Introduction
GitHub's Dependabot recently identified 12 vulnerabilities across 7 libraries in our dependency tree. Most of these alerts relate to resource exhaustion risks (e.g., "zip bombs" or crashes requiring specific file inputs) rather than direct remote execution threats.
The vulnerabilities were addressed for the first time in PR [#475]; this issue will stay open in order to discuss and solve new vulnerabilities here.
Risks
- Realistic scenario: Potential errors, slow processing, or crashes if malformed data is processed.
- Context: Since Leaspy is an offline application working with specific file types, the actual attack surface is very limited. However, we have chosen to address these issues to maintain a clean codebase and avoid discouraging users with unresolved security alerts.
Strategy
We adopted a conservative approach: fix the critical vulnerabilities without compromising stability or support for older Python versions (3.9+).
1. Pinning Torch
We explicitly pinned torch in pyproject.toml (torch = ">=2.2.0,<2.8").
- Reasoning: Upgrading to 2.8.0 would fix the remaining low-risk vulnerabilities but could break core functionality. We have accepted this risk to preserve stability.
2. Smart Updates via Poetry
We updated the affected packages (urllib3, tornado, pillow, fonttools, filelock, requests). Poetry's resolver automatically selected the latest versions that remain compatible with our other dependencies and Python constraints.
3. filelock
filelock was not upgraded in all versions, because the patched version starts at Python 3.10, which means that we could not support that Python version. As the vulnerability is not critical, we will keep supporting 3.9 for now.
Results
| Package | Old v | New v | Vulnerabilities Fixed |
|---|---|---|---|
| urllib3 | 2.4.0 | 2.6.3 | 5 (3 HIGH, 2 MODERATE) |
| tornado | 6.4.2 | 6.5.4 | 1 (HIGH) |
| pillow | 11.2.1 | 11.3.0 | 1 (HIGH) |
| fonttools | 4.57.0 | 4.60.2 | 1 (MODERATE) |
| filelock | 3.18.0 | 3.20.2 | 1 (MODERATE) |
| requests | 2.32.3 | 2.32.5 | 1 (MODERATE) |
| torch | 2.2.0 | 2.2.0 | (Accepted Risk) |
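
Added example (not part of the original issue or the Leaspy code base): a check that could run in each CI Python job to catch a resolver regression below the patched versions in the table. It assumes the "New v" column is the minimum acceptable version, that an older filelock is the accepted exception on Python 3.9, and that torch is acceptable anywhere inside the pinned range; the function names are hypothetical.

```python
import re
import sys
from importlib import metadata

# Floors: the "New v" column of the Results table above.
PATCHED = {"urllib3": "2.6.3", "tornado": "6.5.4", "pillow": "11.3.0",
           "fonttools": "4.60.2", "filelock": "3.20.2", "requests": "2.32.5"}
TORCH_RANGE = ("2.2.0", "2.8")  # pyproject.toml pin: >=2.2.0,<2.8

def vtuple(version):
    """Numeric (major, minor, patch); local and pre-release tags are ignored."""
    pieces = version.split("+")[0].split(".")
    nums = [int(m.group()) for m in (re.match(r"\d+", p) for p in pieces) if m]
    return tuple((nums + [0, 0, 0])[:3])

def audit(installed, python=sys.version_info[:2]):
    """Return (status, name, version) findings for a {name: version} mapping."""
    findings = []
    for name, floor in PATCHED.items():
        have = installed.get(name)
        if have is None or vtuple(have) >= vtuple(floor):
            continue
        # Assumption: on Python 3.9 an older filelock is the accepted exception.
        accepted = name == "filelock" and python < (3, 10)
        findings.append(("accepted" if accepted else "vulnerable", name, have))
    torch = installed.get("torch")
    if torch is not None:
        lo, hi = (vtuple(v) for v in TORCH_RANGE)
        in_range = lo <= vtuple(torch) < hi
        findings.append(("accepted" if in_range else "out-of-range", "torch", torch))
    return findings

def installed_versions(names):
    """Versions of the named distributions present in the current environment."""
    found = {}
    for name in names:
        try:
            found[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass
    return found

if __name__ == "__main__":
    report = audit(installed_versions([*PATCHED, "torch"]))
    for status, name, version in report:
        print(f"{status:12} {name} {version}")
    sys.exit(1 if any(s != "accepted" for s, _, _ in report) else 0)
```

Run as a script, it exits non-zero when any package is below its floor without a documented exception, or when torch falls outside the pin.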