
Fix 15 Dependabot security vulnerabilities#108

Merged
Res260 merged 9 commits into main from fix-dependabot-security on May 31, 2026

Conversation

Collaborator

@Res260 Res260 commented May 31, 2026

Summary

  • Bumps black 25.1.0 → 26.5.1 (fixes arbitrary file write via unsanitized cache filename — high)
  • Bumps requests 2.32.4 → 2.34.2 (fixes insecure temp file reuse — medium)
  • Bumps urllib3 2.5.0 → 2.7.0 (fixes 4 CVEs: header forwarding, decompression bombs, unbounded redirect chains — high)
  • Bumps idna 3.10 → 3.17 (fixes CVE-2024-3651 bypass — medium)
  • Bumps pillow 11.3.0 → 12.2.0 (fixes 5 CVEs: OOB write, integer overflows, GZIP bomb, heap buffer overflow — high/medium)
  • Bumps fonttools 4.59.0 → 4.63.0 (fixes arbitrary file write and XML injection — medium)
  • Bumps pygments 2.19.2 → 2.20.0 (fixes ReDoS via inefficient GUID regex — low)
  • Adds black>=26.3.1 and requests>=2.33.0 lower bounds to pyproject.toml so pip/uv/pipx installs also get safe versions (not just Poetry)
  • Expands CI matrix to test all three install methods (pip, poetry, uv)

Resolves Dependabot alerts #3, #4, #5, #6, #7, #8, #10, #11, #12, #13, #14, #15, #16, #17, #18.

Test plan

  • All three CI matrix jobs (pip, poetry, uv) pass
  • Confirm Dependabot alerts are dismissed after merge

🤖 Generated with Claude Code

Other change: added a matrix to test uv, pip and poetry in CI instead of just pip. This ensures that whatever the installation method, ctf works correctly.

Bumps black (25.1.0→26.5.1), requests (2.32.4→2.34.2), urllib3
(2.5.0→2.7.0), idna (3.10→3.17), pillow (11.3.0→12.2.0), fonttools
(4.59.0→4.63.0), and pygments (2.19.2→2.20.0) to versions that resolve
all open Dependabot alerts (#3-#18).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@Res260 Res260 force-pushed the fix-dependabot-security branch from 2835cf9 to f43bae8 on May 31, 2026 22:12
Res260 and others added 8 commits May 31, 2026 18:19
Adds a matrix strategy to the CI job so that the full deployment test
runs against all three supported install methods. The poetry path uses
poetry.lock (verifying pinned safe versions); pip and uv paths resolve
from pyproject.toml constraints (verifying the new lower bounds added
for black and requests).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Émilio Gonzalez <little.moon6016@fastmail.com>
uv pip install in a bare shell doesn't reliably pick up the manually
created .venv, causing extras like pybadges/matplotlib to be missed.
uv sync --extra workflow always installs into .venv and is the
idiomatic way to install a project with extras using uv.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
uv sync installs into an isolated .venv using uv's managed Python,
so the ctf script's shebang can point to a different Python than the
one with pybadges in its sys.path. Using --system installs into the
same Python environment as pip does, making ctf and all its extras
available without any PATH or venv management.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
--system fails on ubuntu-24.04 due to PEP 668 (externally managed
Python). pip install works because it targets GitHub Actions' managed
Python environment, not the system Python. Creating the venv with
python3 -m venv uses that same Python; uv auto-detects .venv and
installs into it, so ctf and pybadges share the same interpreter.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
python3 -m venv creates symlinks by default: .venv/bin/python3 points
to /usr/bin/python3. When uv generates the ctf console script it
resolves that symlink and writes #!/usr/bin/python3 as the shebang.
Python then starts outside the venv directory, never finds pyvenv.cfg,
skips venv activation, and sys.path excludes .venv site-packages —
so pybadges is installed but invisible.

--copies puts a real binary at .venv/bin/python3.12. uv writes that
path as the shebang; Python finds pyvenv.cfg next to it and activates
the venv correctly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Émilio Gonzalez <little.moon6016@fastmail.com>
Root cause of the uv CI failure: pybadges imports pkg_resources, which
setuptools >= 81 no longer ships. This was never a uv venv/shebang
issue — the earlier --copies/--system/uv sync attempts were red
herrings.

Why only uv failed:
- poetry.lock pinned setuptools 80.9.0 (< 81) -> poetry passed
- pip used the runner's preinstalled old setuptools -> passed by luck
- uv.lock pinned setuptools 82.0.1 (>= 81) -> pybadges import failed
  with "No module named 'pkg_resources'", surfaced as
  "Module pybadges was not found" in ctf stats --generate-badges

Pin setuptools<81 in the workflow extra (where pybadges lives, so the
constraint is self-documenting) and regenerate both lockfiles. Verified
end-to-end: uv run --locked + bare `ctf stats --generate-badges` now
generates badges successfully.

Also switch the poetry CI step to `poetry sync` for a clean environment.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
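The last commit above traces a misleading "Module pybadges was not found" to a missing transitive import (pkg_resources, dropped from setuptools >= 81). The following is an added example, not code from this PR or the ctf project: a small diagnostic that tells a module that is itself absent apart from one that is installed but fails on one of its own imports, using the `name` attribute of ModuleNotFoundError. The fixture module names (fake_badges, pkg_resources_gone_xyz, no_such_module_xyz) are constructed for the demo and written to a temporary directory so it runs offline.

```python
"""Added example: tell "module X is not installed" apart from
"module X is installed but one of its own imports is missing".

Not code from the ctf project or this PR.  The fixture module names
(fake_badges, pkg_resources_gone_xyz, no_such_module_xyz) are
constructed for the demo and written to a temporary directory.
"""
import importlib
import os
import sys
import tempfile


def diagnose_import(module_name):
    """Import module_name and classify the outcome.

    Returns one of:
      ("ok", None)               import succeeded
      ("missing", module_name)   the module itself is not installed
      ("broken-dep", dep_name)   the module exists but raised
                                 ModuleNotFoundError for dep_name

    A wrapper that only catches ImportError and reports
    "module_name was not found" collapses the last two cases into one,
    which is how a missing pkg_resources can look like a missing pybadges.
    """
    try:
        importlib.import_module(module_name)
    except ModuleNotFoundError as exc:
        missing = exc.name or module_name
        # Missing top-level module, or a missing submodule of it, counts
        # as "the module is not installed"; anything else is a dependency.
        if missing == module_name or missing.startswith(module_name + "."):
            return ("missing", missing)
        return ("broken-dep", missing)
    return ("ok", None)


def write_fixture_module(directory, name, body):
    """Write a throwaway module file so the demo runs offline."""
    path = os.path.join(directory, name + ".py")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)
    importlib.invalidate_caches()  # new file appeared on a sys.path entry
    return path


def run_demo():
    """Create a module whose own import fails and diagnose three cases."""
    tmp = tempfile.mkdtemp(prefix="import-diag-")
    sys.path.insert(0, tmp)
    try:
        # Constructed stand-in for pybadges: present on sys.path, but it
        # imports a dependency that is not installed (constructed name).
        write_fixture_module(tmp, "fake_badges", "import pkg_resources_gone_xyz\n")
        return {
            "fake_badges": diagnose_import("fake_badges"),
            "no_such_module_xyz": diagnose_import("no_such_module_xyz"),
            "json": diagnose_import("json"),
        }
    finally:
        sys.path.remove(tmp)


if __name__ == "__main__":
    for mod, (status, detail) in run_demo().items():
        print(f"{mod}: {status}" + (f" ({detail})" if detail else ""))
```

The first case is the shape of the CI failure described in the commit: the package is installed, so a "not found" message points at the wrong thing; reporting `exc.name` instead names the real culprit.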
@Res260 Res260 merged commit f896d31 into main May 31, 2026
3 checks passed
@Res260 Res260 deleted the fix-dependabot-security branch May 31, 2026 23:40

1 participant