
fix(RELEASE-2180): resolve Python package vulnerabilities#648

Merged
querti merged 1 commit into
konflux-ci:mainfrom
querti:fix-python-vuln
Feb 11, 2026

Conversation

@querti

@querti querti commented Feb 6, 2026

Contributor

release-service-utils contained vulnerable packages for two reasons:

  • Its dependency, pubtools-pyxis, pinned urllib3 to an old vulnerable version. A new version without this constraint was released and bumped in pyproject.toml.
  • The supported Python version in pyproject.toml was >=3.9. Version 3.9 is no longer officially supported, which caused the uv lockfile to contain old package versions that are no longer getting updated for 3.9. It was fixed by bumping the minimum Python version to 3.10.

@snyk-io

snyk-io Bot commented Feb 6, 2026


Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Code Security 0 0 0 0 0 issues


@querti querti marked this pull request as ready for review February 6, 2026 11:06
davidmogar
davidmogar previously approved these changes Feb 10, 2026

release-service-utils contained vulnerable packages for two reasons:
- Its dependency, pubtools-pyxis, pinned urllib3 to an old
  vulnerable version. A new version without this constraint was
  released and bumped in pyproject.toml.
- The supported Python version in pyproject.toml was >=3.9. Version
  3.9 is no longer officially supported, which caused the uv
  lockfile to contain old package versions that are no longer getting
  updated for 3.9. It was fixed by bumping the minimum Python version to
  3.10.

Signed-off-by: Lubomir Gallovic <lgallovi@redhat.com>
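
The two causes named in the PR description and repeated in the commit message above (a requires-python floor on an end-of-life interpreter, which makes the resolver keep old releases that still support it, and a version cap that holds urllib3 at a vulnerable release) are both visible in pyproject.toml, and a small check can flag them before a scanner does. The script below is an added example, not code from release-service-utils or pubtools-pyxis: the end-of-life table, the sample pyproject data and every version number in it are constructed for illustration and should be checked against the python.org release schedule and the real project file. It only inspects direct dependencies; a cap carried by a transitive dependency, as the pubtools-pyxis one was, shows up only in the resolved lockfile, which this script does not read.

```python
"""Audit a pyproject.toml for the two problems the PR describes: a
requires-python floor on an end-of-life interpreter (so the resolver keeps
old wheels that still support it) and hard upper-bound pins that block
security updates.  Added example; not code from release-service-utils."""
import re
from datetime import date

# Hand-maintained CPython end-of-life table (assumption: check the python.org
# release schedule before relying on these dates).
PYTHON_EOL = {
    (3, 7): date(2023, 6, 27),
    (3, 8): date(2024, 10, 7),
    (3, 9): date(2025, 10, 31),
    (3, 10): date(2026, 10, 31),
}
# Constructed "audit day" matching the PR date, so the sample run is reproducible.
AUDIT_DAY = date(2026, 2, 6)

# One PEP 440 clause: operator followed by a version, e.g. ">=1.25" or "<1.27".
_CLAUSE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([0-9][0-9A-Za-z.*+!-]*)")
_NAME = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")
_EXTRAS = re.compile(r"^\s*\[[^\]]*\]")
UPPER_BOUND_OPS = {"<", "<=", "==", "===", "~="}


def parse_clauses(spec):
    """Split a specifier set such as '>=3.9,<4' into (operator, version) pairs."""
    return [(m.group(1), m.group(2)) for m in _CLAUSE.finditer(spec)]


def minimum_python(requires_python):
    """(major, minor) floor implied by requires-python, or None if it has no floor."""
    for op, ver in parse_clauses(requires_python):
        if op in (">=", "==", "~="):
            parts = ver.split(".")
            minor = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
            return (int(parts[0]), minor)
    return None


def python_floor_is_eol(requires_python, today):
    """True when the lowest interpreter the project accepts is past end-of-life."""
    eol = PYTHON_EOL.get(minimum_python(requires_python))
    return eol is not None and today >= eol


def split_requirement(req):
    """(normalized name, specifier) for a PEP 508 string; markers and extras dropped."""
    head = req.split(";", 1)[0]
    m = _NAME.match(head)
    name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
    spec = _EXTRAS.sub("", head[m.end():]).strip()
    return name, spec


def upper_bounded(deps):
    """Direct dependencies whose specifier caps the version (<, <=, ==, ===, ~=)."""
    flagged = []
    for req in deps:
        name, spec = split_requirement(req)
        if {op for op, _ in parse_clauses(spec)} & UPPER_BOUND_OPS:
            flagged.append((name, spec))
    return flagged


def audit(pyproject, today):
    """Run both checks over a parsed pyproject dict and return the findings."""
    project = pyproject.get("project", {})
    findings = []
    rp = project.get("requires-python", "")
    if rp and python_floor_is_eol(rp, today):
        findings.append(f"requires-python {rp!r} admits an end-of-life interpreter; "
                        "the resolver will keep old releases that still support it")
    for name, spec in upper_bounded(project.get("dependencies", [])):
        findings.append(f"{name} {spec} is capped; fixed releases above the cap are unreachable")
    return findings


def load_pyproject(text):
    """Parse pyproject.toml text (tomllib is in the standard library from Python 3.11)."""
    import tomllib
    return tomllib.loads(text)


# Constructed samples mirroring the before/after state in the PR description;
# the version numbers are illustrative, not the project's real ones.
SAMPLE_BEFORE = {"project": {"requires-python": ">=3.9",
                             "dependencies": ["pubtools-pyxis>=1.3", "urllib3>=1.25,<1.27"]}}
SAMPLE_AFTER = {"project": {"requires-python": ">=3.10",
                            "dependencies": ["pubtools-pyxis>=1.4", "urllib3>=2"]}}

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(sample, AUDIT_DAY) or ["clean"])
```

To run it against a real file, pass `load_pyproject(open("pyproject.toml").read())` and `date.today()` to `audit`; an `==` pin is reported as a cap on purpose, since an exact pin blocks security releases just as a `<` bound does.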
@querti

querti commented Feb 10, 2026

Contributor Author

Sorry for re-requesting review; looks like the rebase dismissed it.

@seanconroy2021 seanconroy2021 left a comment

Member


LGTM

@querti querti added this pull request to the merge queue Feb 11, 2026
Merged via the queue into konflux-ci:main with commit ef0fabe Feb 11, 2026
8 checks passed
@querti querti deleted the fix-python-vuln branch February 11, 2026 11:21
4 participants