Skip to content

SDK-92: Fix docs CSP syntax for Firefox-based browsers #222

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
benglewis wants to merge 4 commits into
base: main
Choose a base branch
from
Open

SDK-92: Fix docs CSP syntax for Firefox-based browsers #222

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
06cbe64
SDK-92: fix docs CSP meta syntax for Firefox
benglewis Apr 19, 2026
787d47f
Fix vulnerabilities
benglewis Apr 19, 2026
963c186
Fix `AGENTS.md`
benglewis Apr 20, 2026
0fc1fd5
ruff format
benglewis Apr 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion AGENTS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ Activate the local virtualenv before running any Python/uv commands: `source .ve
## Testing Guidelines

- Frameworks: `pytest` and `pytest-asyncio`.
- Place tests in `tests/`; name files `test_*.py`.
- Place tests in `tests/`; name files `*_test.py`.
- Run locally with `pytest` before opening a PR (CI runs lint + integration tests).

## Pull Request Guidelines
Expand Down
53 changes: 53 additions & 0 deletions VULNERABILITIES.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
# Vulnerability Update Guide

Use this file when updating dependency floors in [pyproject.toml](pyproject.toml) to address vulnerability findings.

## Rules

1. Keep the dependency line and its vulnerability note together.
Example:
```toml
"requests>=2.33.0",
# ⬆️ Required to fix vulnerability CVE-2026-25645
```
The up-arrow comment goes immediately below the package line, not above it.

2. Mention only the advisory that necessitates the current minimum version.
If `authlib>=1.6.11` is required because `GHSA-jj8c-mmj3-mmgv` is the first fix at that floor, mention only that advisory.
Do not list older advisories that are also fixed incidentally by the same newer version.

3. Do not keep stale version-history commentary.
Keep only the final package floor and the advisory tied to that floor.

4. Treat major-version upgrades as compatibility risks.
Before keeping a major bump such as `transformers` or `pytest`, add or run tests that exercise the affected public SDK behavior.

5. Prefer the smallest safe version bump that clears the finding.
If a vulnerability is fixed in `46.0.6`, do not cite it as justification for `46.0.7` unless `46.0.7` is required by another active finding.

## Workflow

1. Update the minimum version in `pyproject.toml`.
2. Place the vulnerability comment immediately below the changed dependency line.
3. Recompile the dependency set from `pyproject.toml`.
Example:
```bash
UV_CACHE_DIR=/tmp/uv-cache uv pip compile pyproject.toml --group dev --group docs --group deploy --extra pandas --extra polars --extra transformers -o /tmp/hirundo-all-requirements.txt
```
4. Audit the compiled output.
Example:
```bash
UV_CACHE_DIR=/tmp/uv-cache uv run pip-audit --no-deps --disable-pip -r /tmp/hirundo-all-requirements.txt -f json
```
5. Run validation for compatibility-sensitive changes.
Commands:
```bash
.venv/bin/pytest
.venv/bin/basedpyright
```

## Repo-specific notes

- This repository has many integration-heavy tests that require credentials such as `AWS_ACCESS_KEY`, `GCP_CREDENTIALS`, and `HUGGINGFACE_ACCESS_TOKEN`.
- If full `pytest` is unavailable because credentials are missing, report that explicitly and run any safe targeted tests that cover the changed behavior.
- For `transformers` changes, keep coverage on the Hugging Face pipeline path in [tests/unlearning-llm/llm_pipeline_transformers_test.py](tests/unlearning-llm/llm_pipeline_transformers_test.py).
2 changes: 1 addition & 1 deletion docs/hirundo.cli.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo.cli module
==================
Expand Down
2 changes: 1 addition & 1 deletion docs/hirundo.dataset_enum.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo.dataset_enum module
===========================
Expand Down
2 changes: 1 addition & 1 deletion docs/hirundo.dataset_qa.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo.dataset_qa module
=========================
Expand Down
2 changes: 1 addition & 1 deletion docs/hirundo.dataset_qa_results.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo.dataset_qa_results module
=================================
Expand Down
2 changes: 1 addition & 1 deletion docs/hirundo.git.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo.git module
==================
Expand Down
2 changes: 1 addition & 1 deletion docs/hirundo.labeling.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo.labeling module
=======================
Expand Down
2 changes: 1 addition & 1 deletion docs/hirundo.llm_behavior_eval.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo.llm_behavior_eval module
=============================
Expand Down
2 changes: 1 addition & 1 deletion docs/hirundo.llm_behavior_eval_results.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo.llm_behavior_eval_results module
=============================
Expand Down
2 changes: 1 addition & 1 deletion docs/hirundo.llm_bias_type.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo.llm_bias_type module
=============================
Expand Down
2 changes: 1 addition & 1 deletion docs/hirundo.logger.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo.logger module
=====================
Expand Down
2 changes: 1 addition & 1 deletion docs/hirundo.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo package
===============
Expand Down
2 changes: 1 addition & 1 deletion docs/hirundo.storage.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo.storage module
======================
Expand Down
2 changes: 1 addition & 1 deletion docs/hirundo.unlearning_llm.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo.unlearning_llm module
=============================
Expand Down
2 changes: 1 addition & 1 deletion docs/hirundo.unzip.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo.unzip module
====================
Expand Down
2 changes: 1 addition & 1 deletion docs/index.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
contain the root `toctree` directive.

