fix: remediate CVEs in app image dependencies#1896
Merged
Conversation
Bump vulnerable transitive Python deps via uv constraint-dependencies: - aiohttp 3.13.3 -> 3.13.5 (CVE-2026-22815, -34515, -34516, -34525) - cryptography 46.0.5 -> 48.0.0 (CVE-2026-39892) - mako 1.3.10 -> 1.3.12 (CVE-2026-44307, -41205) - python-dotenv 1.1.1 -> 1.2.2 (CVE-2026-28684) - requests 2.32.5 -> 2.34.2 (CVE-2026-25645) - sqlparse 0.5.3 -> 0.5.5 (GHSA-27jp-wm6q-gp25) Install uv from upstream ghcr.io/astral-sh/uv:0.11.15 (multi-stage COPY) instead of the Wolfi apk package so the uv binary (and its Rust deps like rkyv) is pinned and updatable independent of the Wolfi release cadence. Override brace-expansion to 5.0.6 in the sandbox-runtime npm tree (CVE-2026-45149), mirroring the existing lodash-es override. Signed-off-by: Eitan Yarmush <eitan.yarmush@solo.io>
EItanya
requested review from
iplay88keys,
jmhbh,
peterj,
supreme-gg-gg and
yuval-k
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This PR aims to remediate CVEs reported in the app image by updating vulnerable transitive dependencies in the Python environment, pinning uv installation to a controllable upstream binary, and adjusting the sandbox-runtime npm dependency tree to pull in a patched brace-expansion.
Changes:
- Updated
uvconstraint-dependencies and lockfile resolutions to newer (patched) versions of several Python packages (e.g., aiohttp, cryptography, mako, requests, sqlparse). - Switched
python/Dockerfileto installuvvia a multi-stage copy fromghcr.io/astral-sh/uv, instead of installinguvvia Wolfiapk. - Added an explicit install of
brace-expansion@5.0.6during sandbox-runtime build to address an npm CVE.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| python/uv.lock | Regenerated lockfile reflecting upgraded Python package versions and updated constraint list. |
| python/pyproject.toml | Added/updated tool.uv.constraint-dependencies to force minimum versions for vulnerable transitive deps. |
| python/Dockerfile | Copies uv/uvx from an upstream uv image and installs brace-expansion@5.0.6 in the sandbox-runtime build. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Eitan Yarmush <eitan.yarmush@solo.io>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Eitan Yarmush <eitan.yarmush@solo.io>
Resolves Next.js advisories flagged by trivy on the ui image: - CVE-2026-44573, -44574, -44575 (Middleware/Proxy bypass) - CVE-2026-44578 (SSRF) - CVE-2026-44579 (DoS via connection) - CVE-2026-45109 (Middleware/Proxy bypass in App Router) Also picks up the msw mockServiceWorker.js refresh that npm install regenerated to match the new msw transitive version. Signed-off-by: Eitan Yarmush <eitan.yarmush@solo.io>
|
Warning Testing pausedMonthly snapshot limit reached. Update your plan to get more snapshots and resume testing. |
jmhbh
approved these changes
May 19, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Remediates the actionable CVEs from a recent trivy + grype scan of the
appimage built frommain.uvconstraint-dependencies inpython/pyproject.toml:uvfrom upstreamghcr.io/astral-sh/uv:0.11.15via multi-stage COPY inpython/Dockerfileinstead of the Wolfiapkpackage, so the uv binary (and its Rust deps likerkyv) is pinned and bumpable independent of the Wolfi release cadence.brace-expansionto 5.0.6 in the sandbox-runtime npm tree (CVE-2026-45149), mirroring the existing lodash-es override.CVEs left unaddressed are not actionable here: CPython CVEs marked
n/a(no upstream fix yet), pip CVE-2026-3219 (not-fixed), Alpinebusybox/gitfindings inskills-init(no upstream patch).Test plan
uv lock --checkpassesdocker build -f python/Dockerfile ./pythonsucceedsuv --versionreports 0.11.15/opt/sandbox-runtime/node_modules/brace-expansion/package.jsonreports 5.0.6appimage built from this branch to confirm CVE counts dropPR opened by Claude on behalf of @EItanya.