🔒 Security: Upgrade Python 3.13 and update dependencies #164
+1,575
−1,223
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add `contents: read` permission to follow principle of least privilege. The test workflow only needs to read repository contents for checkout, testing, and linting operations. Addresses Dependabot security recommendation.
- Upgrade Python from 3.11 to 3.13 - Update FastAPI to 0.120.3 (addresses security vulnerabilities) - Update Poetry to 2.1.3 - Update all dependency locks in poetry.lock - Update test workflow to use Python 3.13 - Update Dockerfile.base for Python 3.13.9 Addresses Dependabot security alerts for outdated dependencies.
makelarisjr
approved these changes
Oct 31, 2025
Move POETRY_VERSION ARG declaration inside the python-base stage where it is actually used, rather than declaring it globally. This fixes IDE linter warnings about undefined variables and follows Docker best practices by declaring ARGs in the scope where they're needed. Benefits: - Resolves "Usage of undefined variable" Docker linter warning - Ensures POETRY_VERSION is properly available in the build stage - Improves Dockerfile maintainability and clarity
Add audioop-lts package to replace the audioop module that was removed from Python 3.13 standard library. The audioop module was deprecated in Python 3.11 and removed in 3.13 (PEP 594). py-cord still depends on it for voice functionality, even though we don't use voice features. The audioop-lts package provides a maintained LTS port of the removed module. Fixes test import errors: ModuleNotFoundError: No module named 'audioop'
Fix test failure caused by incorrect mock assertion syntax in test__check_member_user test. Changes: - Replace `assert await bot.get_member_or_user.called_once_with(...)` - With `bot.get_member_or_user.assert_called_once_with(...)` The test was using `called_once_with` (which doesn't exist) instead of the correct `assert_called_once_with` method. Python 3.13's stricter mock validation now properly raises an AttributeError for this mistake. All 203 tests now pass.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #164 +/- ##
==========================================
- Coverage 58.93% 58.83% -0.11%
==========================================
Files 50 50
Lines 2903 2903
==========================================
- Hits 1711 1708 -3
- Misses 1192 1195 +3 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
- Update Poetry from 1.8.2 to 2.1.3 in test workflow to match Dockerfile.base and ensure consistent Poetry version across all environments - Bump project version from 1.4.4 to 1.9.0 This ensures the CI/CD pipeline uses the same Poetry version as local development and Docker builds.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Types of changes
What types of changes does your code introduce?
Put an
xin the boxes that apply.Proposed changes
This PR addresses Dependabot security alerts by implementing security hardening and dependency updates:
Security Hardening:
contents: readpermission to test workflow following the principle of least privilegeDependency Updates:
These changes resolve multiple Dependabot security alerts related to outdated dependencies and insecure workflow permissions.
Checklist
Put an
xin the boxes that apply.Additional context
This PR is part of ongoing security maintenance to keep dependencies up-to-date and follow GitHub security best practices. The Python 3.13 upgrade ensures we're running on a supported version with the latest security patches.
Note: Tests should be run in CI to verify compatibility with Python 3.13 and updated dependencies.