Skip to content

fix(build): remediate CVEs, enforce equality pinning, repair Dependabot config #391

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
WilliamBerryiii merged 10 commits into from
Apr 7, 2026
Merged

fix(build): remediate CVEs, enforce equality pinning, repair Dependabot config #391

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
0947d69
fix(build): remediate CVEs, enforce equality pinning, repair Dependab…
Apr 4, 2026
f7b3bcf
fix(build): resolve dependency review and pinning scan CI failures
Apr 5, 2026
1ac8b1b
fix(build): upgrade mlflow to 3.9.0 to resolve 7 CVEs
Apr 6, 2026
b6d32b6
fix(build): upgrade requests in test fixtures to resolve CVEs
Apr 6, 2026
c22a59c
fix(build): upgrade requests to 2.33.1 in test fixtures
Apr 6, 2026
97104e2
Merge remote-tracking branch 'origin/main' into fix/cve-remediation-d…
WilliamBerryiii Apr 6, 2026
2d1698b
security(build): add per-GHSA comments and dependency-groups scanner …
WilliamBerryiii Apr 7, 2026
519811e
fix(build): resolve merge conflict in training/rl/pyproject.toml
WilliamBerryiii Apr 7, 2026
034f403
security(build): add mlflow GHSA allow-list entry and fixture exclusi…
WilliamBerryiii Apr 7, 2026
028c02d
Merge remote-tracking branch 'origin/main' into fix/cve-remediation-d…
Apr 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 36 additions & 14 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,25 @@
version: 2
updates:
# npm dependencies for root tooling
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
groups:
root-npm-dependencies:
patterns:
- "*"
labels:
- "dependencies"
- "npm"
commit-message:
prefix: "chore"
include: "scope"

# Python dependencies
- package-ecosystem: "pip"
- package-ecosystem: "uv"
directory: "/"
schedule:
interval: "weekly"
Expand Down Expand Up @@ -129,23 +147,28 @@ updates:
prefix: "chore"
include: "scope"

# Docker base images for AzureML workflows
- package-ecosystem: "docker"
directory: "/workflows/azureml"
# Python dependencies for dataviewer
- package-ecosystem: "uv"
directory: "/data-management/viewer"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
groups:
dataviewer-dependencies:
patterns:
- "*"
labels:
- "dependencies"
- "docker"
- "python"
- "dataviewer"
commit-message:
prefix: "chore"
include: "scope"

# Python dependencies for dataviewer backend
- package-ecosystem: "pip"
directory: "/src/dataviewer/backend"
- package-ecosystem: "uv"
directory: "/data-management/viewer/backend"
schedule:
interval: "weekly"
day: "monday"
Expand All @@ -164,7 +187,7 @@ updates:

# npm dependencies for dataviewer frontend
- package-ecosystem: "npm"
directory: "/src/dataviewer/frontend"
directory: "/data-management/viewer/frontend"
schedule:
interval: "weekly"
day: "monday"
Expand All @@ -181,21 +204,20 @@ updates:
prefix: "chore"
include: "scope"

# Python dependencies for LeRobot inference
- package-ecosystem: "pip"
directory: "/workflows/azureml"
# npm dependencies for Docusaurus
- package-ecosystem: "npm"
directory: "/docs/docusaurus"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
groups:
lerobot-inference-dependencies:
docusaurus-dependencies:
patterns:
- "*"
labels:
- "dependencies"
- "python"
- "inference"
- "npm"
commit-message:
prefix: "chore"
include: "scope"
Expand Down
12 changes: 11 additions & 1 deletion .github/workflows/dependency-pinning-scan.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ on:
description: 'Comma-separated list of dependency types to check'
required: false
type: string
default: 'github-actions'
default: 'github-actions,npm,pip,shell-downloads'
soft-fail:
description: 'Whether to continue on compliance violations'
required: false
Expand All @@ -28,6 +28,11 @@ on:
required: false
type: boolean
default: true
exclude-paths:
description: 'Comma-separated glob patterns for paths to exclude from scanning'
required: false
type: string
default: ''
outputs:
compliance-score:
description: 'Compliance score percentage'
Expand Down Expand Up @@ -94,6 +99,11 @@ jobs:
$params['Threshold'] = [int]'${{ inputs.threshold }}'
}

# Pass exclude paths to script
if ('${{ inputs.exclude-paths }}') {
$params['ExcludePaths'] = '${{ inputs.exclude-paths }}'
}

# Run validation script (JSON format)
& scripts/security/Test-DependencyPinning.ps1 @params
$jsonExitCode = $LASTEXITCODE
Expand Down
18 changes: 14 additions & 4 deletions .github/workflows/dependency-review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,12 +26,22 @@ jobs:
with:
fail-on-severity: moderate
comment-summary-in-pr: always
# mlflow <3.0.0 required by azureml-mlflow; these are server-side/model-loading vulns not applicable to client-only usage
# GHSA-w8v5-vhqr-4h9v: diskcache unsafe pickle — no upstream fix; exploitable only with write access to local cache directory
# onnx: GHSA-hqmj-h5c6-369m is in onnx.hub.load() (Model Zoo downloads); this repo uses onnx only for model serialization via rsl-rl-lib, no fix released yet
# GHSA-w8v5-vhqr-4h9v: diskcache — unsafe pickle deserialization allows RCE with cache write access; no upstream fix (CVE-2025-69872)
# GHSA-wf7f-8fxf-xfxc: mlflow — unsafe deserialization of malicious PyTorch models; no upstream fix; server-side/model-loading only (CVE-2024-37059)
# GHSA-pgqp-8h46-6x4j: mlflow — DNS rebinding via missing Origin header validation; fixed in 3.5.0; azureml-mlflow constrains mlflow<3.0.0 (CVE-2025-14279)
# GHSA-4x5p-f36r-mxxr: mlflow — world-writable temp dir enables race-condition RCE; fixed in 3.4.0; azureml-mlflow constrains mlflow<3.0.0 (CVE-2025-10279)
# GHSA-hqmj-h5c6-369m: onnx — hub.load() suppresses trust warnings; no fix released; repo uses onnx for model serialization only (CVE-2026-28500)
# GHSA-r5fr-rjxr-66jc: lodash — code injection via _.template; fixed in 4.18.0 (unreleased on npm); transitive Docusaurus dep at 4.17.21 (CVE-2026-4800)
# GHSA-xxjr-mmjv-4gpg: lodash — prototype pollution in _.unset/_.omit; fixed in 4.17.23 (unreleased on npm); transitive Docusaurus dep at 4.17.21 (CVE-2025-13465)
# GHSA-f23m-r3pf-42rh: lodash — array-path bypass re-enables prototype pollution; fixed in 4.18.0 (unreleased on npm); transitive Docusaurus dep at 4.17.21 (CVE-2026-2950)
# GHSA-7qhf-v65m-g5f3: mlflow — unauthenticated FastAPI job endpoints under /ajax-api/3.0/jobs/*; no upstream fix; server-side only (CVE-2026-0545)
allow-ghsas: >-
GHSA-w8v5-vhqr-4h9v,
GHSA-wf7f-8fxf-xfxc,
GHSA-pgqp-8h46-6x4j,
GHSA-4x5p-f36r-mxxr,
GHSA-hqmj-h5c6-369m
GHSA-hqmj-h5c6-369m,
GHSA-r5fr-rjxr-66jc,
GHSA-xxjr-mmjv-4gpg,
GHSA-f23m-r3pf-42rh,
GHSA-7qhf-v65m-g5f3
1 change: 1 addition & 0 deletions .github/workflows/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,7 @@ jobs:
security-events: write # Required for SARIF upload to Security tab
with:
upload-sarif: true
exclude-paths: 'scripts/tests/Fixtures/**,shared/ci/tests/Fixtures/**'

# PowerShell Pester test execution
pester-tests:
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/pr-validation.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,7 @@ jobs:
security-events: write # Required for SARIF upload to Security tab
with:
upload-sarif: true
exclude-paths: 'scripts/tests/Fixtures/**,shared/ci/tests/Fixtures/**'

# PowerShell Pester test execution
pester-tests:
Expand Down
55 changes: 29 additions & 26 deletions data-management/viewer/backend/pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,50 +4,50 @@ version = "0.1.0"
description = "API for LeRobot episode annotation system"
requires-python = ">=3.11"
dependencies = [
"fastapi>=0.115.0",
"uvicorn[standard]>=0.34.0",
"pydantic>=2.10.0",
"python-multipart>=0.0.18",
"python-dotenv>=1.0.0",
"aiofiles>=24.1.0",
"numpy>=2.2.0",
"pyarrow>=18.1.0",
"Pillow>=10.0.0",
"fastapi==0.133.0",
"uvicorn[standard]==0.41.0",
"pydantic==2.12.5",
"python-multipart==0.0.22",
"python-dotenv==1.2.1",
"aiofiles==25.1.0",
"numpy==2.4.2",
"pyarrow==23.0.1",
"Pillow==12.1.1",
]

[project.optional-dependencies]
dev = [
"ruff>=0.8.0",
"pytest>=8.3.0",
"pytest-asyncio>=0.24.0",
"pytest-cov>=6.0.0",
"httpx>=0.28.0",
"schemathesis>=4.0.0",
"ruff==0.15.2",
"pytest==9.0.2",
"pytest-asyncio==1.3.0",
"pytest-cov==7.1.0",
"httpx==0.28.1",
"schemathesis==4.14.3",
]
azure = [
"aiohttp>=3.13.3,<4.0.0",
"azure-storage-blob>=12.24.0",
"azure-identity>=1.19.0",
"aiohttp==3.13.4",
"azure-storage-blob==12.28.0",
"azure-identity==1.25.2",
]
analysis = [
"scipy>=1.14.0",
"scikit-learn>=1.6.0",
"pandas>=2.2.0",
"scipy==1.17.1",
"scikit-learn==1.8.0",
"pandas==3.0.1",
]
huggingface = [
"huggingface-hub>=0.27.0",
"huggingface-hub==1.4.1",
]
auth = [
"pyjwt[crypto]>=2.12.0",
"pyjwt[crypto]==2.12.1",
]
hdf5 = [
"h5py>=3.12.0",
"h5py==3.15.1",
]
export = [
"h5py>=3.12.0",
"h5py==3.15.1",
]
yolo = [
"ultralytics>=8.3.0",
"ultralytics==8.4.16",
]

[build-system]
Expand All @@ -70,6 +70,9 @@ ignore = [
[tool.ruff.lint.isort]
known-first-party = ["backend"]

[tool.uv]
constraint-dependencies = ["pygments==2.20.0"]

[tool.pytest.ini_options]
asyncio_mode = "auto"
testpaths = ["tests"]
Loading
Loading