chore: Bump dev deps to clear h11, pytest, and idna advisories #29

Merged: dbrattli merged 1 commit into main from chore/bump-vulnerable-dev-deps on Jul 4, 2026

@dbrattli dbrattli commented Jul 4, 2026

Summary

Clears the 3 remaining open Dependabot alerts, all transitive/dev deps in uv.lock. Rebased onto latest main (after Dependabot PRs #25#28 merged).

The earlier Dependabot group PRs relaxed uvicorn and pytest-asyncio in pyproject.toml, but two things were still outstanding:

  1. pytest was still capped at <9, so the pytest advisory couldn't be patched.
  2. The committed uv.lock still pinned the old h11 and idna transitives.

This PR lifts the pytest cap and regenerates the lockfile, pulling all three patched versions.

| Package | main | this PR | Severity |
|---|---|---|---|
| h11 | 0.14.0 | 0.16.0 | critical (transitive via uvicorn) |
| pytest | 8.4.2 | 9.1.1 | medium |
| idna | 3.10 | 3.18 | medium (transitive) |

pyproject.toml change

  • pytest>=8.3.3,<9 -> pytest>=9.0.3,<10

(uvicorn>=0.50, pytest-asyncio>=1.4 were already set on main.)

Testing

Full native F# + compiled Python suite passes — 50 tests green on pytest 9.1.1 / pytest-asyncio 1.4.0.

🤖 Generated with Claude Code

Relax the uvicorn and pytest upper-bound pins so the lockfile can pull
patched transitive versions:
- h11 0.14.0 -> 0.16.0 (critical, via uvicorn 0.30 -> 0.50)
- pytest 8.3.3 -> 9.1.1 (medium), pytest-asyncio 0.24 -> 1.4.0
- idna 3.10 -> 3.18 (medium, transitive)

Full native + compiled Python test suite passes (50 tests).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@dbrattli dbrattli force-pushed the chore/bump-vulnerable-dev-deps branch from e7c827f to 7e8f9c1 July 4, 2026 16:10
@dbrattli dbrattli merged commit 2ffef38 into main Jul 4, 2026
3 checks passed
@dbrattli dbrattli deleted the chore/bump-vulnerable-dev-deps branch July 4, 2026 16:12
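
The two gaps the PR description names (an upper-bound cap that excludes the patched release, and a committed lockfile still pinning old transitives) can be checked mechanically in CI. The sketch below is an added example, not code from this PR or the project; the floor versions, the sample lock text and all function names are assumptions made for illustration.

```python
import re

# Floors = "this PR" column of the PR's table; using them as minimums is an assumption.
FLOORS = {"h11": "0.16.0", "pytest": "9.1.1", "idna": "3.18"}

# Constructed uv.lock excerpt mirroring the "main" column (uvicorn pin is made up).
SAMPLE_LOCK = '''\
[[package]]
name = "uvicorn"
version = "0.50.0"
dependencies = [{ name = "h11" }]
[[package]]
name = "h11"
version = "0.14.0"
[[package]]
name = "idna"
version = "3.10"
[[package]]
name = "pytest"
version = "8.4.2"
'''

def vtuple(version):
    """'0.16.0' -> (0, 16). Plain dotted releases only; trailing zeros dropped."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def locked_versions(lock_text):
    """Map name -> pinned version; inline '{ name = ... }' dependency rows are ignored."""
    pins = {}
    for block in re.split(r"^\[\[package\]\]\s*$", lock_text, flags=re.M)[1:]:
        name = re.search(r'^name = "([^"]+)"', block, flags=re.M)
        version = re.search(r'^version = "([^"]+)"', block, flags=re.M)
        if name and version:
            pins[name.group(1).lower()] = version.group(1)
    return pins

def below_floor(lock_text, floors=FLOORS):
    """Return {name: (pinned, floor)} for locked packages older than their floor."""
    pins = locked_versions(lock_text)
    return {n: (pins[n], f) for n, f in floors.items()
            if n in pins and vtuple(pins[n]) < vtuple(f)}

def cap_blocks_floor(specifier, floor):
    """True when a strict '<N' upper bound in a requirement excludes the floor."""
    cap = re.search(r"<\s*(\d+(?:\.\d+)*)", specifier)
    return bool(cap) and vtuple(floor) >= vtuple(cap.group(1))
```

Run against the real `uv.lock`, a non-empty result from `below_floor` means the lockfile still needs regenerating, and `cap_blocks_floor` explains why relocking alone would not have moved pytest while the `<9` cap was in place.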