Context
Socket Security flagged two critical CVEs on the dependency graph of every PR opened against dev. They are pre-existing on dev — not introduced by any open PR (e.g., PR #129's diff has no uv.lock row). First report: #129 (comment).
Alerts
| Package |
Current (dev) |
CVE |
Patched |
Severity |
| `authlib` |
1.6.6 |
GHSA-wvwj-cvrp-7pv5 — JWS JWK Header Injection: Signature Verification Bypass |
`>= 1.6.9` |
CRITICAL |
| `fastmcp` |
2.14.4 |
GHSA-vv7q-7jx5-f767 — OpenAPI Provider SSRF + Path Traversal |
`>= 3.2.0` |
CRITICAL |
Both are transitive dependencies (via `pydantic-ai-slim` extras). They don't appear in `pyproject.toml`; the bump must be driven from `uv.lock` via `uv lock --upgrade-package`.
Plan
- Branch `chore/repo-bump-authlib-fastmcp-cves` off `dev`.
- `uv lock --upgrade-package authlib --upgrade-package fastmcp`.
- Verify resolved versions clear both advisories.
- `uv sync --extra dev` + `uv run pytest -m "not integration"` to confirm no regression.
- PR into dev as `chore(repo): bump authlib + fastmcp to clear Socket-flagged CVEs (#)`.
Acceptance
Non-goals
- No code changes outside `uv.lock`. If the new authlib/fastmcp versions break an import, that's a separate PR.
- No re-tuning of other pinned majors.
Context
Socket Security flagged two critical CVEs on the dependency graph of every PR opened against dev. They are pre-existing on dev — not introduced by any open PR (e.g., PR #129's diff has no uv.lock row). First report: #129 (comment).
Alerts
Both are transitive dependencies (via `pydantic-ai-slim` extras). They don't appear in `pyproject.toml`; the bump must be driven from `uv.lock` via `uv lock --upgrade-package`.
Plan
Acceptance
Non-goals