
[pre-commit.ci] pre-commit autoupdate#104

Merged
amrit110 merged 4 commits into main from pre-commit-ci-update-config on Apr 21, 2026

Conversation

@pre-commit-ci pre-commit-ci Bot (Contributor) commented Apr 20, 2026

@amrit110 (Member)

Security Vulnerability — Partial Fix Applied

aieng-bot fixed 3 of 4 vulnerable packages. One vulnerability cannot be auto-fixed because of a hard pin in a dependency:

✅ Fixed

| Package | Old Version | New Version | Vulnerability |
|---|---|---|---|
| pypdf | 6.10.0 | ≥6.10.2 | GHSA-jj6c-8h6c-hppx, GHSA-4pxv-j86v-mhcw, GHSA-7gw9-cf7v-778f, GHSA-x284-j5p8-9c5p (DoS via crafted PDFs) |
| google-adk | 1.23.0 | ≥1.28.1 | CVE-2026-4810 (code injection / missing authentication) |
| python-multipart | 0.0.22 | ≥0.0.26 | CVE-2026-40347 (DoS via crafted multipart preamble/epilogue) |

❌ Cannot Fix — No Patch Available

| Package | Version | Vulnerability | Status |
|---|---|---|---|
| authlib | 1.6.9 | GHSA-jj8c-mmj3-mmgv | Blocked: aieng-platform-onboard (all versions ≤0.6.5) pins authlib==1.6.9 exactly |

Why this cannot be auto-fixed

aieng-platform-onboard>=0.6.3 requires authlib==1.6.9 (exact pin), which conflicts with the patched version authlib>=1.6.11. Upgrading authlib is impossible until aieng-platform-onboard releases a new version relaxing this pin.

Recommended next steps

  1. Open an issue / PR against aieng-platform-onboard to update its authlib constraint to >=1.6.11
  2. Once aieng-platform-onboard releases a compatible version, re-run aieng-bot to apply the final fix
  3. As a temporary workaround, add GHSA-jj8c-mmj3-mmgv to the ignore-vulns list in .github/workflows/code_checks.yml with a justification comment (requires human review)

This PR will not be auto-merged until the authlib vulnerability is resolved.
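The comment above describes why the authlib fix is stuck: the patched floor (authlib>=1.6.11) and the exact pin carried by aieng-platform-onboard (authlib==1.6.9) have no version in common, so a resolver cannot pick one. The script below is an added example, not code from this PR, from aieng-bot or from the project; it shows the check in miniature: parse a set of single-clause requirement specifiers, report which constraints rule out every version at or above the patched floor, and confirm that no candidate version satisfies all constraints. The requirement list is constructed for the example; the package names and versions come from the PR comment.

```python
"""Find the constraint that blocks a security upgrade.

Added example, not code from this PR, from aieng-bot or from the project.
It models the conflict described in the PR comment: the patched floor for
authlib is >=1.6.11, but aieng-platform-onboard pins authlib==1.6.9, so no
single version satisfies both. The requirement list below is constructed
for the example; package names and versions are taken from the PR comment.
"""
import re
from typing import List, NamedTuple, Tuple


class Constraint(NamedTuple):
    owner: str               # requirement that introduces the constraint
    package: str             # normalized (lower-case) package name
    op: str                  # one of ==, !=, >=, >, <=, <
    version: Tuple[int, ...]


# Single-clause specifier such as 'authlib==1.6.9' or 'pypdf>=6.10.2'.
_SPEC_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|!=|>=|<=|>|<)\s*([0-9][0-9.]*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.6.11' -> (1, 6, 11); tuples compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_requirement(owner: str, spec: str) -> Constraint:
    """Parse one specifier clause; multi-clause and wildcard specs are rejected."""
    match = _SPEC_RE.match(spec.strip())
    if not match:
        raise ValueError(f"unsupported specifier: {spec!r}")
    name, op, version = match.groups()
    return Constraint(owner, name.lower(), op, parse_version(version))


def satisfies(version: Tuple[int, ...], constraint: Constraint) -> bool:
    """Evaluate a parsed version against a single constraint."""
    checks = {
        "==": version == constraint.version,
        "!=": version != constraint.version,
        ">=": version >= constraint.version,
        ">": version > constraint.version,
        "<=": version <= constraint.version,
        "<": version < constraint.version,
    }
    return checks[constraint.op]


def can_install(constraints: List[Constraint], package: str, candidate: str) -> bool:
    """True if `candidate` satisfies every constraint recorded for `package`."""
    version = parse_version(candidate)
    return all(satisfies(version, c) for c in constraints if c.package == package.lower())


def blocking_constraints(constraints: List[Constraint], package: str,
                         patched_floor: str) -> List[Constraint]:
    """Constraints that rule out every version >= patched_floor.

    Only exact pins and upper bounds can block an upgrade: an '==' pin below
    the floor, a '<' bound at or below the floor, or a '<=' bound below it.
    """
    floor = parse_version(patched_floor)
    blockers = []
    for c in constraints:
        if c.package != package.lower():
            continue
        if ((c.op == "==" and c.version < floor)
                or (c.op == "<" and c.version <= floor)
                or (c.op == "<=" and c.version < floor)):
            blockers.append(c)
    return blockers


def report(requirements, package: str, patched_floor: str) -> List[str]:
    """Human-readable 'owner requires package<op>version' lines for each blocker."""
    constraints = [parse_requirement(owner, spec) for owner, spec in requirements]
    return [
        f"{b.owner} requires {b.package}{b.op}{'.'.join(map(str, b.version))}"
        for b in blocking_constraints(constraints, package, patched_floor)
    ]


# Constructed requirement set mirroring the PR comment: (owner, specifier).
CONSTRUCTED_REQUIREMENTS = [
    ("project", "authlib>=1.6.11"),                # the patched floor we want
    ("project", "pypdf>=6.10.2"),
    ("aieng-platform-onboard", "authlib==1.6.9"),  # the exact pin that blocks it
    ("aieng-platform-onboard", "pypdf>=6.0.0"),
]

if __name__ == "__main__":
    for line in report(CONSTRUCTED_REQUIREMENTS, "authlib", "1.6.11"):
        print("authlib upgrade blocked:", line)
    print("pypdf upgrade blocked by:", report(CONSTRUCTED_REQUIREMENTS, "pypdf", "6.10.2"))
```

For authlib the report names the aieng-platform-onboard pin, and `can_install` returns False for both 1.6.9 and 1.6.11, which is the unresolvable state a lock-file regeneration hits; for pypdf both owners accept 6.10.2, so the upgrade goes through. The parser deliberately handles only one clause per specifier, so a real requirements set would need to be split per clause (or fed through the `packaging` library) before running this check.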

pre-commit-ci Bot and others added 2 commits April 21, 2026 18:01
updates:
- [github.com/astral-sh/uv-pre-commit: 0.11.6 → 0.11.7](astral-sh/uv-pre-commit@0.11.6...0.11.7)
- [github.com/astral-sh/ruff-pre-commit: v0.15.10 → v0.15.11](astral-sh/ruff-pre-commit@v0.15.10...v0.15.11)
- pypdf >=6.10.0 → >=6.10.2: fixes GHSA-jj6c-8h6c-hppx, GHSA-4pxv-j86v-mhcw,
  GHSA-7gw9-cf7v-778f, GHSA-x284-j5p8-9c5p (DoS via crafted PDFs)
- google-adk >=1.23.0 → >=1.28.1: fixes CVE-2026-4810 (code injection /
  missing auth)
- python-multipart >=0.0.26: fixes CVE-2026-40347 (DoS via crafted
  multipart preamble/epilogue)

authlib (GHSA-jj8c-mmj3-mmgv) cannot be patched: aieng-platform-onboard
pins authlib==1.6.9 exactly, blocking the upgrade to >=1.6.11.

Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>
@amrit110 amrit110 force-pushed the pre-commit-ci-update-config branch from 1f71fd3 to c02614a on April 21, 2026 18:02
aieng-bot[bot] added 2 commits April 21, 2026 18:06
- Pin langfuse to <4.0.0 to prevent breaking API changes in 4.x
- Resolve merge conflicts in pyproject.toml files (prefer detailed comments)
- Regenerate uv.lock with compatible langfuse 3.x

Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>
html-to-markdown 3.x returns ConversionResult instead of str,
breaking web.py which expects string-like objects.

Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>
@amrit110 amrit110 merged commit 1ed5382 into main Apr 21, 2026
3 checks passed
@amrit110 amrit110 deleted the pre-commit-ci-update-config branch April 21, 2026 18:11