Fix security vulnerabilities #1

Merged

irfan merged 11 commits from security-fix into master 2025-12-31 15:28:40 +08:00

Conversation 0 Commits 11 Files changed 3 +21 -26

irfan commented 2025-12-31 13:16:16 +08:00

Owner

Copy link

Changes

• Upgrade base image dim to 0.4.0-stable-r1 with upgrades to address security vulnerability reports
• Upgraded libraries to address security vulnerability reports: h11, redis, cryptography
• Upgraded atproto and its dependencies to meet cryptography version constraints
• backports.zoneinfo is only included to be installed for python versions < 3.9
• Removed build step in alpine that is no longer needed in the newer included python version

Related issues/PRs

• irfan/dim#1

# Changes - Upgrade base image `dim` to `0.4.0-stable-r1` with upgrades to address security vulnerability reports - Upgraded libraries to address security vulnerability reports: `h11`, `redis`, `cryptography` - Upgraded `atproto` and its dependencies to meet `cryptography` version constraints - `backports.zoneinfo` is only included to be installed for python versions < `3.9` - Removed build step in alpine that is no longer needed in the newer included python version # Related issues/PRs - https://git.moekai.net/irfan/dim/pulls/1

irfan added 9 commits 2025-12-31 13:16:17 +08:00

Upgrade requests by inheriting from base image ... 7790264373

Fixes security vulnerabilities:

- CVE-2025-66471
- CVE-2025-66418
- CVE-2024-47081
- CVE-2025-50181
- CVE-2025-50182

backports.zoneinfo is only needed in python < 3.9 6afb26e444

Upgrade redis to 7.1.0 ... d0e673f5d4

Fixes security vulnerabilities:

- CVE-2023-28858
- CVE-2023-28859

Upgrade h11 to 0.16.0 ... 73df0c08ef

Fixes CVE-2025-43859

Upgrade cryptography to 46.0.3 ... 6eb39bbaae

Fixes CVE-2024-12797

Upgrade atproto to 0.0.65 to meet cryptography constraints ... b47f4394cc

atproto 0.0.55 constraint: cryptography >=41.0.7, <44

Upgrade atproto 0.0.65 dependencies ... 5d2fa0ca77

Includes new dependency: typing-inspection

Remove step needed for old python 3.8 b676df3913

Use typing-extensions already bundled in dim 482e4c754d

irfan added the

bug

enhancement

labels 2025-12-31 13:17:05 +08:00

irfan added 1 commit 2025-12-31 15:21:54 +08:00

Remove commented libs from requirements cab2a7e0e2

irfan added 1 commit 2025-12-31 15:27:17 +08:00

Upgrade base image dim to 0.4.0-stable-r1 0e712577cd

irfan merged commit 9f75c9e86e into master 2025-12-31 15:28:40 +08:00

irfan referenced this pull request from a commit 2025-12-31 15:28:41 +08:00

Merge pull request 'Fix security vulnerabilities' (#1) from security-fix into master

irfan deleted branch security-fix 2025-12-31 15:28:45 +08:00

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

bug

Something is not working

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

help wanted

Need some help

  

invalid

Something is wrong

  

question

More information is needed

  

wontfix

This won't be fixed

No labels

bug

duplicate

enhancement

help wanted

invalid

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

irfan/mango!1

No description provided.