
fix(deps): bump pytest, pygments, and vite to patch security alerts #191

Merged
vredchenko merged 1 commit into main from fix/security-alerts-deps-bump
Apr 18, 2026

Conversation

Collaborator

@vredchenko vredchenko commented Apr 18, 2026

Summary

Closes all seven open alerts in code scanning via lockfile bumps.

| Package | From | To | CVE(s) | Lockfile(s) |
|---|---|---|---|---|
| pytest | 9.0.2 | 9.0.3 | CVE-2025-71176 (tmpdir handling) | packages/smartem-epuplayer/uv.lock, packages/smartem-workspace/uv.lock |
| pygments | 2.19.2 | 2.20.0 | CVE-2026-4539 (ReDoS GUID matcher) | packages/smartem-epuplayer/uv.lock, packages/smartem-workspace/uv.lock |
| vite | 8.0.0 | 8.0.8 | CVE-2026-39363, CVE-2026-39364, CVE-2026-39365 (dev-server path traversal / fs.deny bypass) | webui/package-lock.json (declared constraint raised to ^8.0.8) |

Test plan

  • npm run typecheck in webui/ passes
  • uv run pytest passes in packages/smartem-epuplayer (12 tests)
  • uv run pytest passes in packages/smartem-workspace (16 tests)
  • CI green

Addresses open code-scanning alerts:
- pytest 9.0.2 -> 9.0.3 (CVE-2025-71176: vulnerable tmpdir handling)
- pygments 2.19.2 -> 2.20.0 (CVE-2026-4539: ReDoS in GUID matcher)
- vite 8.0.0 -> 8.0.8 (CVE-2026-39363/39364/39365: dev-server path traversal and fs.deny bypass)

All impacted lockfiles regenerated and test suites re-run.
github-actions bot added labels smartem-devtools:webui (Developer dashboard web interface), component:epuplayer (EPUPlayer filesystem recording and replay tool), component:smartem-workspace (smartem-workspace CLI tool for multi-repo management) on Apr 18, 2026
@vredchenko
Collaborator Author

- [CVE-2026-39364: Vite: `server.fs.deny` bypassed with queries](https://github.com/DiamondLightSource/smartem-devtools/security/code-scanning/15) (High, #15, opened 2 weeks ago, detected by osv-scanner in webui/package-lock.json, branch main)
- [CVE-2026-39363: Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket](https://github.com/DiamondLightSource/smartem-devtools/security/code-scanning/12) (High, #12, opened 2 weeks ago, detected by osv-scanner in webui/package-lock.json, branch main)
- [CVE-2025-71176: pytest has vulnerable tmpdir handling](https://github.com/DiamondLightSource/smartem-devtools/security/code-scanning/17) (Medium, #17, opened 5 days ago, detected by osv-scanner in packages/smartem-workspace/uv.lock, branch main)
- [CVE-2025-71176: pytest has vulnerable tmpdir handling](https://github.com/DiamondLightSource/smartem-devtools/security/code-scanning/16) (Medium, #16, opened 5 days ago, detected by osv-scanner in packages/smartem-epuplayer/uv.lock, branch main)
- [CVE-2026-39365: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling](https://github.com/DiamondLightSource/smartem-devtools/security/code-scanning/14) (Medium, #14, opened 2 weeks ago, detected by osv-scanner in webui/package-lock.json, branch main)
- [CVE-2026-4539: Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching](https://github.com/DiamondLightSource/smartem-devtools/security/code-scanning/4) (Low, #4, opened last month, detected by osv-scanner in packages/smartem-workspace/uv.lock, branch main)
- [CVE-2026-4539: Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching](https://github.com/DiamondLightSource/smartem-devtools/security/code-scanning/3) (Low, #3, opened last month, detected by osv-scanner in packages/smartem-epuplayer/uv.lock, branch main)

@vredchenko vredchenko merged commit dfa1331 into main Apr 18, 2026
22 checks passed
@vredchenko vredchenko deleted the fix/security-alerts-deps-bump branch April 18, 2026 20:47