fix: remediate high-severity Dependabot security alerts#45

Merged
antoniomtz merged 1 commit into main from antoniomtz/fix-high-severity-dependabot-alerts
Feb 23, 2026
Conversation

@antoniomtz
Collaborator

Summary

  • Bump pillow 12.0.0 → 12.1.1 (out-of-bounds write on PSD images)
  • Bump python-multipart 0.0.20 → 0.0.22 (arbitrary file write via non-default config)
  • Pin urllib3 ≥2.6.3 via constraint-dependencies (decompression bomb bypass, unbounded decompression chain)
  • Bump next 15.4.10 → 15.5.10 (DoS via RSC HTTP deserialization, DoS via Image Optimizer)
  • Bump tar override ≥7.5.2 → ≥7.5.8 (path traversal, symlink poisoning, hardlink escape, Unicode ligature race condition)
  • Bump eslint-config-next to 15.5.10 to stay in sync with next

Resolves Dependabot alerts: #2, #3, #4, #5, #6, #7, #8, #9, #10, #15, #16 (10 of 12 high-severity alerts).

Not addressed

  • minimatch (upgrade react package #18, High) — transitive dep of eslint locked to ^3.x; upgrading to 10.x would break eslint. Requires upstream update.

Test plan

  • uv sync — all Python packages install cleanly
  • pnpm install --frozen-lockfile — all npm packages install cleanly
  • pytest — 145/145 tests pass
  • pnpm lint — passes (only pre-existing <img> warnings)

🤖 Generated with Claude Code

Bump vulnerable dependencies to patched versions:
- pillow 12.0.0 → 12.1.1 (OOB write on PSD images)
- python-multipart 0.0.20 → 0.0.22 (arbitrary file write)
- urllib3 2.5.0 → ≥2.6.3 via constraint (decompression bomb bypass)
- next 15.4.10 → 15.5.10 (DoS via RSC deserialization)
- tar override ≥7.5.2 → ≥7.5.8 (path traversal / symlink poisoning)

Resolves Dependabot alerts #2, #3, #4, #5, #6, #7, #8, #9, #10, #15, #16.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@antoniomtz antoniomtz self-assigned this Feb 23, 2026
@antoniomtz antoniomtz merged commit 520d1ba into main Feb 23, 2026
4 of 5 checks passed
@antoniomtz antoniomtz deleted the antoniomtz/fix-high-severity-dependabot-alerts branch February 23, 2026 19:02