Skip to content

Security: fix vulnerable dependencies and harden project configuration#10

Draft
ulf1 with Copilot wants to merge 1 commit into
masterfrom
copilot/run-security-checks
Draft

Security: fix vulnerable dependencies and harden project configuration#10
ulf1 with Copilot wants to merge 1 commit into
masterfrom
copilot/run-security-checks

Conversation

Copilot AI commented Apr 10, 2026

Copy link
Copy Markdown

Summary

This PR fixes all known security issues found during a full audit of the repository.


Vulnerabilities fixed

Package Issue Old minimum New minimum
setuptools Path traversal (arbitrary file write) >=40.0.0 >=78.1.1
setuptools Command injection via package URL >=40.0.0 >=78.1.1
setuptools ReDoS (Regular Expression Denial of Service) >=40.0.0 >=78.1.1
numpy NULL pointer dereference >=1.14.5 >=1.19.0
scikit-learn Deserialization of untrusted data >=0.20.0 >=0.24.0
nose Unmaintained (last release 2016); no security patches >=1.3.7 removed → replaced with pytest>=7.0.0

Other security / hygiene improvements

  • setup.py — fixed http://https:// project URL (prevents man-in-the-middle URL redirection).
  • setup.py — added encoding='utf-8' to the open() call to avoid cross-platform locale-dependent decoding behaviour.
  • setup.py — removed nose from install_requires (it is a test tool, not a runtime dependency; shipping it to end users added unnecessary attack surface).
  • python_requires — bumped from >=3.6 (EOL December 2021) to >=3.8.
  • .travis.yml — updated test Python version from 3.6 to 3.11; switched test runner to pytest.
  • .github/workflows/ci.yml — added a GitHub Actions CI workflow testing Python 3.8–3.12 with permissions: contents: read (least-privilege GITHUB_TOKEN).
  • SECURITY.md — added a security policy with a private vulnerability reporting channel so researchers can disclose issues responsibly.

Testing

All 13 existing tests pass with the updated dependencies:

13 passed in 0.81s

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants