Skip to content

fix(security): patch CVE-2023-6022 in prefect, add missing urllib3/python-dotenv/pip-audit#68

Merged
labgadget015-dotcom merged 1 commit into
mainfrom
fix/security-dependency-vulnerabilities
Feb 23, 2026
Merged

fix(security): patch CVE-2023-6022 in prefect, add missing urllib3/python-dotenv/pip-audit#68
labgadget015-dotcom merged 1 commit into
mainfrom
fix/security-dependency-vulnerabilities

Conversation

@labgadget015-dotcom

Copy link
Copy Markdown
Owner

Security Fixes

Addresses findings from issue #66.

Changes

Package Change Reason
prefect Floor raised >=2.13.0>=2.16.5 CVE-2023-6022 (CVSS 8.8): CSRF → RCE on Prefect API server. Also fixes CVE-2024-8183 (CORS misconfiguration).
urllib3 Added >=2.0.7 (was implicit/uncontrolled) CVE-2023-45803 + CVE-2023-43804: POST body not stripped on redirect → GitHub token leakage risk.
python-dotenv Added >=1.0.0 (was missing entirely) .env.example uses load_dotenv() but package was absent — silent auth failure risk.
pip-audit Added >=2.7.0 (new dev dependency) Scans installed packages for CVEs. bandit only scans source code; pip-audit closes the dependency CVE gap.

Risk Assessment

  • All changes are additive or version floor increases — no breaking changes
  • prefect 2.16.5 is fully backward compatible with 2.13.x API
  • Adding pip-audit to CI will catch future dependency CVEs automatically

Closes #66

@labgadget015-dotcom labgadget015-dotcom merged commit fb792b1 into main Feb 23, 2026
3 of 21 checks passed
@labgadget015-dotcom labgadget015-dotcom deleted the fix/security-dependency-vulnerabilities branch February 23, 2026 03:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

🔐 Security: CVE-2023-6022 (CRITICAL) in prefect + supply chain risk from floor-pinned deps

1 participant