Skip to content

fix(deps): consolidate remediation grype/cargo-audit vulnerabilities across npm, python, rust, and go#668

Merged
katriendg merged 1 commit into
mainfrom
deps/667-remediate
Jul 9, 2026
Merged

fix(deps): consolidate remediation grype/cargo-audit vulnerabilities across npm, python, rust, and go#668
katriendg merged 1 commit into
mainfrom
deps/667-remediate

Conversation

@katriendg

Copy link
Copy Markdown
Collaborator

Description

This PR remediates the dependency advisories surfaced by grype/syft and cargo-audit for the tracking issue, touching only dependency manifests and their compiled lockfiles across four ecosystems. No application logic changed. Each ecosystem uses its idiomatic pinning mechanism — npm overrides, pip-compile .in/.txt pairs, and Cargo manifest plus Cargo.lock — and every version change carries regenerated hashes or integrity values.

Python

  • Pinned aiohttp to >=3.14.1 in .github/requirements/checkov.in (compiled checkov.txt moved 3.13.5 → 3.14.1) to resolve GHSA-h44m-gjqg-c33q, regenerating the hash block and refreshing source comments.
  • In the 510-onvif-connector camera-dashboard, relaxed lxml==6.1.0 to lxml>=6.1.1 and added the split-out lxml-html-clean>=0.4.5 sanitization package.
  • In the 506-ros2-connector base requirements, bumped numpy 2.5.0 → 2.5.1 and removed the unused opencv-python==4.13.0.92 (clears a 4→5 dependabot conflict).

Rust

  • Upgraded the OpenTelemetry stack in 507-ai-inference ai-edge-inference: tracing-opentelemetry constraint raised to "0.33", with the lockfile moving opentelemetry 0.26.0 → 0.32.0 and tracing-opentelemetry 0.27.0 → 0.33.0. This flattened the separate opentelemetry_sdk 0.26.0 crate and an orphaned glob 0.3.3 dependency out of the tree.
  • Bumped crossbeam-epoch 0.9.18 → 0.9.20 across every Rust lockfile in the tree — the three ai-edge-inference crate lockfiles and the 511-rust-embedded-wasm-provider map operator — to clear RUSTSEC-2026-0204.

npm

  • Added overrides in docs/docusaurus for http-proxy-middleware ^2.0.10 (lockfile 2.0.9 → 2.0.10) and the transitive js-yaml@^3 ^3.15.0 (lockfile 3.14.2 → 3.15.0).
  • Added an overrides entry in 516-chat-with-your-factory pinning the transitive uuid@^11 to ^11.1.1 (lockfile 11.1.0 → 11.1.1 under the @microsoft/agents-* scopes).

Go

  • No file changes. GO-2026-5932 was verified unreachable, so no suppression was required.

Related Issue

Fixes #667
Related to #664

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Blueprint modification or addition
  • Component modification or addition
  • Documentation update
  • CI/CD pipeline change
  • Other (please describe): Security dependency remediation (grype/syft/cargo-audit) across npm, Python, and Rust manifests and lockfiles

Implementation Details

Version changes were introduced at the manifest level and the compiled lockfiles regenerated so that hashes and integrity values match. Transitive advisories were addressed with the least-invasive mechanism per ecosystem: npm overrides blocks for indirect JavaScript packages, explicit pins in pip-compile .in files re-locked into .txt, and Cargo manifest constraint bumps re-resolved into Cargo.lock. Two opportunistic cleanups accompanied the remediation — the unused opencv-python dependency was dropped from 506-ros2-connector, and the OpenTelemetry upgrade removed the now-redundant opentelemetry_sdk and glob crates. Root requirements.in/requirements.txt were intentionally left unchanged; aiohttp stays at 3.13.5 there because of the checkov~=3.3.6 cap, so the pin was scoped to .github/requirements/checkov.

