fix(deps): resolve aiohttp Dependabot alerts #2081 and #2080 (CVE-2026-47265, CVE-2026-47266)#16269
Open
github-actions[bot] wants to merge 2 commits into
Open
fix(deps): resolve aiohttp Dependabot alerts #2081 and #2080 (CVE-2026-47265, CVE-2026-47266)#16269github-actions[bot] wants to merge 2 commits into
github-actions[bot] wants to merge 2 commits into
Conversation
…E-2026-47266 Both Dependabot alerts #2081 (CVE-2026-47265, cross-origin redirect with per-request cookies) and #2080 (CVE-2026-47266, deserialization of untrusted data) reference seed/python-sdk/basic-auth-pw-omitted/poetry.lock which no longer exists in the repository. The aiohttp lower bound was already bumped to >=3.14.0 in PR #16230 and all remaining seed poetry.lock files contain aiohttp 3.14.0 (the patched version). The orphaned manifest file was removed in PR #16235.
devin-ai-integration
Bot
changed the title
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
Claude Code Review
This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.
Tip: disable this comment in your organization's Code Review settings.
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Resolves Dependabot alerts #2081 (CVE-2026-47265 — cross-origin redirect with per-request cookies) and #2080 (CVE-2026-47266 — deserialization of untrusted data).
Changes Made
.github/dependabot-alerts/alert-2081.mdBoth alerts reference
seed/python-sdk/basic-auth-pw-omitted/poetry.lockwhich no longer exists in the repository. The underlying fix was already applied:>=3.13.4,<4to>=3.14.0,<4in the Python SDK generator sourcepoetry.lockfiles contain aiohttp 3.14.0Testing
seed/python-sdk/basic-auth-pw-omitted/poetry.lockdoes not exist on mainseed/python-sdk/**/poetry.lockfiles contain aiohttp 3.14.0Link to Devin session: https://app.devin.ai/sessions/ee28e629dafa42b98e4aa41e96f51f5a