Bundle dependency updates, harden Dependabot reviews by lelia · Pull Request #207 · SocketDev/socket-python-cli

lelia · 2026-05-29T02:37:07Z

Summary

A maintenance-focused PR with two threads:

Bundle dependency updates — twelve outstanding Dependabot PRs (nine main-app uv deps + three e2e fixture manifests), all verified through Socket Firewall (sfw) before bundling. idna 3.11 → 3.15 is security-motivated — pulls in the fix for CVE-2026-45409 (a quadratic-time DoS that bypassed the earlier CVE-2024-3651 mitigation); the rest are version-currentness hygiene.
Harden Dependabot review — the repo had no explicit dependabot.yml (hence the pileup). Adds grouped/cooldowned Dependabot config, a dependabot-review workflow that runs anonymous Socket Firewall smoke jobs on every Dependabot PR (no API secret required), and lock-drift / import-smoke / pip-audit guards to python-tests.

Dependencies (closes 12 Dependabot PRs)

PR	Package	Bump	Notes
#205	idna	3.11 → 3.15	CVE-2026-45409 fix
#210	uv	0.9.21 → 0.11.17	latest (Dependabot targeted 0.11.15)
#200	urllib3	2.6.3 → 2.7.0
#198	gitpython	3.1.46 → 3.1.50
#190	python-dotenv	1.2.1 → 1.2.2
#188	pytest	9.0.2 → 9.0.3
#181	cryptography	46.0.5 → 46.0.7
#177	pygments	2.19.2 → 2.20.0
#175	requests	2.32.5 → 2.33.0
#209	axios (e2e/simple-npm)	1.15.0 → 1.16.1	latest (Dependabot targeted 1.16.0)
#187	requests (e2e/simple-pypi)	2.31.0 → 2.33.0
#186	flask (e2e/simple-pypi)	3.0.0 → 3.1.3

All twelve final versions installed clean through sfw (Socket Firewall Free) across the full transitive tree.

Dependabot review hardening

.github/dependabot.yml (new). Groups Python minor/patch into a weekly PR plus a separate major-update PR; groups GitHub Actions; tracks Docker separately; 7-day cooldown. The e2e fixtures under tests/e2e/fixtures/ are excluded by omission (no ecosystem registered against those paths) — fixture pins should be chosen for supply-chain signal, not auto-rolled. Pattern adapted from SocketDev/socket-basics.
.github/workflows/dependabot-review.yml (new). On every Dependabot PR: inspect changed files, then conditionally run Socket Firewall (sfw) install smoke jobs against the affected manifests. sfw uses the anonymous Socket public-data path — no API key, so this runs under the standard pull_request context with no pull_request_target and no token-leak surface. The key property that makes it safe for fork / Dependabot / external-contributor PRs.
python-tests.yml gains: uv lock --locked drift check, top-level import smoke (catches API-removal breaks from upgraded deps), and pip-audit on the locked deps.
e2e-test.yml now skips on Dependabot PRs (no SOCKET_CLI_API_TOKEN access); the sfw smoke jobs cover the supply-chain check without the secret.

Housekeeping

.gitignore reorganized into labeled, sorted sections; added .context/, coverage.xml, .pytest_cache/, vim swap files. Dropped a stray `*.cpython-312.pyc`` line with a literal-backtick typo.
Backfilled missing CHANGELOG entries for 2.2.81, 2.2.85, 2.2.86, 2.2.88, 2.2.89, 2.2.91, and 2.2.92.

Test plan

Automated (local, all green):

Full unit + core suite — 242 passed, 2 pre-existing skips
uv lock --locked drift check
Top-level import smoke across upgraded packages
Socket Firewall install path for all final dependency versions

Pending on the PR:

CI: python-tests + e2e-test + dependabot-review workflows

socket-security-staging · 2026-05-29T02:37:39Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Vulnerability
pypi/pytest@9.0.2 ⏵ 9.0.3	⁺¹	⁺²
pypi/gitpython@3.1.46 ⏵ 3.1.50		⁺⁵⁰
pypi/python-dotenv@1.2.1 ⏵ 1.2.2	⁺¹	⁺²
pypi/requests@2.32.5 ⏵ 2.33.0	⁺¹	⁺²
pypi/uv@0.9.21 ⏵ 0.11.17	⁺¹	⁺³

View full report

github-actions · 2026-05-29T02:37:47Z

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.93.dev4

Docker image: socketdev/cli:pr-207

socket-security · 2026-05-29T02:37:55Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Vulnerability
pypi/pytest@9.0.2 ⏵ 9.0.3	⁺¹	⁺²
pypi/gitpython@3.1.46 ⏵ 3.1.50		⁺⁵⁰
pypi/python-dotenv@1.2.1 ⏵ 1.2.2	⁺¹	⁺²
pypi/requests@2.32.5 ⏵ 2.33.0	⁺¹	⁺²
pypi/uv@0.9.21 ⏵ 0.11.17	⁺¹	⁺³

View full report

Reorganizes .gitignore into labeled sections (Python cache, venvs, build artifacts, IDE, OS, logs, env files, generated output, project scratch, Conductor) with sorted entries within each group and trailing slashes on directory patterns for clarity. Folds in three smaller intents that would otherwise be separate commits: - Add .context/ for Conductor workspaces (collaboration scratch) - Add coverage.xml + .pytest_cache/ to fully cover pytest-cov outputs (.coverage.* and htmlcov/ were already on main from prior work) - Add *.swp / *.swo for vim swap files Drops the stale `*.cpython-312.pyc\`` line with a literal-backtick typo; it wasn't matching anything and `*.pyc` already covers the case. No behavior changes anyone would notice from the resulting rule set. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

The repo had no explicit Dependabot config, so Dependabot ran on full defaults: one PR per package per manifest, across every manifest in the tree -- including the e2e test fixtures that are intentionally crafted to exercise Socket's scanner. The cumulative result was the "PR pileup" this PR is consolidating. New config: - uv ecosystem (main app): grouped weekly into ONE minor/patch PR and one major PR; matches the existing python:uv labeling - github-actions: grouped weekly into ONE minor/patch PR - docker: separate weekly PR per Dockerfile change - 7-day cooldown across all ecosystems to give upstream time to pull bad releases - e2e fixtures (tests/e2e/fixtures/{simple-npm,simple-pypi}) are INTENTIONALLY excluded -- their pins should be chosen for supply- chain signal, not auto-bumped (this is why we had three fixture PRs in the cleanup) Pattern adapted from SocketDev/socket-basics. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

For every Dependabot-authored PR, inspect what changed and conditionally run Socket Firewall (sfw) install smoke jobs against the affected manifests. Because sfw uses the anonymous Socket public-data API it needs NO secret, so this runs cleanly under the standard `pull_request` context -- no pull_request_target, no token-leak surface. Jobs (all conditional on file diff): - python-sfw-smoke: pyproject.toml / uv.lock -> `sfw uv sync` plus an import smoke on the modules that depend on the upgraded packages (cryptography, gitpython, requests, ...). Catches API-removal breaks from minor/patch deprecations. - fixture-npm-sfw-smoke: tests/e2e/fixtures/simple-npm/** -> `sfw npm install` in a clean cwd. - fixture-pypi-sfw-smoke: tests/e2e/fixtures/simple-pypi/** -> `sfw pip install -r requirements.txt` in a clean venv. - dockerfile-smoke: `docker build --pull` (no push) when the Dockerfile changes. - workflow-notice: Flag Dependabot PRs that touch workflow or dependabot config files for explicit human review (anti-supply-chain-confusion guardrail). Pattern adapted from SocketDev/socket-basics dependabot-review.yml. Action SHAs match the pins already in python-tests.yml and e2e-test.yml so zizmor stays happy. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Eric Hibbs (flowstate)

LGTM, will re-review if the unit test fixes involve real changes

python-tests.yml: - `uv lock --locked` -- fails if uv.lock has drifted from pyproject.toml. Prevents the "forgot to commit the lockfile" class of mistake. - Import smoke step that loads every top-level module touching the upgraded packages (cryptography, gitpython, requests, urllib3, ...). Catches API-removal breaks from minor/patch deprecations that the unit suite alone wouldn't surface. - `uvx pip-audit --strict` against the synced env -- light CVE check on the resolved transitive tree. Runs in seconds via uv's caching. e2e-test.yml: - Skip e2e on Dependabot PRs. They don't have access to the Socket API secret so e2e would always fail on them, polluting the PR check UI. Supply-chain risk for dep bumps is covered by dependabot-review.yml's Socket Firewall smoke jobs, which need no secrets. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

