fix: Update dependencies to address 14 Dependabot security alerts (#94)

rusiaaman · web-flow · commit 1b07024b25f4 · 2026-01-27T12:54:21.000+05:30
* fix: update dependencies to address security vulnerabilities

Security fixes for Dependabot alerts:
- mcp: 1.9.2 -&gt; 1.26.0 (fixes CVE for DNS rebinding, DoS vulnerabilities)
- filelock: 3.18.0 -&gt; 3.20.3 (fixes TOCTOU symlink vulnerabilities)
- starlette: 0.46.2 -&gt; 0.50.0 (fixes Range header DoS, multipart DoS)
- python-multipart: 0.0.20 -&gt; 0.0.22 (fixes arbitrary file write)
- urllib3: removed (no longer needed as transitive dep)
- requests: removed (no longer needed as transitive dep)

Updated pyproject.toml to require mcp&gt;=1.23.0 (was &gt;=1.7.0).
All 63 tests pass.

* fix: resolve mypy strict errors after dependency upgrades

- Remove redundant cast(Diff, ...) in repo_context.py (pygit2 types improved)
- Add None check for patch iteration in repo_context.py
- Remove unused 'cast' and 'Diff' imports
- Remove obsolete type: ignore comments in bash_state.py (pexpect types improved)
diff --git a/pyproject.toml b/pyproject.toml
@@ -26,7 +26,7 @@ dependencies = [
     "psutil>=7.0.0",
     "tree-sitter>=0.24.0",
     "tree-sitter-bash>=0.23.3",
-    "mcp>=1.7.0",
+    "mcp>=1.23.0",
     "wcmatch>=10.1",
 ]
 
diff --git a/src/wcgw/client/bash_state/bash_state.py b/src/wcgw/client/bash_state/bash_state.py
@@ -382,7 +382,7 @@ def start_shell(
     try:
         shell = pexpect.spawn(
             cmd,
-            env=overrideenv,  # type: ignore[arg-type]
+            env=overrideenv,
             echo=True,
             encoding="utf-8",
             timeout=CONFIG.timeout,
@@ -398,7 +398,7 @@ def start_shell(
 
         shell = pexpect.spawn(
             "/bin/bash --noprofile --norc",
-            env=overrideenv,  # type: ignore[arg-type]
+            env=overrideenv,
             echo=True,
             encoding="utf-8",
             timeout=CONFIG.timeout,
diff --git a/src/wcgw/client/repo_ops/repo_context.py b/src/wcgw/client/repo_ops/repo_context.py
@@ -1,9 +1,9 @@
 import os
 from collections import deque
 from pathlib import Path  # Still needed for other parts
-from typing import Optional, cast
+from typing import Optional
 
-from pygit2 import Diff, GitError
+from pygit2 import GitError
 from pygit2.enums import SortMode
 from pygit2.repository import Repository
 
@@ -111,13 +111,15 @@ def get_recent_git_files(repo: Repository, count: int = 10) -> list[str]:
             # If we have a parent, get the diff between the commit and its parent
             if commit.parents:
                 parent = commit.parents[0]
-                diff = cast(Diff, repo.diff(parent, commit))
+                diff = repo.diff(parent, commit)
             else:
                 # For the first commit, get the diff against an empty tree
                 diff = commit.tree.diff_to_tree(context_lines=0)
 
             # Process each changed file in the diff
             for patch in diff:
+                if patch is None:
+                    continue
                 file_path = patch.delta.new_file.path
 
                 # Skip if we've already seen this file or if the file was deleted
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ dependencies = [`
`26`	`26`	`"psutil>=7.0.0",`
`27`	`27`	`"tree-sitter>=0.24.0",`
`28`	`28`	`"tree-sitter-bash>=0.23.3",`
`29`		`- "mcp>=1.7.0",`
	`29`	`+ "mcp>=1.23.0",`
`30`	`30`	`"wcmatch>=10.1",`
`31`	`31`	`]`
`32`	`32`