Skip to content

Fix security vulnerabilities in pip dependencies#29

Open
willie wants to merge 3 commits into
elastic:mainfrom
vitalsource:fix/pip-security-updates
Open

Fix security vulnerabilities in pip dependencies#29
willie wants to merge 3 commits into
elastic:mainfrom
vitalsource:fix/pip-security-updates

Conversation

@willie

@willie willie commented Apr 1, 2026

Copy link
Copy Markdown
Contributor

Sorry, we've been on a CVE fixing rage over here at VitalSource and they keep popping up.

Summary

  • Bump PyJWT 2.10.1 → 2.12.0 (unknown crit header extensions)
  • Bump fastmcp 2.14.3 → 3.2.0 (multiple CVEs: critical/high/medium)
  • Bump Flask 3.1.0 → 3.1.3 (session/cookie handling)
  • Bump Flask-Cors 5.0.0 → 6.0.0 (CORS matching vulnerabilities)
  • Bump Pillow 11.3.0 → 12.1.1 (out-of-bounds write on PSD images)
  • Fix two tests affected by fastmcp 3.x breaking changes

Test plan

  • All 2212 unit tests pass
  • Verify auth flows work with PyJWT 2.12.0
  • Verify MCP proxy still works with fastmcp 3.2.0

🤖 Generated with Claude Code

willie and others added 3 commits April 1, 2026 08:12
- PyJWT 2.10.1 → 2.12.0 (unknown crit header extensions)
- fastmcp 2.14.3 → 3.2.0 (multiple CVEs, critical/high/medium)
- Flask 3.1.0 → 3.1.3 (session/cookie handling)
- Flask-Cors 5.0.0 → 6.0.0 (CORS matching vulnerabilities)
- Pillow 11.3.0 → 12.1.1 (out-of-bounds write on PSD images)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The content API key test was hitting the studio-level auth check
before reaching the content-level check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
In fastmcp 3.x the .fn attribute was removed since the decorator
returns the original function instead of a wrapper object.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant