 4, 2026 01:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants