
fix(build): remediate CVEs, enforce equality pinning, repair Dependabot config#391

Merged: WilliamBerryiii merged 10 commits into main from fix/cve-remediation-dependabot-config on Apr 7, 2026

Conversation

@WilliamBerryiii (Member)

Description

Resolved 5 open CVEs, enforced strict equality (==) pinning across all 6 Python workspaces and exact semver pinning across all 3 npm workspaces, and repaired the Dependabot configuration to reflect current repository structure. Hardened the dependency pinning CI scanner to correctly validate pip ecosystems and fixed its dot-source guard that prevented standalone execution.

Closes #390

Type of Change

  • 🐛 Bug fix (non-breaking change fixing an issue)
  • ✨ New feature (non-breaking change adding functionality)
  • 💥 Breaking change (fix or feature causing existing functionality to change)
  • 📚 Documentation update
  • 🏗️ Infrastructure change (Terraform/IaC)
  • ♻️ Refactoring (no functional changes)

Component(s) Affected

  • infrastructure/terraform/prerequisites/ - Azure subscription setup
  • infrastructure/terraform/ - Terraform infrastructure
  • infrastructure/setup/ - OSMO control plane / Helm
  • workflows/ - Training and evaluation workflows
  • training/ - Training pipelines and scripts
  • docs/ - Documentation

Changes

CVE Remediation

Addressed 5 CVEs across Python and npm ecosystems:

  • Overrode lodash to 4.17.21 in root package-lock.json to resolve prototype pollution (CVE-2024-28863)
  • Pinned next to 15.2.4, prismjs to 1.30.0, nanoid to 3.3.9 via exact versions in docs/docusaurus/package.json
  • Pinned numpy to ==2.4.x and azure-identity to ==1.23.0+ across affected pyproject.toml files
  • Added qs override (6.14.2) in root package.json to resolve request smuggling vulnerability

Equality Pinning Enforcement

Converted all dependency version specifiers to strict equality:

  • 6 pyproject.toml files: replaced >=, ~=, and range operators with == across 28+ dependencies in data-management/viewer/backend/pyproject.toml alone, plus evaluation/, training/il/lerobot/, training/rl/, root, and data-management/viewer/
  • 3 package.json files: removed ^ and ~ range operators in data-management/viewer/frontend/, docs/docusaurus/, and root
  • Regenerated all 6 lockfiles (uv.lock × 3, package-lock.json × 3) to reflect pinned versions

Dependabot Configuration Repair

Rewrote .github/dependabot.yml from 12 entries (several invalid) to 14 valid entries:

  • Replaced pip ecosystem references with uv for all Python workspaces
  • Fixed stale directory paths that no longer matched repository structure
  • Added root npm ecosystem entry that was missing
  • Removed invalid docker ecosystem entry

CI Scanner Hardening

Updated shared/ci/security/Test-DependencyPinning.ps1 with 4 fixes:

  • Changed the dot-source guard from Write-Error + exit 1 to return, which prevented the script from being sourced by Pester
  • Added Get-PipDependencyViolations function for validating pip equality pinning in pyproject.toml and requirements.txt files
  • Updated Test-SHAPinning to apply ecosystem-specific validation patterns
  • Changed npm validation from SHA-based checks to exact semver matching

Added 4 new test fixtures in shared/ci/tests/Fixtures/Pip/ and updated the dot-source guard expectation in the Pester test file.

Workflow Update

Expanded the default dependency_types in .github/workflows/dependency-pinning-scan.yml to include github-actions,npm,pip,shell-downloads.

Testing Performed

  • Terraform plan reviewed (no unexpected changes)
  • Terraform apply tested in dev environment
  • Training scripts tested locally with Isaac Sim
  • OSMO workflow submitted successfully
  • Smoke tests passed (smoke_test_azure.py)

Additional testing performed:

  • npm audit (root): 0 vulnerabilities
  • npm audit (frontend): 0 vulnerabilities
  • npm audit (docusaurus): 25 remaining — all lodash transitive dependencies with no upstream fix available
  • uv lock --check across all 3 Python workspaces: locked and consistent
  • Pester dependency pinning scanner: 79/79 tests passing

Documentation Impact

  • No documentation changes needed
  • Documentation updated in this PR
  • Documentation issue filed

Bug Fix Checklist

  • Linked to issue being fixed
  • Regression test included, OR
  • Justification for no regression test:

Checklist

Additional Notes

25 lodash vulnerabilities remain in docs/docusaurus/package-lock.json. These are transitive dependencies of Docusaurus plugins with no safe lodash 4.x resolution available upstream. Tracked for future resolution when upstream packages update.
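The scanner changes described above (a `return`-based dot-source guard, and a pip equality-pinning check over `pyproject.toml` and `requirements.txt` that also covers `[dependency-groups]` tables and skips self-referencing entries, as the later commits mention) can be seen together in the following PowerShell script. It is an added example, not code from this PR or from the project's `Test-DependencyPinning.ps1`; the function name `Get-PipPinningViolations`, its parameters, the sample file contents and the rejection of wildcard pins such as `==2.4.*` are assumptions made for this example.

```powershell
# Added example, not the project's Test-DependencyPinning.ps1: a minimal pip
# equality-pinning checker in the shape the PR describes. Function, parameter
# and file names are assumptions; the rules (only == accepted, self-referencing
# entries skipped, [dependency-groups] scanned) follow the PR text.

function Get-PipPinningViolations {
    [CmdletBinding()]
    param(
        [string[]] $Lines = @(),                    # file content, one element per line
        [string] $FileName = 'requirements.txt'     # *.toml switches on pyproject parsing
    )

    $violations = [System.Collections.Generic.List[string]]::new()
    $isToml = $FileName -like '*.toml'
    $table = ''            # current TOML table, e.g. project or dependency-groups
    $collecting = $false   # inside a dependency array such as dependencies = [ ... ]
    $projectName = ''      # read from [project] name = "..." to skip self-references
    $lineNo = 0

    foreach ($raw in $Lines) {
        $lineNo++
        # Drop trailing comments and whitespace ('#' inside a URL fragment is not handled)
        $line = ($raw -replace '#.*$', '').Trim()
        if (-not $line) { continue }

        if ($isToml) {
            if ($line -match '^\[(.+)\]$') {
                $table = $Matches[1]
                $collecting = $false
                continue
            }
            if ($table -eq 'project' -and $line -match '^name\s*=\s*"([^"]+)"') {
                $projectName = $Matches[1]
                continue
            }
            if (-not $collecting) {
                # Only arrays that actually hold pip specifiers are scanned
                if ($line -match '^([\w-]+)\s*=\s*\[') {
                    $key = $Matches[1]
                    $collecting = ($table -eq 'dependency-groups') -or
                                  ($table -eq 'project.optional-dependencies') -or
                                  ($table -eq 'project' -and $key -eq 'dependencies')
                }
                if (-not $collecting) { continue }
            }
            # Inline tables such as {include-group = "lint"} are group references, not specs
            $body = $line -replace '\{[^}]*\}', ''
            $specs = [regex]::Matches($body, '"([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
            # A closing bracket outside quotes ends the array ("pkg[extra]==1.0" must not end it)
            if (($body -replace '"[^"]*"', '') -match '\]') { $collecting = $false }
        }
        else {
            # requirements.txt: options such as -r or --index-url are not dependencies
            if ($line.StartsWith('-')) { continue }
            $specs = @($line)
        }

        foreach ($spec in $specs) {
            # Distribution name: everything before the first extra, operator, marker or URL
            $name = ($spec -split '[\[<>=!~ ;@]', 2)[0]
            if (-not $name) { continue }
            if ($projectName -and $name -ieq $projectName) { continue }   # self-reference
            # Accept exactly one == with a concrete version; ranges, ~=, >=, bare names and
            # wildcard pins like ==2.4.* are reported (wildcard rejection is this example's
            # choice, not something the PR states)
            if ($spec -notmatch '^[\w.-]+(\[[^\]]*\])?==[0-9][\w.+!-]*(\s*;.*)?$') {
                $violations.Add("${FileName}:${lineNo}: '$spec' is not equality-pinned")
            }
        }
    }
    return ,$violations.ToArray()
}

# Dot-source guard (a common PowerShell idiom): when Pester loads this file with
# `. ./script.ps1` to reach the function, stop here with `return`. An `exit 1` at
# this point would terminate the host that sourced the file, which is the failure
# mode the PR describes.
if ($MyInvocation.InvocationName -eq '.') { return }

# Constructed sample inputs (not files from the repository)
$pyproject = @'
[project]
name = "viewer-backend"
dependencies = [
    "numpy==2.4.1",
    "azure-identity>=1.23.0",
    "viewer-backend",
]

[dependency-groups]
dev = [
    "pytest~=8.3",
    {include-group = "lint"},
]
lint = ["ruff==0.11.2"]
'@ -split "`r?`n"

$requirements = @'
-r base.txt
requests==2.33.1
mlflow>=3.9.0
flask
'@ -split "`r?`n"

$found = @(Get-PipPinningViolations -Lines $pyproject -FileName 'pyproject.toml') +
         @(Get-PipPinningViolations -Lines $requirements -FileName 'requirements.txt')
$found | ForEach-Object { Write-Output $_ }
# Non-zero exit so a CI job fails when any unpinned specifier is present
if ($found.Count -gt 0) { exit 1 }
```

Run directly, the script prints one line per unpinned specifier and exits non-zero; dot-sourced from a Pester `BeforeAll`, it defines the function and returns before the sample run, which is the behaviour the guard fix restores. The sample `pyproject.toml` deliberately contains one range specifier, one compatible-release specifier and one self-reference; the sample `requirements.txt` contains one range specifier and one bare name.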

…ot config

- fix lodash prototype pollution CVE via overrides in root, frontend, docusaurus
- add qs override to resolve CVE in docusaurus express dependency chain
- pin all 6 pyproject.toml files to == equality versions
- pin all 3 package.json files to exact resolved versions
- regenerate all lockfiles (3 uv.lock, 3 package-lock.json)
- repair dependabot.yml from 7 broken entries to 14 valid ecosystem entries
- fix scanner dot-source guard to use return instead of exit 1 for Pester compat
- add pip fixture files for pinned/unpinned pyproject.toml and requirements.txt

🔒 - Generated by Copilot
@WilliamBerryiii WilliamBerryiii requested a review from a team as a code owner April 5, 2026 01:07
@github-actions (Contributor)

github-actions Bot commented Apr 5, 2026

Dependency Review

The following issues were found:

  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 38 package(s) with unknown licenses.
  • ⚠️ 5 packages with OpenSSF Scorecard issues.


@codecov-commenter

codecov-commenter commented Apr 5, 2026

Codecov Report

❌ Patch coverage is 96.11650% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.48%. Comparing base (6ec7f19) to head (028c02d).
⚠️ Report is 38 commits behind head on main.

Files with missing lines (patch %, lines missing):
scripts/security/Test-DependencyPinning.ps1: 96.11%, 4 missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #391      +/-   ##
==========================================
+ Coverage   50.27%   50.48%   +0.20%     
==========================================
  Files         267      267              
  Lines       18099    18188      +89     
  Branches     1903     1855      -48     
==========================================
+ Hits         9100     9182      +82     
- Misses       8709     8716       +7     
  Partials      290      290              
Flag: coverage Δ (*carryforward flag)
pester: 81.21% <96.11%> (+0.28%) ⬆️
pytest: 6.89% <ø> (ø), carried forward from 034f403
pytest-dataviewer: 61.97% <ø> (ø)
vitest: 50.72% <ø> (ø)

*This pull request uses carry forward flags.

Files with missing lines (coverage Δ):
scripts/security/Test-DependencyPinning.ps1: 78.11% <96.11%> (+3.71%) ⬆️

Bill Berry added 4 commits April 5, 2026 09:55
- add 3 lodash@4.17.21 GHSAs to dependency-review allow list (no upstream fix)
- pin evaluation Docker requirements to exact == versions
- skip self-referencing package entries in pyproject.toml scanner

🔒 - Generated by Copilot
- upgrade mlflow from 3.1.1 to 3.9.0 in Docker eval requirements
- fixes 3 critical and 2 high severity mlflow vulnerabilities
- 3.9.0 is latest compatible with azureml-mlflow 1.62.0.post2

🔒 - Generated by Copilot
- bump requests from 2.31.0 to 2.32.3 in all 4 Pester test fixtures
- resolves GHSA-9wx4-h78v-vm56, GHSA-9hjg-9r4m-mvj7, GHSA-gc5v-m9x4-r6x2

🔒 - Generated by Copilot
- bump requests from 2.32.3 to 2.33.1 in all four pip fixture files
- resolves GHSA-9hjg-9r4m-mvj7 (.netrc credentials leak)
- resolves GHSA-gc5v-m9x4-r6x2 (insecure temp file reuse)

🔒 - Generated by Copilot
…support

- replace grouped comments with per-GHSA inline comments including CVE IDs
- add [dependency-groups] section detection to Test-DependencyPinning.ps1
- add pip fixture files and Pester tests for dependency-groups pinning

🔒 - Generated by Copilot
@WilliamBerryiii WilliamBerryiii force-pushed the fix/cve-remediation-dependabot-config branch from 7ecf5e3 to 2d1698b Compare April 7, 2026 01:21
WilliamBerryiii and others added 3 commits April 6, 2026 19:39
- keep equality-pinned versions over Dependabot range operators from #394

🔀 - Generated by Copilot
…on for pinning scan

- add GHSA-7qhf-v65m-g5f3 (mlflow unauthenticated job endpoints) to dependency-review allow-list
- add exclude-paths input to dependency-pinning-scan.yml wired to ExcludePaths parameter
- exclude test fixture paths in pr-validation.yml and main.yml callers

🔒 - Generated by Copilot
…ependabot-config

# Conflicts:
#	data-management/viewer/frontend/package-lock.json
#	data-management/viewer/frontend/package.json
@WilliamBerryiii WilliamBerryiii merged commit 0c29148 into main Apr 7, 2026
31 checks passed
@WilliamBerryiii WilliamBerryiii deleted the fix/cve-remediation-dependabot-config branch April 7, 2026 17:35
WilliamBerryiii pushed a commit that referenced this pull request Apr 8, 2026
🤖 I have created a release *beep* *boop*
---


## [0.6.0](v0.5.0...v0.6.0) (2026-04-08)


### ✨ Features

* **build:** add terraform-docs generation pipeline
([#378](#378))
([78e90d0](78e90d0))
* **infrastructure:** enable optional AML diagnostic logs
([#400](#400))
([58dd8db](58dd8db))
* **scripts:** consolidate scripts library paths and enhance dataviewer
([#383](#383))
([176d9c9](176d9c9))


### 🐛 Bug Fixes

* **build:** remediate CVEs, enforce equality pinning, repair Dependabot
config
([#391](#391))
([0c29148](0c29148))
* **infrastructure:** add Storage File Data Privileged Contributor role
for ML identity
([#380](#380))
([378f7ed](378f7ed))
* **infrastructure:** replace hardcoded NAT Gateway availability zones
with variable
([#356](#356))
([a1397bd](a1397bd))
* **infrastructure:** resolve TFLint violations and enable hard-fail
([#376](#376))
([dfb55cd](dfb55cd))
* **scripts:** add dot-source guard to Invoke-MsDateFreshnessCheck.ps1
([#397](#397))
([f6f22c3](f6f22c3))
* **training:** validate AzureML and OSMO RL submissions end to end
([#372](#372))
([49904d3](49904d3))


### 📚 Documentation

* **infrastructure:** add terraform-docs tooling and improve developer
experience
([#365](#365))
([a0fb03a](a0fb03a))
* **reference:** centralize workflow template docs and convert workflow
READMEs to pointer index
([#379](#379))
([68097e4](68097e4))


### 🔧 Miscellaneous

* **deps-dev:** bump the npm_and_yarn group across 1 directory with 2
updates
([#374](#374))
([d848c8b](d848c8b))
* **deps-dev:** bump vite from 6.4.1 to 6.4.2 in
/data-management/viewer/frontend in the npm_and_yarn group across 1
directory
([#395](#395))
([6ec7f19](6ec7f19))
* **deps:** bump the github-actions group across 1 directory with 7
updates
([#370](#370))
([4d1b951](4d1b951))
* **deps:** bump the uv group across 2 directories with 1 update
([#373](#373))
([ba66ed9](ba66ed9))


### 🔒 Security

* **deps-dev:** bump brace-expansion from 1.1.12 to 1.1.13 in
/docs/docusaurus in the npm_and_yarn group across 1 directory
([#389](#389))
([27129d9](27129d9))
* **deps-dev:** bump the npm_and_yarn group across 2 directories with 2
updates
([#363](#363))
([aeae624](aeae624))
* **deps-dev:** bump the python-dependencies group with 5 updates
([#403](#403))
([bb85560](bb85560))
* **deps:** bump cryptography from 46.0.5 to 46.0.6 in /training/rl
([#367](#367))
([a82dd68](a82dd68))
* **deps:** bump the inference-dependencies group in /evaluation with 2
updates
([#401](#401))
([c88d253](c88d253))
* **deps:** bump the pip group across 4 directories with 2 updates
([#411](#411))
([1230fe0](1230fe0))
* **deps:** bump the training-dependencies group across 1 directory with
67 updates
([#375](#375))
([8e05172](8e05172))
* **deps:** bump the uv group across 2 directories with 1 update
([#382](#382))
([b6c7aea](b6c7aea))
* **deps:** update marshmallow requirement from <4.3.0,>=3.5 to
>=3.5,<4.4.0 in /evaluation in the inference-dependencies group
([#393](#393))
([599c7eb](599c7eb))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: physical-ai-toolchain-release[bot] <267194360+physical-ai-toolchain-release[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>


Development

Successfully merging this pull request may close these issues.

Fix open CVEs and repair Dependabot configuration

4 participants