[SKY-8441] Remove python-ecdsa from integration lock files #5190

Merged
AronPerez merged 1 commit into main from chore/NO-TICKET/remediate-CVE-2
Mar 22, 2026

Conversation

@AronPerez (Contributor)

Summary

Context

PR #5184 replaced python-jose with PyJWT in the main project, but the integration lock files still resolved skyvern==1.0.24 from PyPI (which still declares python-jose). This change points the integrations at the local source so the lock files pick up the fix.

Test Plan

  • grep -r "ecdsa" integrations/ returns no results
  • grep -r "python-jose" integrations/ returns no results
  • uv lock resolves successfully for both integrations

Add [tool.uv.sources] to resolve skyvern from local workspace instead of
PyPI, so the lock files pick up the python-jose → PyJWT migration from
PR #5184. This eliminates python-ecdsa (Minerva timing attack on P-256)
from the resolved dependency tree.

Resolves GitHub security alerts #242 and #211.
Copilot AI review requested due to automatic review settings March 22, 2026 01:48
Comment on lines +47 to 49

[tool.hatch.build.targets.sdist]
include = ["skyvern_llamaindex"]
AronPerez (Contributor, Author) commented:

Resolve skyvern from the local workspace so the lock file picks up the python-jose → PyJWT migration instead of the stale PyPI metadata

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the LangChain and LlamaIndex integration environments to resolve skyvern from the local workspace (instead of PyPI) so their lockfiles pick up the previously-remediated JWT dependency change and drop the python-jose → ecdsa chain.

Changes:

  • Add [tool.uv.sources] entries so integrations resolve skyvern from ../.. (repo root).
  • Regenerate uv.lock files to remove python-jose / ecdsa (and related packages like rsa) from the dependency graph.
  • Update locked skyvern source in the integration lockfiles to a local directory reference.

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.

File | Description
integrations/llama_index/pyproject.toml | Points skyvern dependency resolution at the local repo via [tool.uv.sources].
integrations/llama_index/uv.lock | Re-locks dependencies using local skyvern, removing python-jose/ecdsa and updating the resolved tree.
integrations/langchain/pyproject.toml | Points skyvern dependency resolution at the local repo via [tool.uv.sources].
integrations/langchain/uv.lock | Re-locks dependencies using local skyvern, removing python-jose/ecdsa and updating the resolved tree.

@AronPerez AronPerez merged commit d77c6a1 into main Mar 22, 2026
16 checks passed
@AronPerez AronPerez deleted the chore/NO-TICKET/remediate-CVE-2 branch March 22, 2026 01:55

3 participants