Testing Performed

  • Terraform plan/apply
  • Blueprint deployment test
  • Unit tests
  • Integration tests
  • Bug fix includes regression test (see Test Policy)
  • Manual validation
  • Other:

Validation Steps

  1. Confirm the lockfiles resolve cleanly: pip-compile for the affected .in files (checkov, camera-dashboard, ros2-connector), npm install in docs/docusaurus and 516-chat-with-your-factory, and cargo check/cargo build for the 507-ai-inference and 511-rust-embedded-wasm-provider crates.
  2. Re-run the vulnerability scanner (grype/cargo-audit) and confirm GHSA-h44m-gjqg-c33q and RUSTSEC-2026-0204 no longer report.
  3. Verify no unrelated manifest or root requirements files changed.

Checklist

  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have run terraform fmt on all Terraform code
  • I have run terraform validate on all Terraform code
  • I have run az bicep format on all Bicep code
  • I have run az bicep build to validate all Bicep code
  • I have checked for any sensitive data/tokens that should not be committed
  • Lint checks pass (run applicable linters for changed file types)

Security Review

  • No credentials, secrets, or tokens are hardcoded or logged
  • RBAC and identity changes follow least-privilege principles
  • No new network exposure or public endpoints introduced without justification
  • Dependency additions or updates have been reviewed for known vulnerabilities
  • Container image changes use pinned digests or SHA references

Additional Notes

  • This PR does not touch the security-sensitive paths listed above (SECURITY.md, src/000-cloud/010-security-identity/, deploy/), so the security-reviewed label gate does not apply.
  • The RUSTSEC-2026-0204 and GO-2026-5932 advisory identifiers are sourced from the commit message rather than the diff; the diff itself shows the corresponding version bumps and the absence of Go file changes.
  • Terraform and Bicep checklist items are not applicable — no .tf or .bicep files were modified.

Screenshots (if applicable)

Remediate grype/syft-reported advisories across ecosystems.

npm:
- docs/docusaurus: override http-proxy-middleware ^2.0.10, js-yaml@^3 ^3.15.0
- 516 chat-with-your-factory: override uuid@^11 ^11.1.1

python:
- .github/requirements/checkov: aiohttp>=3.14.1
- 510 camera-dashboard: lxml-html-clean>=0.4.5, relax lxml>=6.1.1, aiohttp 3.14.1
- 506 ros2-connector: numpy 2.5.1, remove unused opencv-python (resolves 4->5 dependabot)

rust:
- 507 ai-inference: crossbeam-epoch 0.9.20 (clears RUSTSEC-2026-0204),
  tracing-opentelemetry 0.33 / opentelemetry_sdk 0.32
- 511 wasm map operator: crossbeam-epoch 0.9.20

go:
- GO-2026-5932 verified unreachable; no suppression required

Root requirements aiohttp left at 3.13.5 due to checkov~=3.3.6 cap (see ID-01).
@katriendg katriendg requested a review from a team July 9, 2026 13:43
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

📚 Documentation Health Report

Generated on: 2026-07-09 13:47:29 UTC

📈 Documentation Statistics

Category File Count
Main Documentation 222
Infrastructure Components 228
Blueprints 37
GitHub Resources 26
AI Assistant Guides (Copilot) 17
Total 530

🏗️ Three-Tree Architecture Status

  • ✅ Bicep Documentation Tree: Auto-generated navigation
  • ✅ Terraform Documentation Tree: Auto-generated navigation
  • ✅ README Documentation Tree: Manual README organization

🔍 Quality Metrics

  • Frontmatter Validation:
    success
  • Link Validation: success

This report is automatically generated by the Documentation Automation workflow.

@codecov-commenter

codecov-commenter commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 31.79%. Comparing base (2011ccc) to head (910709b).

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##             main     #668   +/-   ##
=======================================
  Coverage   31.79%   31.79%           
=======================================
  Files          40       40           
  Lines        6017     6017           
=======================================
  Hits         1913     1913           
  Misses       4104     4104           
Flag Coverage Δ
rust 31.79% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@katriendg katriendg merged commit 4766fcd into main Jul 9, 2026
63 checks passed
@katriendg katriendg deleted the deps/667-remediate branch July 9, 2026 13:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

security(deps): consolidate remediation grype/cargo-audit vulnerabilities across npm, python, rust, and go

3 participants