From 83afaf315787185b0238eda2d7793d57b5913a2f Mon Sep 17 00:00:00 2001
From: "Ian Hellen (DevBox)"
Date: Thu, 4 Jun 2026 13:41:07 -0700
Subject: [PATCH 1/2] Bump dependency versions to fix security vulnerabilities

Address 13 packages flagged by Component Governance with known CVEs:
Direct dependencies:
- azure-core >=1.38.0 (CVE-2026-21226 - RCE via deserialization)
- cryptography >=46.0.7 (CVE-2026-26007, CVE-2026-34073, CVE-2026-39892)
- jinja2 >=3.1.6 (CVE-2024-56326, CVE-2024-56201, CVE-2025-27516)
- lxml >=6.1.1 (CVE-2026-41066 XXE, CVE-2025-7424, CVE-2025-11731)
- pyjwt >=2.13.0 (CVE-2026-32597 + 5 others)
- urllib3 >=2.7.0 (CVE-2025-50181/50182, CVE-2025-66418/66471)
Transitive dependencies (security floor pins):
- aiohttp >=3.14.0 (CVE-2026-34993 RCE, CVE-2026-47265)
- h11 >=0.16.0 (CVE-2025-43859 request smuggling)
- idna >=3.15 (CVE-2026-45409 DoS)
- jaraco.context >=6.1.0 (CVE-2026-23949 Zip Slip)
- Pillow >=12.2.0 (CVE-2026-25990 + 4 others)
- tornado >=6.5.5 (CVE-2024-52804 + 3 others)
- filelock >=3.20.3 (CVE-2025-68146 TOCTOU race)
Supersedes dependabot PRs #905 (cryptography) and #906 (jinja2).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 conda/conda-reqs-dev.txt | 4 ++--
 conda/conda-reqs.txt | 19 ++++++++++++-------
 docs/requirements.txt | 6 +++---
 requirements-all.txt | 19 ++++++++++++-------
 requirements.txt | 19 ++++++++++++-------
 5 files changed, 41 insertions(+), 26 deletions(-)

diff --git a/conda/conda-reqs-dev.txt b/conda/conda-reqs-dev.txt
index d80b398b..ccc764bd 100644
--- a/conda/conda-reqs-dev.txt
+++ b/conda/conda-reqs-dev.txt
@@ -1,9 +1,9 @@
-aiohttp>=3.0.0
+aiohttp>=3.14.0
 bandit>=1.7.0
 beautifulsoup4
 black>=20.8b1
 coverage>=5.5
-filelock>=3.0.0
+filelock>=3.20.3
 markdown>=3.3.4
 mypy>=0.821
 nbconvert>=6.1.0
diff --git a/conda/conda-reqs.txt b/conda/conda-reqs.txt
index e165c433..e5ffb000 100644
--- a/conda/conda-reqs.txt
+++ b/conda/conda-reqs.txt
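Review bot: The filelock floor is raised only in this dev-only file, yet the commit message lists filelock as a transitive security floor (CVE-2025-68146); if filelock is reached at runtime — tldextract, which every runtime requirement file lists, depends on it as far as I know — then requirements.txt, requirements-all.txt and conda/conda-reqs.txt would need the same `filelock>=3.20.3` line, and none of the hunks add it. The two bumps here also carry no rationale, unlike the `# (sec vuln) transitive dependency via …` annotations used in the sibling files, so nothing in this file tells a future editor the floor must not be lowered again. `aiohttp>=3.14.0 # (sec vuln) transitive dependency via geoip2` and `filelock>=3.20.3 # (sec vuln) transitive dependency via tldextract` would match that convention.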
@@ -1,6 +1,7 @@
+aiohttp>=3.14.0 # (sec vuln) transitive dependency via geoip2
 attrs>=18.2.0
 azure-common>=1.1.18
-azure-core>=1.24.0
+azure-core>=1.38.0
 azure-identity>=1.16.1
 azure-keyvault-secrets>=4.0.0
 azure-kusto-data<7.0.0,>=4.4.0
@@ -15,18 +16,21 @@ azure-monitor-query>=1.0.0, <=3.0.0
 azure-storage-blob>=12.5.0
 beautifulsoup4>=4.0.0
 bokeh>=3.0.0
-cryptography>=43.0.1
+cryptography>=48.0.0
 deprecated>=1.2.4
 dnspython>=2.0.0, <3.0.0
 folium>=0.9.0
 geoip2>=2.9.0
+h11>=0.16.0 # (sec vuln) transitive dependency via httpx
 html5lib
 httpx>=0.23.0, <1.0.0
+idna>=3.15 # (sec vuln) transitive dependency via various
 ipython>=7.23.1
 ipywidgets>=7.4.2, <9.0.0
-jinja2>=3.1.5 # (sec vuln) transitive dependency via multiple packages
+jaraco.context>=6.1.0 # (sec vuln) transitive dependency via keyring
+jinja2>=3.1.6 # (sec vuln) transitive dependency via multiple packages
 keyring>=13.2.1
-lxml>=4.6.5
+lxml>=6.1.1
 matplotlib>=3.0.0
 msal_extensions>=0.3.0
 msal>=1.12.0
@@ -35,9 +39,10 @@ networkx>=2.2
 numpy>=1.15.4
 pandas>=1.4.0, <3.0.0
 panel>=1.2.1
+Pillow>=12.2.0 # (sec vuln) transitive dependency via bokeh
 pydantic>=1.8.0, <3.0.0
 pygments>=2.0.0
-pyjwt>=2.3.0
+pyjwt>=2.13.0
 python-dateutil>=2.8.1
 pytz>=2019.2
 pyyaml>=3.13
@@ -46,7 +51,7 @@ scipy
 setuptools>=40.6.3
 statsmodels
 tldextract>=2.2.2
-tornado>=6.4.2 # (sec vuln) transitive dependency via bokeh
+tornado>=6.5.5 # (sec vuln) transitive dependency via bokeh
 tqdm>=4.36.1
 typing-extensions>=4.2.0
-urllib3>=1.23
+urllib3>=2.7.0
diff --git a/docs/requirements.txt b/docs/requirements.txt
index 4c6e97cb..51555fbd 100644
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -3,12 +3,12 @@ azure.mgmt.network
 azure.mgmt.resource
 azure.mgmt.monitor
 azure.mgmt.compute
-cryptography
+cryptography>=48.0.0
 deprecated>=1.2.4
 docutils<0.22.0
-httpx==0.27.0
+httpx>=0.28.0, <1.0.0
 ipython >= 7.1.1
-jinja2<3.2.0
+jinja2>=3.1.6, <3.2.0
 numpy>=1.15.4
 pandas>=1.1.5
 pydantic>=1.8.0, <3.0.0
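Review bot: The cryptography floor in the second conda-reqs.txt hunk is `>=48.0.0`, but the commit message gives `cryptography >=46.0.7` as the fixed version for CVE-2026-26007, CVE-2026-34073 and CVE-2026-39892; one of the two is wrong, and the message is what the Component Governance finding and any later audit will be matched against. The same `>=48.0.0` value appears in the requirements-all.txt, requirements.txt and docs/requirements.txt hunks. Either bring the message in line with the pins or, if 46.0.7 is the real fixed version, state why the extra bump to 48 is wanted, since a higher-than-needed floor narrows what can be co-installed without adding protection. A comment such as `cryptography>=48.0.0 # (sec vuln) CVE-2026-26007, CVE-2026-34073, CVE-2026-39892` would keep the rationale auditable in the file itself.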
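Review bot: The docs/requirements.txt hunk replaces the exact pin `httpx==0.27.0` with `httpx>=0.28.0, <1.0.0`, a change that is not among the 13 packages in the commit message and that sets a different floor from the `httpx>=0.23.0, <1.0.0` used in the runtime requirement files. If the bump is needed for the new floors to resolve (h11>=0.16.0 is a plausible reason, but I cannot tell from the diff), record it in a comment on the line, e.g. `httpx>=0.28.0, <1.0.0 # required for h11>=0.16.0` with the actual reason; otherwise keeping the exact pin avoids an unrelated change to the docs build. The `cryptography` line here goes from unpinned to `>=48.0.0` and so has the same mismatch with the message's 46.0.7 as the other files.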
diff --git a/requirements-all.txt b/requirements-all.txt
index 83f728a6..7e46230a 100644
--- a/requirements-all.txt
+++ b/requirements-all.txt
@@ -1,6 +1,7 @@
+aiohttp>=3.14.0 # (sec vuln) transitive dependency via geoip2
 attrs>=18.2.0
 azure-common>=1.1.18
-azure-core>=1.24.0
+azure-core>=1.38.0
 azure-identity>=1.16.1
 azure-keyvault-secrets>=4.0.0
 azure-kusto-data<7.0.0,>=4.4.0
@@ -16,19 +17,22 @@ azure-monitor-query<=3.0.0,>=1.0.0
 azure-storage-blob>=12.5.0
 beautifulsoup4>=4.0.0
 bokeh>=3.0.0
-cryptography>=43.0.1
+cryptography>=48.0.0
 deprecated>=1.2.4
 dnspython<3.0.0,>=2.0.0
 folium>=0.9.0
 geoip2>=2.9.0
+h11>=0.16.0 # (sec vuln) transitive dependency via httpx
 html5lib
 httpx<1.0.0,>=0.23.0
+idna>=3.15 # (sec vuln) transitive dependency via various
 ipython>=7.23.1
 ipywidgets<9.0.0,>=7.4.2
-jinja2>=3.1.5
+jaraco.context>=6.1.0 # (sec vuln) transitive dependency via keyring
+jinja2>=3.1.6
 joblib>=1.3.0
 keyring>=13.2.1
-lxml>=4.6.5
+lxml>=6.1.1
 matplotlib>=3.0.0
 mo-sql-parsing<12.0.0,>=11
 msal>=1.12.0
@@ -41,10 +45,11 @@ openpyxl>=3.0
 packaging>=24.0
 pandas<3.0.0,>=1.4.0
 panel>=1.2.1
+Pillow>=12.2.0 # (sec vuln) transitive dependency via bokeh
 passivetotal>=2.5.3
 pydantic<3.0.0,>=1.8.0
 pygments>=2.0.0
-pyjwt>=2.3.0
+pyjwt>=2.13.0
 python-dateutil>=2.8.1
 python_openobserve>=0.4.2
 pytz>=2019.2
@@ -58,9 +63,9 @@ splunk-sdk!=2.0.0,>=1.6.0
 statsmodels>=0.11.1
 sumologic-sdk>=0.1.11
 tldextract>=2.2.2
-tornado>=6.4.2
+tornado>=6.5.5
 tqdm>=4.36.1
 typing-extensions>=4.2.0
-urllib3>=1.23
+urllib3>=2.7.0
 vt-graph-api>=2.0
 vt-py>=0.18.0
\ No newline at end of file
diff --git a/requirements.txt b/requirements.txt
index ed502f3b..fb036acc 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,7 @@
+aiohttp>=3.14.0 # (sec vuln) transitive dependency via geoip2
 attrs>=18.2.0
 azure-common>=1.1.18
-azure-core>=1.24.0
+azure-core>=1.38.0
 azure-identity>=1.16.1
 azure-keyvault-secrets>=4.0.0
 azure-kusto-data>=4.4.0, <7.0.0
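Review bot: `urllib3>=1.23` → `urllib3>=2.7.0` in the last requirements-all.txt hunk (and `lxml>=4.6.5` → `lxml>=6.1.1` in the second hunk of the file) crosses a major-version boundary, which none of the other floors do, and the commit message treats both as ordinary security bumps. urllib3 2.x dropped 1.x-era APIs (`Retry(method_whitelist=...)` among them) and requires OpenSSL 1.1.1 or later, so the project's own code and the other pinned packages that depend on urllib3 should be checked to resolve and run against 2.x before this merges; the same lines appear in the conda-reqs.txt and requirements.txt hunks. Separately, the jinja2 and tornado lines in this file lack the `# (sec vuln)` annotation the identical lines carry in requirements.txt and conda-reqs.txt; `jinja2>=3.1.6 # (sec vuln) transitive dependency via multiple packages` and `tornado>=6.5.5 # (sec vuln) transitive dependency via bokeh` would keep the three files consistent so a later edit does not silently drop the floor in one of them.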
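Review bot: Adding `aiohttp>=3.14.0` (and h11, idna, jaraco.context and Pillow in the later hunks of this file) as first-class entries in requirements.txt turns transitive packages into hard install requirements, so every consumer pulls aiohttp whether or not the geoip2 path is ever used, and a `>=` floor only rejects older versions — a conflict with another dependency's upper cap surfaces as an install-time resolver error, not anywhere in this file. If the intent is only "never resolve below the fixed version", a constraints file (or a CI lock) expresses that without widening the install surface; if the lines must stay here, the `# (sec vuln) transitive dependency via …` comments should also name the fixing version or CVE so the floor can be retired once the upstream package raises its own. I am inferring from the file name that requirements.txt feeds the package's install metadata; if it is only a CI input, the install-surface point does not apply.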
@@ -10,18 +11,21 @@ azure-mgmt-subscription>=3.0.0
 azure-monitor-query>=1.0.0, <=3.0.0
 beautifulsoup4>=4.0.0
 bokeh>=3.0.0
-cryptography>=43.0.1
+cryptography>=48.0.0
 deprecated>=1.2.4
 dnspython>=2.0.0, <3.0.0
 folium>=0.9.0
 geoip2>=2.9.0
+h11>=0.16.0 # (sec vuln) transitive dependency via httpx
 httpx>=0.23.0, <1.0.0
 html5lib
+idna>=3.15 # (sec vuln) transitive dependency via various
 ipython>=7.23.1
 ipywidgets>=7.4.2, <9.0.0
-jinja2>=3.1.5 # (sec vuln) transitive dependency via multiple packages
+jaraco.context>=6.1.0 # (sec vuln) transitive dependency via keyring
+jinja2>=3.1.6 # (sec vuln) transitive dependency via multiple packages
 keyring>=13.2.1
-lxml>=4.6.5
+lxml>=6.1.1
 msal>=1.12.0
 msal_extensions>=0.3.0
 msrest>=0.6.0
@@ -31,15 +35,16 @@ numpy>=1.15.4 # pandas
 packaging>=24.0
 pandas>=1.4.0, <3.0.0
 panel>=1.2.1
+Pillow>=12.2.0 # (sec vuln) transitive dependency via bokeh
 pydantic>=1.8.0, <3.0.0
 pygments>=2.0.0
-pyjwt>=2.3.0
+pyjwt>=2.13.0
 python-dateutil>=2.8.1 # pandas
 pytz>=2019.2 # pandas
 pyyaml>=3.13
 setuptools>=40.6.3
 tldextract>=2.2.2
-tornado>=6.4.2 # (sec vuln) transitive dependency via bokeh
+tornado>=6.5.5 # (sec vuln) transitive dependency via bokeh
 tqdm>=4.36.1
 typing-extensions>=4.2.0
-urllib3>=1.23
+urllib3>=2.7.0

From bb023839f09aa3cd10b0637fd3a21403f27d59bc Mon Sep 17 00:00:00 2001
From: Ian Hellen
Date: Fri, 5 Jun 2026 17:34:00 -0700
Subject: [PATCH 2/2] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 requirements-all.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements-all.txt b/requirements-all.txt
index 1e1943e0..cd0a0cc2 100644
--- a/requirements-all.txt
+++ b/requirements-all.txt
@@ -50,7 +50,7 @@ passivetotal>=2.5.3
 Pillow>=12.2.0 # (sec vuln) transitive dependency via bokeh
 pydantic<3.0.0,>=1.8.0
 pygments>=2.20.0
-pyjwt>=2.3.0
+pyjwt>=2.13.0
 python_openobserve>=0.4.2
 python-dateutil>=2.8.1
 pytz>=2019.2
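Review bot: The second patch re-applies the `pyjwt>=2.13.0` floor that the first patch already set in requirements-all.txt, and its base blob (`index 1e1943e0`, not patch 1's `7e46230a`) together with the context line `pygments>=2.20.0` (patch 1 showed `pygments>=2.0.0`) indicates the file had moved on in between — presumably a rebase or merge that reinstated `pyjwt>=2.3.0`. That is a sign the other floors from patch 1 may have been lost the same way; this hunk's context confirms only that `Pillow>=12.2.0` survived, so the rest of requirements-all.txt, plus requirements.txt and conda/conda-reqs.txt, should be re-checked against the list in patch 1's message before merge. The subject "Potential fix for pull request finding" should also name the finding and the file, e.g. `Restore pyjwt>=2.13.0 floor in requirements-all.txt` (adjusted to what actually happened), so the history explains why the same line was bumped twice.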