[AAASM-4169] 📝 (deps): Document dev-only accepted-risk for nltk Dependabot #27#218
Merged
nltk <=3.9.4 (Dependabot #27, HIGH) enters uv.lock only transitively via llama-index-core, a dev/test-only dependency. It is never in runtime [project].dependencies nor the published wheel, is never imported by agent_assembly/, and the vulnerable nltk.data.load path is never invoked. No upstream fix exists (3.9.4 is the latest release; first_patched_version: none), so no lock upgrade removes it. Document the accepted-risk near the llama-index-core pin; recommend Dependabot #27 dismissal as dev/test-only. refs AAASM-4169
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Claude Code review — AAASM-4169

Verdict: approve-ready (comment-only; Pioneer sign-off yours).
Description

Resolves the outcome for Dependabot alert #27 (HIGH) — nltk <=3.9.4, URL-encoded path traversal in `nltk.data.load()` (first_patched_version: none). Path chosen: documented accepted-risk (no lock/runtime change).

I first attempted the real fix: `uv lock --upgrade-package llama-index-core` (0.14.22 → 0.14.23) and `uv lock --upgrade-package nltk`. Neither drops the vulnerable nltk — 3.9.4 is the latest release on PyPI and no patched version exists, and the newer llama-index-core still pulls the same nltk edge. The llama-index bump alone fixes nothing, so I reverted the lock churn to keep this change minimal.

This PR instead documents the accepted-risk with an inline `# AAASM-4169:` comment next to the existing `llama-index-core` pin in `pyproject.toml`, mirroring the established `AAASM-*: dev/test-only` comment pattern.

Why this is not runtime-exploitable

- nltk enters `uv.lock` only transitively via `llama-index-core`, which is declared in `[dependency-groups].test` — not in runtime `[project].dependencies` (pydantic/httpx/typing-extensions/grpcio/protobuf only).
- Never imported by `agent_assembly/` (`grep import nltk` → zero). Present solely for importorskip-guarded LlamaIndex integration tests in CI.
- The vulnerable `nltk.data.load` code path is never invoked by the SDK or its tests.

Type of Change

Breaking Changes

No change to runtime `[project].dependencies`; no change to `uv.lock`.

Related Issues

Testing

- Comment-only change (`pyproject.toml`).

Validation on this branch:

- `uv sync` — clean; `uv.lock` unchanged (uv-lock pre-commit hook passed).
- `.venv/bin/python -m pytest test/` — 750 passed, 17 skipped, 1 rerun (skips pre-existing: `native_core` not built, optional frameworks absent).
- `.venv/bin/mypy agent_assembly` — 4 pre-existing baseline errors only (`agent_assembly._core` import-not-found ×3, grpc missing-stubs ×1); pre-commit mypy hook runs with `--ignore-missing-imports` and passes.

Recommended follow-up (engineer's call — not done in this PR)

Dismiss Dependabot alert #27 as dev/test-only. I did not auto-dismiss it. To dismiss:

```
gh api -X PATCH repos/ai-agent-assembly/python-sdk/dependabot/alerts/27 \
  -f state=dismissed -f dismissed_reason=tolerable_risk \
  -f dismissed_comment='Dev/test-only transitive via llama-index-core; not in runtime [project].dependencies or the published wheel; nltk.data.load never invoked by the SDK; no upstream patch (3.9.4 is latest, first_patched_version: none). Tracked in AAASM-4169.'
```

Checklist

🤖 Generated with Claude Code