
Bump aieng-platform-onboard from 0.4.0 to 0.6.5 #101

Merged

amrit110 merged 2 commits into main from dependabot/uv/aieng-platform-onboard-0.6.5 on May 4, 2026

Conversation

dependabot[bot] (Contributor) commented on behalf of GitHub on May 1, 2026

Bumps aieng-platform-onboard from 0.4.0 to 0.6.5.

Release notes

Sourced from aieng-platform-onboard's releases.

aieng-platform-onboard v0.6.4

What's Changed

Full Changelog: VectorInstitute/aieng-platform@v0.6.3...v0.6.4

aieng-platform-onboard v0.6.3

What's Changed

Full Changelog: VectorInstitute/aieng-platform@v0.6.2...v0.6.3

v0.6.2

What's Changed

Full Changelog: VectorInstitute/aieng-platform@v0.6.1...v0.6.2

aieng-platform-onboard v0.6.1

What's Changed

Full Changelog: VectorInstitute/aieng-platform@v0.6.0...v0.6.1

aieng-platform-onboard v0.6.0

What's Changed

Full Changelog: VectorInstitute/aieng-platform@v0.5.4...v0.6.0

v0.5.4

Full Changelog: VectorInstitute/aieng-platform@v0.5.3...v0.5.4

aieng-platform-onboard v0.5.3

What's Changed

... (truncated)

Commits
  • c6b9eb0 ci: switch to PyPI Trusted Publishers and bump to v0.6.5
  • 9b28fcb [pre-commit.ci] pre-commit autoupdate (#85)
  • 84078e8 [pre-commit.ci] pre-commit autoupdate (#84)
  • 6a8e906 Bump up package to 0.6.4
  • 98574a2 Add offboard cmd for coder as well (#83)
  • 79bf027 [pre-commit.ci] pre-commit autoupdate (#82)
  • 418ab80 [pre-commit.ci] pre-commit autoupdate (#81)
  • b8a27ab Style template icons in analytics dashboard
  • bc44333 Fetch template icons (#80)
  • 8c3b6a4 Merge branch 'main' of github.com:VectorInstitute/aieng-platform
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [aieng-platform-onboard](https://github.com/VectorInstitute/aieng-platform) from 0.4.0 to 0.6.5.
- [Release notes](https://github.com/VectorInstitute/aieng-platform/releases)
- [Commits](VectorInstitute/aieng-platform@v0.4.0...v0.6.5)

---
updated-dependencies:
- dependency-name: aieng-platform-onboard
  dependency-version: 0.6.5
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and python:uv (Pull requests that update python:uv code) on May 1, 2026
amrit110 (Member) commented on May 2, 2026

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because the vulnerable package version is pinned by an upstream dependency that has not yet released a fix:

Package   Version   Vulnerability         Status
authlib   1.6.9     GHSA-jj8c-mmj3-mmgv   Blocked by upstream pin

Why this cannot be auto-fixed

A patched version of authlib (1.6.11) exists on PyPI, but aieng-platform-onboard==0.6.5 (the package this PR is bumping to) pins authlib==1.6.9 exactly in its own dependencies. There is no newer version of aieng-platform-onboard on PyPI (0.6.5 is the latest) that relaxes this pin.

Upgrading authlib directly in this project conflicts with aieng-platform-onboard==0.6.5's exact pin, making the dependency resolution unsatisfiable.

Recommended next steps

  1. File an issue with the aieng-platform-onboard maintainers requesting they update their authlib pin to >=1.6.11
  2. Once a new version of aieng-platform-onboard is released with the updated authlib pin, dependabot will open a new PR that aieng-bot can merge automatically
  3. Consider whether a temporary pip-audit ignore exception for GHSA-jj8c-mmj3-mmgv is appropriate while waiting for upstream (requires human review and approval)

This PR will not be auto-merged until the vulnerability is resolved.

amrit110 (Member) commented on May 3, 2026

Security Vulnerability — No Patch Available Yet

aieng-bot found the following security vulnerabilities reported by pip-audit, but cannot fix them automatically because no compatible patched version is available:

Package   Version   Vulnerability         Status
authlib   1.6.9     GHSA-jj8c-mmj3-mmgv   No fix available (upstream pin blocks upgrade)

Why this cannot be auto-fixed

aieng-platform-onboard==0.6.5 (the package this PR upgrades to) has an exact pin on authlib==1.6.9. While authlib 1.6.11 exists on PyPI and fixes this CSRF vulnerability, it is incompatible with aieng-platform-onboard==0.6.5's strict pin. There is no higher version of aieng-platform-onboard currently available on PyPI that relaxes this constraint.

A fix requires the aieng-platform-onboard maintainers to release a new version that allows authlib>=1.6.11.

Recommended next steps

  1. Contact the aieng-platform-onboard maintainers to request a release that bumps the authlib pin to >=1.6.11
  2. Once a compatible release is published to PyPI, Dependabot can re-run and aieng-bot can auto-merge
  3. Consider whether a pip-audit ignore exception for GHSA-jj8c-mmj3-mmgv can be added temporarily with justification (requires human review)

This PR will not be auto-merged until the vulnerability is resolved.

Override aieng-platform-onboard's exact authlib==1.6.9 pin using
uv override-dependencies to resolve the CSRF vulnerability in authlib's
OAuth cache feature. Authlib resolved to 1.7.0.

Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>
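The override the merged commit describes, written out as an added example of the uv configuration. This is not the repository's actual pyproject.toml (the page does not show it); the `[tool.uv] override-dependencies` key is uv's documented mechanism for replacing a transitive requirement during resolution, while the project name, the `dev` dependency-group name and the surrounding fields are assumptions:

```toml
[project]
name = "example-project"            # assumed; not the real project name
version = "0.1.0"
requires-python = ">=3.11"

# aieng-platform-onboard is a development dependency in this PR
# (dependency-type: direct:development), so it sits in a dependency group.
# The group name "dev" is an assumption.
[dependency-groups]
dev = [
    "aieng-platform-onboard==0.6.5",
]

[tool.uv]
# aieng-platform-onboard 0.6.5 declares authlib==1.6.9 exactly, so any
# resolution that also requires the patched 1.6.11+ is unsatisfiable.
# An override replaces that transitive requirement wholesale: uv resolves
# authlib against this specifier instead of the upstream pin. The merged
# commit reports that this resolved to authlib 1.7.0.
override-dependencies = [
    "authlib>=1.6.11",
]
```

After the edit, `uv lock` regenerates uv.lock with the overridden authlib and a re-run of pip-audit should no longer report GHSA-jj8c-mmj3-mmgv. Two caveats a reviewer would want on record: `constraint-dependencies` would not have worked here, because constraints are intersected with existing requirements and `authlib==1.6.9` intersected with `>=1.6.11` is empty, whereas an override discards the upstream requirement entirely; and that discard also throws away aieng-platform-onboard's own compatibility claim, so the onboard/offboard commands were never tested by upstream against authlib 1.7.0. Smoke-test them after locking, and remove the override once a release relaxes the pin, otherwise it keeps silently replacing whatever future upstream versions declare.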
amrit110 merged commit 2527b37 into main on May 4, 2026
7 checks passed
amrit110 deleted the dependabot/uv/aieng-platform-onboard-0.6.5 branch on May 4, 2026 01:01