Signed-off-by: Ed Snible <snible@us.ibm.com>
Signed-off-by: Ed Snible <snible@us.ibm.com>
mrsabath
left a comment
Review Summary
Good CVE remediation PR bumping indirect dependency floors across 9 examples. Addresses CVE-2026-32871 (fastmcp), CVE-2026-34070 (langchain-core), CVE-2025-62727 (starlette), and CVE-2026-26007 (cryptography). Nice CVE comment annotations on each pin.
One issue: duplicate fastmcp entry in mcp/movie_tool/pyproject.toml.
Areas reviewed: Python (pyproject.toml dependency pins), lock files (spot-checked)
Commits: 2 commits, all signed-off ✓
CI status: All checks passing ✓
| "fastmcp>=2.11.0", | ||
| "requests>=2.32.3", | ||
| "authlib>=1.6.9", # Indirect; prevents CVE-2026-27962 | ||
| "fastmcp>=3.2.0", # Indirect; prevents CVE-2026-32871 |
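Review bot: the new `"fastmcp>=3.2.0"` line duplicates the existing `"fastmcp>=2.11.0"` entry in the same list and mislabels it "Indirect", since fastmcp is already a direct dependency of this example; change the existing line to `"fastmcp>=3.2.0", # prevents CVE-2026-32871` and drop the added one. Because 2.11.0 to 3.2.0 is a major-version jump, also confirm the example still imports and runs against fastmcp 3.x rather than relying on the resolver picking the higher floor.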
must-fix: Duplicate fastmcp dependency — the existing "fastmcp>=2.11.0" on line 8 is still present, and this adds a second "fastmcp>=3.2.0" entry. uv resolves to the higher bound so it works, but having two entries for the same package is incorrect.
Please update the existing line 8 entry to >=3.2.0 (with the CVE comment) and remove this duplicate.
Summary
This PR resolves some Critical CVEs reported by Dependabot for this repo.