fix(deps): bundle bump of 8 transitive deps to clear Dependabot alerts #79

Merged
bartzbeielstein merged 1 commit into main from fix/dependabot-vuln-bundle
May 27, 2026

Conversation

@bartzbeielstein
Contributor

Summary

Clears all 39 open Dependabot alerts (22 high, 17 moderate) by bumping the
eight affected transitive dependencies in uv.lock to their patched releases:

| Package | Before | After |
|---|---|---|
| authlib | 1.6.11 | 1.7.2 |
| idna | 3.11 | 3.16 |
| jupyter-server | 2.17.0 | 2.18.2 |
| jupyterlab | 4.5.6 | 4.5.7 |
| mistune | 3.2.0 | 3.2.1 |
| nbconvert | 7.17.0 | 7.17.1 |
| notebook | 7.5.5 | 7.5.6 |
| urllib3 | 2.6.3 | 2.7.0 |

A new transitive joserfc 1.6.8 is pulled in via the authlib 1.7 line.
No edits to pyproject.toml — all bumps stay within the existing version
constraints.

This bundles what would otherwise be eight sequential Dependabot PRs
(#70-#77), each of which would have to be rebased against the previous
merge's uv.lock change. Bundling avoids the rebase cascade and merges
the entire vulnerability batch in one CI run. Once this lands on main,
Dependabot will auto-close #70-#77 on its next scan.

Test plan

  • uv lock --upgrade-package <pkg> for each of the 8 packages produces a clean resolution (195 packages, no conflicts).
  • uv sync succeeds.
  • Full pytest suite passes: 1725 passed in 17:02 (5 pre-existing warnings, no new failures).
  • CI (Tests, Analyze, Lint, CodeQL) green on this PR before merge.

🤖 Generated with Claude Code

Closes 39 open Dependabot alerts (22 high, 17 moderate) by bumping the
following transitive dependencies in uv.lock to their patched releases:

  authlib        1.6.11 -> 1.7.2
  idna           3.11   -> 3.16
  jupyter-server 2.17.0 -> 2.18.2
  jupyterlab     4.5.6  -> 4.5.7
  mistune        3.2.0  -> 3.2.1
  nbconvert      7.17.0 -> 7.17.1
  notebook       7.5.5  -> 7.5.6
  urllib3        2.6.3  -> 2.7.0

Bundled to avoid the rebase-cascade on uv.lock that would arise from
merging the eight individual Dependabot PRs (#70-#77) sequentially.
Full pytest suite (1725 tests) passes against the upgraded lock.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@bartzbeielstein bartzbeielstein merged commit d87d610 into main May 27, 2026
3 of 4 checks passed
@bartzbeielstein bartzbeielstein deleted the fix/dependabot-vuln-bundle branch May 27, 2026 19:15