Skip to content

Refresh locked dependencies to clear Dependabot alerts#46

Merged
secondfry merged 1 commit into
masterfrom
claude/dependabot-alerts-i4ekh9
Jul 17, 2026
Merged

Refresh locked dependencies to clear Dependabot alerts#46
secondfry merged 1 commit into
masterfrom
claude/dependabot-alerts-i4ekh9

Conversation

@secondfry

Copy link
Copy Markdown
Owner

GitHub's Dependabot flagged vulnerabilities in the locked dependency
tree. Every runtime/dev dependency in the Pipfile is *-pinned, so the
Pipfile is the source of truth and the fix is a lock refresh rather than
any constraint change: pipenv update --dev re-resolves the whole tree
to the latest compatible releases, then pipenv requirements --hash --dev
regenerates requirements.txt so the two lockfiles stay in sync (the
long-standing convention for this repo).

Fifteen packages moved. The security-relevant ones are in the requests
networking stack:

  • urllib3 2.6.3 -> 2.7.0
  • requests 2.33.1 -> 2.34.2
  • idna 3.11 -> 3.18
  • certifi 2026.2.25 -> 2026.6.17

The rest are minor/patch bumps on dev tooling and transitive deps
(pyinstaller, pylint, pytest, debugpy, setuptools, packaging, tomlkit,
typing-extensions, charset-normalizer, platformdirs). No Pipfile edits —
the constraint surface is unchanged.

One tooling wrinkle worth recording: the newer pipenv (2026.6.2) evaluates
environment markers against the host when locking, so running the refresh
on Linux pruned the three sys_platform == 'win32' dev packages
(colorama, pefile, pywin32-ctypes) that previous locks carried. Those are
required by PyInstaller on the Windows CI runner, which installs straight
from the lockfile via pipenv install --dev; dropping them would break
the Windows installer build. They are unchanged upstream (latest versions
equal the pinned ones), so I restored the exact entries to keep both
lockfiles cross-platform complete.

All 79 pytest cases pass on the upgraded tree.

Co-Authored-By: Claude Opus 4.8 [email protected]
Claude-Session: https://claude.ai/code/session_01D1ehd51ut8ciZreFbdjDZH

GitHub's Dependabot flagged vulnerabilities in the locked dependency
tree. Every runtime/dev dependency in the Pipfile is `*`-pinned, so the
Pipfile is the source of truth and the fix is a lock refresh rather than
any constraint change: `pipenv update --dev` re-resolves the whole tree
to the latest compatible releases, then `pipenv requirements --hash --dev`
regenerates requirements.txt so the two lockfiles stay in sync (the
long-standing convention for this repo).

Fifteen packages moved. The security-relevant ones are in the requests
networking stack:

- urllib3   2.6.3   -> 2.7.0
- requests  2.33.1  -> 2.34.2
- idna      3.11    -> 3.18
- certifi   2026.2.25 -> 2026.6.17

The rest are minor/patch bumps on dev tooling and transitive deps
(pyinstaller, pylint, pytest, debugpy, setuptools, packaging, tomlkit,
typing-extensions, charset-normalizer, platformdirs). No Pipfile edits —
the constraint surface is unchanged.

One tooling wrinkle worth recording: the newer pipenv (2026.6.2) evaluates
environment markers against the host when locking, so running the refresh
on Linux pruned the three `sys_platform == 'win32'` dev packages
(colorama, pefile, pywin32-ctypes) that previous locks carried. Those are
required by PyInstaller on the Windows CI runner, which installs straight
from the lockfile via `pipenv install --dev`; dropping them would break
the Windows installer build. They are unchanged upstream (latest versions
equal the pinned ones), so I restored the exact entries to keep both
lockfiles cross-platform complete.

All 79 pytest cases pass on the upgraded tree.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
Claude-Session: https://claude.ai/code/session_01D1ehd51ut8ciZreFbdjDZH
Copilot AI review requested due to automatic review settings July 17, 2026 18:32

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@socket-security

Copy link
Copy Markdown

@secondfry
secondfry merged commit 82da569 into master Jul 17, 2026
7 checks passed
@secondfry
secondfry deleted the claude/dependabot-alerts-i4ekh9 branch July 17, 2026 18:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants