chore(deps): security bumps — idna 3.15, starlette 1.1.0, torch advisory ignore#64
Merged
Conversation
Bumps [idna](https://github.com/kjd/idna) from 3.11 to 3.15. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.md) - [Commits](kjd/idna@v3.11...v3.15) --- updated-dependencies: - dependency-name: idna dependency-version: '3.15' dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
Mirror the urllib3 PR #62/#63 pattern — record the idna 3.15 bump (CVE-2026-45409, GHSA-65pc-fj4g-8rjx; Dependabot alert #17) in CHANGELOG Unreleased and the AGENTS.md security log, noting idna is purely transitive (via anyio / httpx / requests) and no hub code path calls idna directly.
The PR-gating pip-audit runs unfiltered, so #64's idna bump alone could not go green while two further advisories were live in the tree. Fix both here so the security PR merges cleanly: - starlette PYSEC-2026-161 / GHSA-86qp-5c8j-p5mr (Host-header validation bypass poisoning request.url.path): floor to starlette>=1.0.1 via a new [tool.uv] constraint-dependencies entry. A lock-only bump regresses to the vulnerable 0.52.1 because the prior fastapi 0.129.0 capped it; the constraint forces starlette 1.1.0 and lifts fastapi to 0.136.3. Reached only via mcp/fastapi/sse-starlette; the hub speaks MCP over stdio, never serves HTTP. - torch PYSEC-2026-139 / CVE-2026-4538 (local-only pt2-loader deserialization, no upstream fix): ignore in ci.yml and the audit-deps justfile recipe. Reached only via sentence-transformers; the hub never loads untrusted pt2 artifacts. The unfiltered biweekly security-audit.yml keeps tracking it. CHANGELOG + AGENTS.md security log updated for both.
vr000m
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What's New
Security-only dependency PR. Resolves three transitive advisories that the unfiltered
pip-auditPR gate currently flags. Started as the Dependabotidnabump (#64) and was widened to clear the other two live advisories, since the gate sees the union of all advisories in the tree — none of the three could go green independently.Security
idna→3.15(transitive viaanyio/httpx/requests). CVE-2026-45409 / GHSA-65pc-fj4g-8rjx, Dependabot alert chore: release v0.0.9 #17: crafted inputs toidna.encode()bypass the CVE-2024-3651 mitigation, enabling quadratic-time processing. Lock-only bump.starlette→1.1.0(transitive viamcp/fastapi/sse-starlette). PYSEC-2026-161 / GHSA-86qp-5c8j-p5mr: missing Host-header validation poisonsrequest.url.path, bypassing path-based security checks. Floored via a new[tool.uv] constraint-dependenciesentry (starlette>=1.0.1) because a plain re-lock regresses to the vulnerable0.52.1(priorfastapi 0.129.0capped it); the constraint also liftsfastapi→0.136.3.torchPYSEC-2026-139 / CVE-2026-4538 — local-only pt2-loader deserialization, no upstream fix released. Ignored in the PR-gatingpip-audit(ci.yml) and theaudit-depsjustfile recipe. The unfiltered biweeklysecurity-audit.ymlkeeps tracking it so the ignore is removed when a patch lands.No exploitable path from hub code for any of the three: the hub speaks MCP over stdio (never serves HTTP via Starlette), outbound hostnames are fixed trusted endpoints (never attacker-controlled
idna.encode()input), and it never deserializes untrustedpt2artifacts (torch is used only for local embeddings viasentence-transformers).Verification
pip-audit:No known vulnerabilities found, 1 ignored(torch)ruff checkclean,mypyclean (82 files),pytest: 1021 passed / 3 skippedUpgrade:
uv sync --extra dev --group devthenuv run pipecat-context-hub refresh --forceFull changelog: v0.0.19...HEAD
Original Dependabot changelog (idna 3.11 → 3.15)
idna 3.14 closed CVE-2026-45409 by rejecting oversize inputs up-front (bypass of the CVE-2024-3651 mitigation); 3.15 adds an early DNS-length cap in
check_labelplus perf/cleanup. Compare: kjd/idna@v3.11...v3.15