
Aggregate Dependabot security fixes: cryptography, otel, lodash#2662

Merged
AndreKurait merged 4 commits intomainfrom
dependabot/pip/migrationConsole/lib/console_link/cryptography-46.0.7
Apr 15, 2026

Conversation

@dependabot dependabot Bot commented on behalf of github Apr 8, 2026

Aggregated Dependabot Security Fixes

This PR combines multiple Dependabot vulnerability fixes into a single PR.

Vulnerabilities Addressed

| Alert | Package | Severity | Ecosystem | Fix |
|---|---|---|---|---|
| #390 | cryptography | Moderate | pip | 46.0.6 → 46.0.7 |
| #386 | go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp | Moderate | Go | 1.40.0 → 1.43.0 |
| #387 | go.opentelemetry.io/otel/sdk | High | Go | Already at 1.43.0 on main (merged via #2660); otlptracehttp bump pulls matching transitive deps |
| #381 | lodash | High | npm | 4.17.23 → 4.18.1 |
| #380 | lodash | Moderate | npm | 4.17.23 → 4.18.1 |

Files Changed

  • migrationConsole/lib/console_link/Pipfile.lock — cryptography bump
  • AIAdvisor/opensearch-pricing-calculator/go.mod / go.sum — otel/otlptracehttp bump + transitive deps
  • orchestrationSpecs/package-lock.json — lodash bump

Supersedes

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python Pull requests that update Python code labels Apr 8, 2026
@dependabot dependabot Bot had a problem deploying to migrations-cicd April 8, 2026 20:23 Failure

codecov Bot commented Apr 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.46%. Comparing base (cdacaad) to head (0752c50).
⚠️ Report is 50 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main    #2662      +/-   ##
============================================
+ Coverage     73.43%   73.46%   +0.02%     
  Complexity      106      106              
============================================
  Files           721      721              
  Lines         33368    33441      +73     
  Branches       2910     2918       +8     
============================================
+ Hits          24504    24566      +62     
- Misses         7533     7535       +2     
- Partials       1331     1340       +9     
| Flag | Coverage Δ |
|---|---|
| gradle | 69.89% <ø> (+0.04%) ⬆️ |
| node | 90.97% <ø> (ø) |
| python | 77.77% <ø> (ø) |


@AndreKurait AndreKurait left a comment

Dependabot dependency update — auto-approved.

@AndreKurait AndreKurait left a comment

Auto-approved dependabot update.

@AndreKurait AndreKurait left a comment

Dependabot dependency update — auto-approved.

@AndreKurait AndreKurait left a comment

Dependabot dependency update — auto-approved.

@AndreKurait

@dependabot recreate

@AndreKurait AndreKurait enabled auto-merge April 14, 2026 14:36
@dependabot dependabot Bot force-pushed the dependabot/pip/migrationConsole/lib/console_link/cryptography-46.0.7 branch from 5b73a37 to 5cf03e4 April 14, 2026 14:38
@AndreKurait

@dependabot recreate

@dependabot dependabot Bot force-pushed the dependabot/pip/migrationConsole/lib/console_link/cryptography-46.0.7 branch from 5cf03e4 to 51cc6f0 April 14, 2026 15:58
dependabot Bot and others added 3 commits April 14, 2026 19:53
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.6 to 46.0.7.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.6...46.0.7)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Andre Kurait <andrekurait@gmail.com>
Bumps [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://github.com/open-telemetry/opentelemetry-go) from 1.40.0 to 1.43.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.40.0...v1.43.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  dependency-version: 1.43.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Fixes:
- Code Injection via `_.template` imports key names (High)
- Prototype Pollution via array path bypass in `_.unset` and `_.omit` (Moderate)

Signed-off-by: Andre Kurait <andrekurait@gmail.com>
@AndreKurait AndreKurait force-pushed the dependabot/pip/migrationConsole/lib/console_link/cryptography-46.0.7 branch from 51cc6f0 to 2f00cac April 14, 2026 20:01
@AndreKurait AndreKurait changed the title Bump cryptography from 46.0.6 to 46.0.7 in /migrationConsole/lib/console_link Aggregate Dependabot security fixes: cryptography, otel, lodash Apr 14, 2026
CI uses pipenv==2026.5.0 which computes Pipfile hashes using PEP 503
canonicalized package names, producing a different hash than the plette
library used by Dependabot. Update the _meta.hash to match pipenv's
computation.

Signed-off-by: Andre Kurait <andrekurait@gmail.com>
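The hash mismatch described in the commit above comes from two tools hashing the same Pipfile with differently spelled package names. The following is an added illustration, not code from pipenv, plette or this repository: it applies PEP 503 canonicalization to the package names before hashing and shows why a lock file written by one tool fails the other's check. The JSON layout hashed here (sources/requires/default/develop, compact key-sorted JSON, SHA-256) is an assumption about the Pipfile hash format; the sample Pipfile is constructed.

```python
# Added example (not from the PR or pipenv/plette): how PEP 503 canonicalization
# changes a Pipfile hash. The hashed layout is an assumption about the format;
# confirm against the pipenv and plette sources before relying on it in CI.
import hashlib
import json
import re


# PEP 503: collapse runs of '-', '_' and '.' into a single '-' and lowercase.
def canonicalize_name(name: str) -> str:
    return re.sub(r"[-_.]+", "-", name).lower()


def pipfile_hash(pipfile: dict, canonicalize: bool) -> str:
    """SHA-256 over the dependency-defining parts of a Pipfile (assumed layout)."""
    def section(sec: dict) -> dict:
        if not canonicalize:
            return sec
        return {canonicalize_name(k): v for k, v in sec.items()}

    data = {
        "_meta": {"sources": pipfile.get("source", []),
                  "requires": pipfile.get("requires", {})},
        "default": section(pipfile.get("packages", {})),
        "develop": section(pipfile.get("dev-packages", {})),
    }
    content = json.dumps(data, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def classify_lock_hash(pipfile: dict, lock_hash: str) -> str:
    """Tell which name treatment a recorded _meta.hash matches, or 'stale' if neither."""
    if lock_hash == pipfile_hash(pipfile, canonicalize=True):
        return "canonicalized"
    if lock_hash == pipfile_hash(pipfile, canonicalize=False):
        return "raw"
    return "stale"


# Constructed sample Pipfile (already parsed to a dict) with non-canonical names.
SAMPLE_PIPFILE = {
    "source": [{"name": "pypi", "url": "https://pypi.org/simple", "verify_ssl": True}],
    "requires": {"python_version": "3.11"},
    "packages": {"Requests": "*", "Cryptography": ">=46.0.7"},
    "dev-packages": {},
}

if __name__ == "__main__":
    raw = pipfile_hash(SAMPLE_PIPFILE, canonicalize=False)
    canon = pipfile_hash(SAMPLE_PIPFILE, canonicalize=True)
    print("raw names:         ", raw)
    print("canonicalized:     ", canon)
    print("raw lock hash is:  ", classify_lock_hash(SAMPLE_PIPFILE, raw))
```

A lock file whose `_meta.hash` classifies as "raw" will be rejected by a tool that canonicalizes, and vice versa, even though the dependency set is identical; only a "stale" result means the Pipfile itself changed.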
@AndreKurait AndreKurait merged commit bfdeb55 into main Apr 15, 2026
73 checks passed
@dependabot dependabot Bot deleted the dependabot/pip/migrationConsole/lib/console_link/cryptography-46.0.7 branch April 15, 2026 14:38
AndreKurait added a commit to AndreKurait/opensearch-migrations that referenced this pull request Apr 15, 2026
…pendabot/pip/migrationConsole/lib/console_link/cryptography-46.0.7

Bump cryptography from 46.0.6 to 46.0.7 in /migrationConsole/lib/console_link