
Migrate to uv, fix Dependabot vulnerabilities, upgrade deps #176

Open
dimoschi wants to merge 6 commits into main from security/dependabot-vulnerability-fixes

Conversation

@dimoschi
Contributor

Types of changes

What types of changes does your code introduce?
Put an x in the boxes that apply.

  • Bugfix (non-breaking change which fixes an issue).
  • New feature (non-breaking change which adds functionality).
  • Breaking change (fix or feature that would cause existing functionality not to work as expected).
  • Documentation Update (if none of the other choices applies).

Proposed changes

  • Migrate from poetry to uv: Convert pyproject.toml to PEP 621 format, replace poetry.lock with uv.lock. Export requirements.txt for Dependabot compatibility.
  • Fix Dependabot vulnerabilities: Pin aiohttp>=3.13.3 (8 alerts) and urllib3>=2.6.3 (3 alerts) as direct dependencies. The asyncmy critical alert (CVE-2025-65896) has no upstream fix, but the codebase is safe due to exclusive SQLAlchemy ORM usage (no raw SQL with user-controlled dict keys).
  • Update Dockerfiles: Switch base image to astral/uv:python3.13-bookworm-slim, collapse to single build stage, replace poetry install with uv sync.
  • Update CI workflows: Replace poetry with uv in test workflow. Add sync-requirements job to auto-export requirements.txt on lock changes. Pin all GitHub Actions to commit SHAs.
  • Fix test compatibility: Add colors field to role mock data for py-cord 2.7.
  • Upgrade safe dependencies: Bump prometheus-client (0.16->0.24), flake8-bugbear (23.12->24.12), pep8-naming (0.13->0.15), pre-commit (3.8->4.5).

Checklist

Put an x in the boxes that apply.

  • I have read and followed the CONTRIBUTING.md doc.
  • Lint and unit tests pass locally with my changes.
  • I have added the necessary documentation (if appropriate).

Additional context

All 227 tests pass. Docker base image builds successfully. Remaining outdated packages (pydantic v1, pytest, fastapi, hypercorn, ipython, flake8) are held back by tight upper bounds and would require separate migration efforts.
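The "Pin all GitHub Actions to commit SHAs" item above is the kind of change a reviewer wants to verify mechanically. The following is an added example, not code from this PR or repository: a small stdlib-only checker that scans workflow text for `uses:` references and reports any that are not pinned to a full 40-hex commit SHA (or are SHA-pinned without the conventional tag comment). The sample workflow and its SHAs are constructed for illustration.

```python
import re

# Matches a `uses:` line, capturing the action reference and an optional
# trailing comment (by convention the human-readable tag, e.g. "# v4.2.2").
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#\s*(.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_pinned_actions(workflow_text: str) -> list:
    """Return (line_no, ref, reason) for every action reference that is not
    pinned to a full commit SHA. Local (./path) and docker:// actions are
    skipped, since SHA pinning does not apply to them."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((line_no, ref, "no version at all"))
            continue
        _action, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            # Tags and branches are mutable: the referenced code can change
            # without the workflow file changing.
            findings.append((line_no, ref, "pinned to mutable ref %r" % version))
        elif not m.group(3):
            # Immutable, but reviewers and updaters cannot see which tag it is.
            findings.append((line_no, ref, "SHA without tag comment"))
    return findings


# Constructed sample workflow (not from the repository); SHAs are fake.
SAMPLE_WORKFLOW = """\
name: test
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1234567890abcdef1234567890abcdef12345678  # v4.2.2
      - uses: astral-sh/setup-uv@v5
      - uses: ./.github/actions/local-thing
      - uses: some-org/some-action@main
      - uses: other-org/other-action@abcdefabcdefabcdefabcdefabcdefabcdefabcd
"""

if __name__ == "__main__":
    for line_no, ref, reason in check_pinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {reason}")
```

Run it over each file under `.github/workflows/` before approving; an empty result means every third-party action is pinned to an immutable commit and annotated with its tag.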

dimoschi and others added 6 commits March 24, 2026 09:20
Migrate project from poetry to uv (PEP 621 format). Add aiohttp>=3.13.3
and urllib3>=2.6.3 as direct dependencies to address Dependabot alerts.
Export requirements.txt for continued Dependabot scanning.

Switch base image to astral/uv:python3.13-bookworm-slim, collapse to
single stage, replace poetry install with uv sync. Update .dockerignore
to include uv.lock instead of poetry.lock.

Replace poetry with uv in test workflow. Add sync-requirements job to
build workflow for Dependabot compatibility. Pin all GitHub Actions to
commit SHAs.

py-cord 2.7 requires a 'colors' key in role payload data. Add it to
role_data in test helpers to fix test suite import failure.

Bump prometheus-client 0.16->0.24, flake8-bugbear 23.12->24.12,
pep8-naming 0.13->0.15, pre-commit 3.8->4.5. No breaking changes
for current usage patterns.
@dimoschi dimoschi requested a review from makelarisjr as a code owner March 24, 2026 07:55
@codecov

codecov bot commented Mar 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.74%. Comparing base (0f08c66) to head (e6e7f74).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #176   +/-   ##
=======================================
  Coverage   61.74%   61.74%           
=======================================
  Files          50       50           
  Lines        2941     2941           
=======================================
  Hits         1816     1816           
  Misses       1125     1125           

