
fix: upgrade transitive deps to resolve 8 known vulnerabilities#322

Merged
heyitsaamir merged 2 commits into main from aamirj/dependency-audit-fixes
Mar 24, 2026

Conversation

@heyitsaamir
Collaborator

Summary

  • Upgrade transitive dependencies to resolve 8 of 9 known vulnerabilities found via pip-audit
  • Raise minimum version floors for pyjwt and fastmcp to prevent vulnerable versions from resolving on fresh installs
  • Fix stale test from Move IsTargeted property from Activity to Account #318 that expected removed recipient-inference behavior

Vulnerabilities Fixed

| Package | Before | After | CVE |
|---|---|---|---|
| authlib | 1.6.6 | 1.6.9 | CVE-2026-28802 (JWT alg:none bypass) |
| cryptography | 46.0.3 | 46.0.5 | CVE-2026-26007 (EC subgroup validation) |
| fastmcp | 2.14.0 | 3.1.1 | CVE-2025-69196 |
| pyjwt | 2.10.1 | 2.12.1 | CVE-2026-32597 (crit header bypass) |
| pyasn1 | 0.6.2 | 0.6.3 | CVE-2026-30922 (recursion bomb DoS) |
| starlette | 0.49.1 | 1.0.0 | CVE-2025-43859 (HTTP request smuggling) |
| fastapi | 0.128.0 | 0.135.2 | (pulled by starlette) |
| diskcache | 5.6.3 | removed | CVE-2025-69872 (no longer needed with fastmcp 3.x) |

Unfixable: jsonpickle 1.4.2 (CVE-2020-22083) — pinned by botbuilder-core to >=1.2,<1.5.

Floor Constraint Changes

  • pyjwt[crypto]>=2.12.0 in api, apps, graph (was >=2.10.0)
  • fastmcp>=2.14.2 in mcpplugin (was >=0.5.0)

Test plan

  • poe test — 546 passed, 0 failed
  • E2E tested echo, mcp-server, mcp-client, botbuilder examples against live Teams

🤖 Generated with Claude Code
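A quick check of the floor constraints described above, added here as an example and not code from this PR or the Teams Python SDK: it parses the `>=` floors, confirms that each one excludes the version pip-audit flagged and is met by the refreshed lock file, and flags where a floor sits below the version the lock actually resolved. The version numbers are transcribed from the tables above; the function names and the simplified numeric-only version parser are this example's own assumptions.

```python
"""Sanity-check dependency floors against audit findings.

Added example, not code from the Teams Python SDK repository or this PR.
The version numbers are transcribed from the PR's vulnerability table and
floor-constraint list; the function names and the simplified version parser
are this example's own (assumed) design.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Versions pip-audit flagged ("Before") and the versions the refreshed lock
# file resolved ("After") for the two packages whose floors were raised.
VULNERABLE: Dict[str, str] = {"pyjwt": "2.10.1", "fastmcp": "2.14.0"}
LOCKED: Dict[str, str] = {"pyjwt": "2.12.1", "fastmcp": "3.1.1"}

# Minimum-version floors as declared in pyproject.toml after this PR.
FLOORS: Dict[str, str] = {"pyjwt": ">=2.12.0", "fastmcp": ">=2.14.2"}


def parse_version(text: str) -> Version:
    """Parse a release like '2.12.1' into a comparable tuple of ints.

    Simplification: only numeric dotted releases are handled; pre-release
    and post-release tags (e.g. '3.0.0rc1') would need the `packaging` module.
    """
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def parse_floor(spec: str) -> Version:
    """Extract the minimum version from a '>=X.Y.Z' specifier."""
    match = re.fullmatch(r"\s*>=\s*([0-9]+(?:\.[0-9]+)*)\s*", spec)
    if match is None:
        raise ValueError(f"only '>=' floors are supported, got {spec!r}")
    return parse_version(match.group(1))


def floor_excludes(spec: str, vulnerable: str) -> bool:
    """True when the floor refuses the version the audit flagged."""
    return parse_version(vulnerable) < parse_floor(spec)


def lock_satisfies(spec: str, locked: str) -> bool:
    """True when the version pinned in the lock file meets the floor."""
    return parse_version(locked) >= parse_floor(spec)


def floor_below_lock(spec: str, locked: str) -> bool:
    """True when the floor admits versions older than the lock resolved.

    Not an error by itself, but it means a fresh install that ignores the
    lock may land on a release between the floor and the audited version.
    """
    return parse_floor(spec) < parse_version(locked)


def audit_floors(
    floors: Dict[str, str], vulnerable: Dict[str, str], locked: Dict[str, str]
) -> Dict[str, Dict[str, bool]]:
    """Run all three checks for every package that has a declared floor."""
    report: Dict[str, Dict[str, bool]] = {}
    for package, spec in floors.items():
        report[package] = {
            "excludes_vulnerable": floor_excludes(spec, vulnerable[package]),
            "lock_satisfies_floor": lock_satisfies(spec, locked[package]),
            "floor_below_lock": floor_below_lock(spec, locked[package]),
        }
    return report


if __name__ == "__main__":
    for package, checks in audit_floors(FLOORS, VULNERABLE, LOCKED).items():
        flags = ", ".join(f"{name}={value}" for name, value in checks.items())
        print(f"{package}: {flags}")
```

The `floor_below_lock` flag is informational: a floor below the locked version is normal, but on a fresh install without `uv.lock` the resolver may pick any release between the floor and the lock, so the floor is worth comparing against the advisory's first fixed release rather than the version the lock happened to resolve.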

Bump dependency floors and lock file to fix:
- authlib 1.6.6→1.6.9 (CVE-2026-28802, JWT alg:none bypass)
- cryptography 46.0.3→46.0.5 (CVE-2026-26007, EC subgroup validation)
- fastmcp 2.14.0→3.1.1 (CVE-2025-69196)
- pyjwt 2.10.1→2.12.1 (CVE-2026-32597, crit header bypass)
- pyasn1 0.6.2→0.6.3 (CVE-2026-30922, recursion bomb DoS)
- starlette 0.49.1→1.0.0 (CVE-2025-43859, HTTP request smuggling)
- fastapi 0.128.0→0.135.2 (pulled by starlette)
- diskcache 5.6.3 removed (no longer needed with fastmcp 3.x)

Raise floor constraints to prevent vulnerable versions:
- pyjwt[crypto]>=2.12.0 in api, apps, graph
- fastmcp>=2.14.2 in mcpplugin

Fix stale test from PR #318 that expected removed recipient inference.

Remaining: jsonpickle 1.4.2 (CVE-2020-22083) pinned by botbuilder-core<1.5.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 24, 2026 06:08
Contributor

Copilot AI left a comment


Pull request overview

This PR upgrades dependency resolutions across the Teams Python SDK workspace to remediate reported security vulnerabilities and adjusts package-level minimum constraints to reduce the chance of vulnerable versions being installed, along with updating a test expectation after the targeted-recipient behavior change.

Changes:

  • Updated uv.lock to newer (mostly transitive) dependency versions, including authlib/cryptography/fastapi/starlette/fastmcp/pyjwt/pyasn1, and removed diskcache from the resolved set.
  • Raised minimum version floors for pyjwt[crypto] in multiple packages and fastmcp in mcpplugin.
  • Updated an apps test to reflect that clearing recipient is no longer auto-inferred.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| uv.lock | Refreshes the locked dependency set to versions that address reported CVEs and removes no-longer-needed transitive packages. |
| packages/mcpplugin/pyproject.toml | Raises the minimum fastmcp version constraint. |
| packages/graph/pyproject.toml | Raises the minimum pyjwt[crypto] version constraint. |
| packages/apps/tests/test_activity_context.py | Updates a targeted-send test expectation after recipient-inference behavior was removed. |
| packages/apps/pyproject.toml | Raises the minimum pyjwt[crypto] version constraint. |
| packages/api/pyproject.toml | Raises the minimum pyjwt[crypto] version constraint. |

Per PR review feedback — test was added when is_targeted was on Activity
rather than Account, and no longer tests meaningful behavior.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@heyitsaamir heyitsaamir merged commit be95fd7 into main Mar 24, 2026
7 checks passed
@heyitsaamir heyitsaamir deleted the aamirj/dependency-audit-fixes branch March 24, 2026 22:53