fix(deps): consolidate remediation grype/cargo-audit vulnerabilities across npm, python, rust, and go#668
Merged
Merged
Conversation
Remediate grype/syft-reported advisories across ecosystems. npm: - docs/docusaurus: override http-proxy-middleware ^2.0.10, js-yaml@^3 ^3.15.0 - 516 chat-with-your-factory: override uuid@^11 ^11.1.1 python: - .github/requirements/checkov: aiohttp>=3.14.1 - 510 camera-dashboard: lxml-html-clean>=0.4.5, relax lxml>=6.1.1, aiohttp 3.14.1 - 506 ros2-connector: numpy 2.5.1, remove unused opencv-python (resolves 4->5 dependabot) rust: - 507 ai-inference: crossbeam-epoch 0.9.20 (clears RUSTSEC-2026-0204), tracing-opentelemetry 0.33 / opentelemetry_sdk 0.32 - 511 wasm map operator: crossbeam-epoch 0.9.20 go: - GO-2026-5932 verified unreachable; no suppression required Root requirements aiohttp left at 3.13.5 due to checkov~=3.3.6 cap (see ID-01).
📚 Documentation Health ReportGenerated on: 2026-07-09 13:47:29 UTC 📈 Documentation Statistics
🏗️ Three-Tree Architecture Status
🔍 Quality Metrics
This report is automatically generated by the Documentation Automation workflow. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #668 +/- ##
=======================================
Coverage 31.79% 31.79%
=======================================
Files 40 40
Lines 6017 6017
=======================================
Hits 1913 1913
Misses 4104 4104
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
bindsi
approved these changes
Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR remediates the dependency advisories surfaced by grype/syft and cargo-audit for the tracking issue, touching only dependency manifests and their compiled lockfiles across four ecosystems. No application logic changed. Each ecosystem uses its idiomatic pinning mechanism — npm overrides, pip-compile .in/.txt pairs, and Cargo manifest plus Cargo.lock — and every version change carries regenerated hashes or integrity values.
Python
>=3.14.1in .github/requirements/checkov.in (compiled checkov.txt moved 3.13.5 → 3.14.1) to resolve GHSA-h44m-gjqg-c33q, regenerating the hash block and refreshing source comments.lxml==6.1.0tolxml>=6.1.1and added the split-outlxml-html-clean>=0.4.5sanitization package.opencv-python==4.13.0.92(clears a 4→5 dependabot conflict).Rust
tracing-opentelemetryconstraint raised to"0.33", with the lockfile moving opentelemetry 0.26.0 → 0.32.0 and tracing-opentelemetry 0.27.0 → 0.33.0. This flattened the separateopentelemetry_sdk0.26.0 crate and an orphanedglob0.3.3 dependency out of the tree.npm
http-proxy-middleware ^2.0.10(lockfile 2.0.9 → 2.0.10) and the transitivejs-yaml@^3 ^3.15.0(lockfile 3.14.2 → 3.15.0).uuid@^11to^11.1.1(lockfile 11.1.0 → 11.1.1 under the@microsoft/agents-*scopes).Go
Related Issue
Fixes #667
Related to #664
Type of Change
Implementation Details
Version changes were introduced at the manifest level and the compiled lockfiles regenerated so that hashes and integrity values match. Transitive advisories were addressed with the least-invasive mechanism per ecosystem: npm
overridesblocks for indirect JavaScript packages, explicit pins in pip-compile.infiles re-locked into.txt, and Cargo manifest constraint bumps re-resolved intoCargo.lock. Two opportunistic cleanups accompanied the remediation — the unusedopencv-pythondependency was dropped from 506-ros2-connector, and the OpenTelemetry upgrade removed the now-redundantopentelemetry_sdkandglobcrates. Root requirements.in/requirements.txt were intentionally left unchanged; aiohttp stays at 3.13.5 there because of thecheckov~=3.3.6cap, so the pin was scoped to .github/requirements/checkov.Testing Performed
Validation Steps
pip-compilefor the affected.infiles (checkov, camera-dashboard, ros2-connector),npm installin docs/docusaurus and 516-chat-with-your-factory, andcargo check/cargo buildfor the 507-ai-inference and 511-rust-embedded-wasm-provider crates.Checklist
terraform fmton all Terraform codeterraform validateon all Terraform codeaz bicep formaton all Bicep codeaz bicep buildto validate all Bicep codeSecurity Review
Additional Notes
security-reviewedlabel gate does not apply.Screenshots (if applicable)