Resolve cryptography vulnerability alert#115
Conversation
Update the lockfile to cryptography 49.0.0 so the Dependabot alert for GHSA-537c-gmf6-5ccf no longer contains a vulnerable cryptography wheel entry. The alert comes through the release/dev path via twine and keyring rather than the collector runtime. cryptography's patched releases no longer cover the exact Python 3.9.0 floor, so narrow the package metadata and README from >=3.9 to >=3.9.1. This preserves the existing Python 3.9 CI line while allowing uv to resolve one patched cryptography version for the full supported range. Validated with uv lock --check, uv sync --all-extras, a Linux Python 3.9.6 dry-run sync, and uv run pytest tests. Amp-Thread-ID: https://ampcode.com/threads/T-019f10cc-55c9-70ee-9345-5dc089037b98 Co-authored-by: Amp <amp@ampcode.com>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 883268990e
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| description = "Buildkite Test Engine collector" | ||
| readme = "README.md" | ||
| requires-python = ">=3.9" | ||
| requires-python = ">=3.9.1" |
There was a problem hiding this comment.
Restore package-level support for Python 3.9.0
When installing the collector without the dev extra on exact CPython 3.9.0, this package-wide Requires-Python now makes pip/uv reject the release even though the runtime dependency list (requests, pytest, filelock) has not gained any 3.9.1-only requirement; the vulnerable cryptography path is only reached via the dev extra (twine/keyring/SecretStorage). Please keep the project metadata at >=3.9 and constrain or remove the dev-only dependency path instead, otherwise users on the previously supported 3.9.0 runtime are unnecessarily blocked.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
🤖 Good catch — fixed in ffa8c4a. I restored package/runtime support to >=3.9 and instead gated the dev-only twine dependency to python_full_version >= '3.9.1', which removes the vulnerable twine → keyring → SecretStorage → cryptography path only for exact Python 3.9.0. The lockfile still contains only patched cryptography 49.0.0, and I validated that the Python 3.9.0 Linux dependency tree retains runtime deps without twine/cryptography.
Address PR review feedback by restoring the package metadata and README to the original >=3.9 runtime support range. The vulnerable dependency path is dev and release tooling only, so avoid blocking runtime users on exact Python 3.9.0. Constrain the dev extra's twine dependency to Python >=3.9.1 instead. That removes the twine -> keyring -> SecretStorage -> cryptography path from exact 3.9.0, while keeping twine available for the existing 3.9 CI line and newer supported versions. The lockfile still contains only cryptography 49.0.0, which is above the patched floor for GHSA-537c-gmf6-5ccf. Validated with uv lock --check, uv sync --all-extras --locked, a Python 3.9.0 Linux dependency tree check, a Python 3.9.1 Linux dependency tree check, and uv run pytest tests. Amp-Thread-ID: https://ampcode.com/threads/T-019f10cc-55c9-70ee-9345-5dc089037b98 Co-authored-by: Amp <amp@ampcode.com>
|
@buildsworth-bk review |
|
@codex review |
|
Codex Review: Didn't find any major issues. Delightful! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
Update the lockfile so the Dependabot alert for GHSA-537c-gmf6-5ccf no longer contains a vulnerable
cryptographywheel entry. The vulnerable path is release/dev tooling (twine/keyring) rather than collector runtime code.Changes
uv.lockfromcryptography 46.0.7to49.0.0, above the advisory's patched floor of48.0.1.>=3.9.twinedependency topython_full_version >= '3.9.1', so exact Python 3.9.0 runtime installs remain supported without resolving the vulnerable dev-only dependency path.Verification
uv lock --checkuv sync --all-extras --lockeduv tree --all-groups --python-version 3.9.0 --python-platform linux(runtime deps present; notwine/cryptographypath)uv tree --all-groups --python-version 3.9.1 --python-platform linux(twinepresent withcryptography 49.0.0)uv run pytest tests(103 passed, 5 skipped)Deployment
Low risk. This only changes dev dependency resolution and the lockfile; Python 3.9 runtime support remains unchanged.
Rollback
Revert this PR to restore the previous lockfile and dev dependency metadata. That would reopen this Dependabot alert until another mitigation is applied.
Related