.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

Hirundo Python SDK
==================
Expand Down
2 changes: 1 addition & 1 deletion docs/modules.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
.. meta::
:http-equiv=Content-Security-Policy: default-src 'self', frame-ancestors 'none'
:http-equiv=Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

hirundo
=======
Expand Down
26 changes: 16 additions & 10 deletions pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,9 @@ dependencies = [
"httpx-sse>=0.4.0",
"tqdm>=4.66.5",
"h11>=0.16.0",
"requests>=2.33.0",
# ⬆️ Required to fix vulnerability GHSA-vqfr-h8mv-ghfj
"requests>=2.32.4",
# ⬆️ Required to fix vulnerability GHSA-9hjg-9r4m-mvj7
# ⬆️ Required to fix vulnerability CVE-2026-25645
"urllib3>=2.6.3",
# ⬆️ Required to fix vulnerability CVE-2026-21441
"setuptools>=78.1.1",
Expand All @@ -51,28 +51,34 @@ Homepage = "https://github.com/Hirundo-io/hirundo-python-sdk"
[project.optional-dependencies]
pandas = ["pandas>=2.2.3"]
polars = ["polars>=1.0.0"]
transformers = ["transformers>=4.57.3", "peft>=0.18.1", "accelerate>=1.12.0"]
transformers = [
"transformers>=5.0.0rc3",
Comment on lines +54 to +55
Copy link
Copy Markdown

@baz-reviewer baz-reviewer Bot Apr 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hirundo[transformers] now requires transformers>=5.0.0rc3, so pip install hirundo[transformers] in the README is no longer compatible with consumers pinned to transformers<5; should we publish a migration path or adjust the dependency floor to keep the documented extra installable?

Finding type: Breaking Changes | Severity: 🟢 Low

Fix in Cursor

Prompt for AI Agents:

Before applying, verify this suggestion against the current code. In pyproject.toml
around lines 54-59 (the `[project.optional-dependencies]` `transformers` extra), the
dependency pin changed to `transformers>=5.0.0rc3`, which will break consumers that
still install with `transformers<5`. Update the `transformers` extra to preserve
backward compatibility (e.g., allow the previous 4.x line as well) or create a separate
extra/versioned extra for Transformers v5 while keeping `hirundo[transformers]`
installable for existing users. Also ensure the README/public installation docs and any
migration notes are updated to reflect the new behavior and how users should upgrade.

Copy link
Copy Markdown
Contributor Author

@benglewis benglewis Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We cannot support Transformers v4 while not having any vulnerabilities. How do you think that we should document this? What is the standard?

Copy link
Copy Markdown

@baz-reviewer baz-reviewer Bot Apr 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Document the change in the README (and release notes if you have them) by saying that the hirundo[transformers] extra now requires transformers>=5.0.0rc3 to resolve CVE-2026-1839, and point users at pyproject.toml or VULNERABILITIES.md for the mitigation details plus any upgrade guidance (token/PEFT compatibility, etc.). Use the same vulnerability-note style from VULNERABILITIES.md so the rationale is clear and consistent, and add a short migration note that advises pinned-<5 users to either upgrade to transformer 5.x or continue using a fixed hirundo version until they can.

# ⬆️ Required to fix vulnerability CVE-2026-1839
"peft>=0.18.1",
"accelerate>=1.12.0",
]

[dependency-groups]
dev = [
"hirundo[pandas,polars,transformers]",
"numpy>=2.1.3; sys_platform == 'darwin'",
# ⬆️ Ensure macOS runners resolve a NumPy version with prebuilt wheels in `pytest_sanity`.
"types-setuptools>=69.5.0",
"pytest>=8.2.0",
"pytest>=9.0.3",
# ⬆️ Required to fix vulnerability CVE-2025-71176
"pytest-asyncio>=0.23.6",
"uv>=0.9.29",
"uv>=0.11.6",
# ⬆️ Required to fix vulnerability GHSA-pjjw-68hj-v9mw
"pre-commit>=3.7.1",
"basedpyright==1.37.1",
"virtualenv>=20.36.1",
# ⬆️ Needed for `pre-commit` version fix for vulnerability GHSA-rqc4-2hc7-8c8v
"authlib>=1.6.6",
# ⬆️ Required to fix vulnerability CVE-2025-68158
"authlib>=1.6.11",
# ⬆️ Required to fix vulnerability GHSA-jj8c-mmj3-mmgv
"ruff>=0.12.0",
"bumpver>=2025.1131",
"platformdirs>=4.3.6",
"cryptography>=46.0.5",
# ⬆️ Required to fix vulnerability CVE-2026-26007
"cryptography>=46.0.7",
# ⬆️ Required to fix vulnerability CVE-2026-39892
"jinja2>=3.1.6",
# ⬆️ Required to fix vulnerabilities GHSA-cpwx-vrp4-4pq7 , GHSA-gmj6-6f8f-6699 & GHSA-q2x7-8rv6-6q7h
"filelock>=3.20.3",
Expand Down
Loading
Loading