`uvx pip-audit --disable-pip` requires `-r` plus either hashed requirements or `--no-deps`. The previous invocation crashed at start. Now: export the locked deps via `uv export --no-hashes --no-emit-project` into a tmp requirements file (skipping the local editable install of the project itself), then feed that to pip-audit with `--disable-pip --no-deps`. Verified locally -- no known vulnerabilities found across the 85 locked transitive deps. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Bundles the nine open Dependabot PRs against the main app into a single uv.lock regeneration. Where Dependabot's target trailed the latest published release, we went to the current latest and re-verified through sfw: - urllib3 2.6.3 -> 2.7.0 (closes #200) - gitpython 3.1.46 -> 3.1.50 (closes #198) - python-dotenv 1.2.1 -> 1.2.2 (closes #190) - pytest 9.0.2 -> 9.0.3 (closes #188) - uv 0.9.21 -> 0.11.17 (closes #210; Dependabot targeted 0.11.15) - cryptography 46.0.5 -> 46.0.7 (closes #181) - pygments 2.19.2 -> 2.20.0 (closes #177) - requests 2.32.5 -> 2.33.0 (closes #175) - idna 3.11 -> 3.15 (closes #205, CVE-2026-45409) idna 3.14 fixed CVE-2026-45409 -- a quadratic-time DoS via oversized inputs that bypassed the earlier CVE-2024-3651 mitigation. The rest are hygiene. All nine final versions verified clean through Socket Firewall (sfw) on the full transitive tree. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Closes the open Dependabot PRs against the e2e test fixtures. axios went to the current latest (1.16.1) rather than Dependabot's 1.16.0 target: - tests/e2e/fixtures/simple-npm: axios 1.15.0 -> 1.16.1 (closes #209) - tests/e2e/fixtures/simple-pypi: requests 2.31.0 -> 2.33.0 (closes #187) - tests/e2e/fixtures/simple-pypi: flask 3.0.0 -> 3.1.3 (closes #186) These fixtures were stale rather than intentionally pinned. Socket Firewall verified the install paths. The new .github/dependabot.yml intentionally excludes tests/e2e/fixtures/** from future auto-bumps. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

Patch release. Scope is maintenance only: dependency bundle + Dependabot review hardening + housekeeping + CHANGELOG backfill. No behavior changes. Targets 2.2.93 (not 2.2.92) to stay ahead of an in-flight 2.2.92 bug-fix release landing separately. CHANGELOG: 2.2.93 entry for this PR, plus backfilled entries for 2.2.81, 2.2.85, 2.2.86, 2.2.88, 2.2.89, and 2.2.91 (the #180 backfill covered 2.2.74-2.2.80; main reached 2.2.91 via #199 without a CHANGELOG note). Version refs synced across pyproject.toml, socketsecurity/__init__.py, and uv.lock per the version-incrementation CI check. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

…xit-handling Resolve conflicts: - pyproject.toml / __init__.py / uv.lock: keep 2.3.0 (supersedes main's 2.2.93) - CHANGELOG.md: keep both — 2.3.0 on top, then 2.2.93/2.2.92/2.2.91 from main Dependency bumps from #207 (idna 3.15, urllib3, etc.) carried through; uv lock --check passes. Signed-off-by: lelia <2418071+lelia@users.noreply.github.com>

lelia requested a review from a team as a code owner May 29, 2026 02:37

lelia added 3 commits May 29, 2026 17:14

lelia force-pushed the lelia/bundle-deps-harden-dependabot branch from 8717be9 to 4663c2a Compare May 29, 2026 21:17

Eric Hibbs (flowstate) approved these changes May 29, 2026

View reviewed changes

lelia added 4 commits May 29, 2026 17:42

lelia force-pushed the lelia/bundle-deps-harden-dependabot branch 2 times, most recently from b3c92a0 to f21851f Compare May 29, 2026 21:43

lelia force-pushed the lelia/bundle-deps-harden-dependabot branch from f21851f to 0df3247 Compare May 29, 2026 21:52

lelia merged commit 6969361 into main May 29, 2026
21 checks passed

lelia mentioned this pull request May 29, 2026

Dependabot hardening: Fix CI checks, adopt sfw-action #217

Open

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bundle dependency updates, harden Dependabot reviews#207

Bundle dependency updates, harden Dependabot reviews#207
lelia merged 8 commits into
mainfrom
lelia/bundle-deps-harden-dependabot

lelia commented May 29, 2026 •

edited

Loading

Uh oh!

socket-security-staging Bot commented May 29, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented May 29, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented May 29, 2026 •

edited

Loading

Uh oh!

Eric Hibbs (flowstate) left a comment •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

lelia commented May 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Dependencies (closes 12 Dependabot PRs)

Dependabot review hardening

Housekeeping

Test plan

Uh oh!

socket-security-staging Bot commented May 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions Bot commented May 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security Bot commented May 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Eric Hibbs (flowstate) left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

lelia commented May 29, 2026 •

edited

Loading

socket-security-staging Bot commented May 29, 2026 •

edited

Loading

github-actions Bot commented May 29, 2026 •

edited

Loading

socket-security Bot commented May 29, 2026 •

edited

Loading

Eric Hibbs (flowstate) left a comment •

edited

Loading