fix(deps): bump bot socketio floors for GHSA DoS advisories#2870
r266-tech wants to merge 1 commit into
Summary
- `bot` extra floor to `python-socketio>=5.16.2`
- `python-engineio>=4.13.2` floor for the same bot runtime path
- `uv.lock` so frozen installs resolve `python-socketio==5.16.3` and `python-engineio==4.13.3`

Why
The bot extra imports Socket.IO for the Mochat channel path. The previous lock resolved:
- `python-socketio==5.16.1`, which is in range for GHSA-5w7q-77mv-v69f
- `python-engineio==4.13.1`, which is in range for GHSA-cgwc-pv48-fhj5 and GHSA-m9gh-vj53-gvh9

All three advisories are denial-of-service issues in the Socket.IO/Engine.IO stack, so this affects a network-facing optional runtime extra rather than a dev-only dependency.
Lockfile note
Running `uv lock` also synchronized existing main-branch manifest/lock drift: `pyproject.toml` already declares `feedparser>=6.0.0`, `defusedxml>=0.7.1`, `litellm>=1.83.7,<1.89.3`, and `python-multipart>=0.0.31`, while parts of `uv.lock` still reflected older generated metadata. The only manifest changes in this PR are the two bot Socket.IO floors; the additional lock hunks are resolver output needed for `uv lock --check` against the current manifest.

Checks
- `uv lock --check`
- `pyproject.toml`/`uv.lock`: assert the bot extra floors and locked versions are above the patched floors
- `git diff --check`

I also attempted `uv sync --python /Users/admin/.local/bin/python3.12 --frozen --extra bot`; dependency installation resolved and started but was stopped locally after hanging during the large bot-extra install. The lock consistency checks above passed.