
fix: upgrade dependencies to resolve Dependabot security alerts#111

Open

gkorland wants to merge 1 commit into staging from fix/dependabot-security-alerts

Conversation

@gkorland
Contributor

Summary

Upgrades vulnerable dependencies to resolve open Dependabot security alerts.

Updated packages

Package       Before   After    Severity  CVE/Issue
flask         3.1.2    3.1.3    Low       Session Vary: Cookie header fix
werkzeug      3.1.5    3.1.6    Medium    safe_join() Windows device names
pypdf         5.9.0    6.7.2    Medium    Multiple DoS/infinite loop fixes
requests      2.32.3   2.32.5   Medium    .netrc credential leak
graphrag-sdk  0.8.1    0.8.2    Minor update

Notes

  • pypdf and requests required [tool.uv] override-dependencies because upstream packages pin them:
    • graphrag-sdk pins pypdf<6.0.0
    • multilspy pins requests==2.32.3
  • The pypdf 5→6 major bump is safe — graphrag-sdk only uses PdfReader.extract_text(), which is unchanged.
  • urllib3 (2.6.3) and filelock (3.20.3) were already at patched versions.

Resolves Dependabot alerts: #85, #87, #89, #91, #92, #93, #94, #95, #96, #97, #98, #99, #100, #101, #102, #103, #104, #105, #106, #107, #108, #109, #110, #111, #112, #113

- flask 3.1.2 → 3.1.3 (session Vary: Cookie header fix)
- werkzeug 3.1.5 → 3.1.6 (safe_join Windows device names fix)
- pypdf 5.9.0 → 6.7.2 (multiple DoS/infinite loop fixes)
- requests 2.32.3 → 2.32.5 (.netrc credential leak fix)
- graphrag-sdk 0.8.1 → 0.8.2

Added uv override-dependencies for requests and pypdf to bypass
upstream constraints in multilspy (==2.32.3) and graphrag-sdk (<6.0.0).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
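As an added illustration (not the PR's own diff), this is the pyproject.toml shape the Notes describe: the patched minimums in the project's own dependency list, plus the [tool.uv] overrides that push past the upstream pins. The project name and the exact dependency list are assumed.

```toml
# Added illustration, not the PR's diff. Project name and the full dependency
# list are assumptions; the version floors come from the PR's table.
[project]
name = "code-graph-backend"  # hypothetical
dependencies = [
    "flask>=3.1.3",        # session Vary: Cookie header fix
    "werkzeug>=3.1.6",     # safe_join() Windows device names fix
    "pypdf>=6.7.2",        # DoS / infinite-loop fixes
    "requests>=2.32.5",    # .netrc credential leak fix
    "graphrag-sdk>=0.8.2",
    "multilspy",
]

# graphrag-sdk pins pypdf<6.0.0 and multilspy pins requests==2.32.3, so an
# ordinary resolve cannot satisfy both those pins and the floors above.
# override-dependencies replaces every declared requirement on the named
# package throughout the tree during resolution: the patched floors win and
# the upstream pins are no longer consulted for pypdf or requests.
[tool.uv]
override-dependencies = [
    "pypdf>=6.7.2",
    "requests>=2.32.5",
]
```

Because an override silences the upstream pin rather than satisfying it, the compatibility check in the Notes (graphrag-sdk only calls PdfReader.extract_text()) is what actually justifies the pypdf override; it is worth re-checking whenever either package is bumped again.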
@vercel

vercel bot commented Feb 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project             Deployment  Actions           Updated (UTC)
code-graph-backend  Ready       Preview, Comment  Feb 22, 2026 3:09pm


@coderabbitai
Contributor

coderabbitai bot commented Feb 22, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

