
fix(security): address all Dependabot vulnerability alerts#617

Merged
nicoloboschi merged 1 commit into main from fix/dependabot-security-updates
Mar 19, 2026

Conversation

@nicoloboschi
Collaborator

Summary

  • Python: Updated authlib (1.6.9), pyasn1 (0.6.3), pyjwt (2.12.1), orjson (3.11.7), tornado (6.5.5) across root, integration-tests, and crewai lock files
  • npm: Updated next to ^16.1.7 (resolves to 16.2.0); added overrides for undici >=7.24.0, fast-xml-parser >=5.5.6, flatted >=3.4.0, svgo >=3.3.3, dompurify >=3.3.2
  • Closes all 29 open Dependabot alerts; npm audit reports 0 vulnerabilities

Alerts addressed

| Package | Old | New | Severity | Issue |
|---|---|---|---|---|
| authlib | 1.6.6 | 1.6.9 | critical/high | JWS header injection, OIDC hash binding bypass, Bleichenbacher padding oracle |
| pyasn1 | 0.6.2 | 0.6.3 | high | Unbounded recursion DoS |
| pyjwt | 2.10.1 | 2.12.1 | high | Accepts unknown crit header extensions |
| orjson | 3.11.4 | 3.11.7 | high | Unbounded recursion DoS on deeply nested JSON |
| tornado | 6.5.2 | 6.5.5 | high/medium | Multipart DoS, incomplete cookie attribute validation |
| next | 16.1.6 | 16.2.0 | medium/low | HTTP smuggling, CSRF bypass (null origin), cache/buffer DoS |
| undici | 7.18.2 | 7.24.0 | high/medium | WebSocket overflow/crash, HTTP smuggling, CRLF injection, DoS |
| fast-xml-parser | 4.5.4 | 5.5.6 | high | Numeric entity expansion bypass (incomplete CVE-2026-26278 fix) |
| flatted | 3.3.3 | 3.4.0 | high | Unbounded recursion DoS in parse() |
| svgo | 3.3.2 | 3.3.3 | high | DOCTYPE entity expansion DoS (Billion Laughs) |
| dompurify | 3.3.1 | 3.3.2 | medium | Cross-site scripting vulnerability |

Test plan

  • CI passes (lint + tests)
  • npm audit reports 0 vulnerabilities
  • Control plane builds successfully with Next.js 16.2.0

Python (uv.lock, pyproject.toml):
- authlib 1.6.6 → 1.6.9 (JWS header injection, OIDC hash binding, Bleichenbacher padding oracle)
- pyasn1 0.6.2 → 0.6.3 (unbounded recursion DoS)
- pyjwt 2.10.1 → 2.12.1 (unknown crit header extensions - also in integration-tests and crewai)
- orjson 3.11.4 → 3.11.7 (deeply nested JSON recursion DoS)
- tornado 6.5.2 → 6.5.5 (multipart DoS, incomplete cookie validation)

npm (package.json, package-lock.json):
- next ^16.1.6 → ^16.1.7 (HTTP smuggling, CSRF bypass, cache DoS, null origin bypass)
- fast-xml-parser override updated to >=5.5.6 (numeric entity expansion bypass)
- undici override added >=7.24.0 (WebSocket overflow, smuggling, CRLF injection, DoS)
- flatted override added >=3.4.0 (unbounded recursion DoS)
- svgo override added >=3.3.3 (DOCTYPE entity expansion DoS)
- dompurify override added >=3.3.2 (XSS vulnerability)
@nicoloboschi nicoloboschi merged commit 4c4b356 into main Mar 19, 2026
39 of 40 checks passed