OPS-951: add Dependabot config + bump 4 transitive pins past known CVEs#7
Phase 1 supply-chain hardening. Two-part change:

1) `.github/dependabot.yml` — weekly pip updates with 7-day cooldown across default / semver-major / semver-minor / semver-patch categories. Scoped to `/gsuite` (the only Python directory; `/o365` is PowerShell).

2) `gsuite/requirements.txt` — bump four packages from versions that have currently-applicable advisories in the OSV/GHSA databases to the lowest version >= current that's advisory-clean. Selected automatically by `resolve_pins.py` (OPS-951 Recipe v2 tooling):
- protobuf 5.28.3 → 5.29.6 (GHSA-7gcm-g887-7qv7, GHSA-8qvm-5x2c-j2w7)
- pyasn1 0.6.1 → 0.6.3 (GHSA-63vm-454h-vhhq, GHSA-jr27-m4p2-rc6r)
- requests 2.32.3 → 2.33.0 (GHSA-9hjg-9r4m-mvj7, GHSA-gc5v-m9x4-r6x2)
- urllib3 2.2.3 → 2.7.0 (6 advisories, see GHSA database)

All bumps are within the same major version line (no breaking-API risk flagged by the resolver). Other 28 pins in the file were left untouched — they were already exact-pinned and OSV-clean at the time of the audit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
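For reference, this is what a Dependabot v2 file matching the description above looks like. It is an added example reconstructed from the PR text, not the file committed in this PR; the inline comments are the editor's and the file itself contains only keys the description names.

```yaml
# .github/dependabot.yml (added example reconstructed from the PR description, not the PR's own file)
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/gsuite"            # only Python directory in the repo; /o365 is PowerShell, not covered
    schedule:
      interval: "weekly"
    cooldown:                       # hold each new release for 7 days before proposing it
      default-days: 7
      semver-major-days: 7
      semver-minor-days: 7
      semver-patch-days: 7
```

Dependabot reads the pinned `requirements.txt` under `/gsuite` and opens one PR per outdated pin once the release has aged past the cooldown. That cooldown is exactly why the four advisory-bearing pins are bumped by hand in the same PR: left to the schedule, the first update cycle would not propose them for at least seven days.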
✅ Snyk checks have passed. No issues have been found so far.
📝 Walkthrough: This PR establishes automated dependency management for the gsuite package. A new Dependabot v2 configuration file defines a weekly update schedule targeting the pip ecosystem under
🚥 Pre-merge checks: 5 passed.
⚠️ Review ran into problems: Git: Failed to clone repository.
Actionable comments posted: 2
Inline comments:
In @.github/dependabot.yml:
- Around line 1-11: This PR is missing the required JIRA ticket link in the
description; add the JIRA URL to this PR's description now, and to prevent
future misses create or update the repository PULL_REQUEST_TEMPLATE.md to
include a mandatory "JIRA Ticket / Link" field so automated updates (e.g., from
dependabot for package-ecosystem: "pip" in directory "/gsuite" in
.github/dependabot.yml) must include the ticket when opening PRs.
In `@gsuite/requirements.txt`:
- Around line 18-19: Update the dependency upgrades to ensure runtime and
resolver compatibility: verify the project's supported Python versions (confirm
if Python 3.9 support must be retained) and, if 3.9 must remain supported,
revert or pin requests and urllib3 to versions that allow Python 3.9; otherwise
update project metadata (pyproject/README/CI matrix) to require Python >=3.10.
Also check and pin pyOpenSSL >=19.0.0 if using urllib3==2.7.0, run the full
dependency resolver in CI (pip-tools/poetry lock or pip install
--use-feature=2020-resolver) and add CI matrix jobs to validate installs on
targeted Python interpreters and confirm protobuf==5.29.6 and pyasn1==0.6.3 do
not introduce incompatible transitive deps.
📒 Files selected for processing (2): `.github/dependabot.yml`, `gsuite/requirements.txt`
@coderabbitai resume
✅ Actions performed: Reviews resumed.
@coderabbitai review
✅ Actions performed: Review triggered.
Need to re-request review.
crosslake-ben left a comment
All fixed @coderabbitai
Summary
Phase 1 supply-chain hardening for OPS-951 (parent epic OPS-949). Two-part change in one PR.
1. Dependabot config
Add `.github/dependabot.yml` — weekly `pip` updates with 7-day `cooldown` across default / semver-major / semver-minor / semver-patch categories. Scoped to `/gsuite` (the only Python directory; `/o365` is PowerShell).
2. CVE-driven pin bumps in `gsuite/requirements.txt`
Four packages were pinned to versions with currently-applicable OSV/GHSA advisories. Bumping each to the lowest version ≥ current that's advisory-clean (chosen automatically by the OPS-951 Recipe v2 tool `resolve_pins.py`). All bumps stay within the same major-version line — no breaking-API surface flagged by the resolver.
- `protobuf` 5.28.3 → 5.29.6
- `pyasn1` 0.6.1 → 0.6.3
- `requests` 2.32.3 → 2.33.0
- `urllib3` 2.2.3 → 2.7.0
The other 28 pins in the file were left untouched — they were already exact-pinned and OSV-clean at the time of the audit.
Why a single PR
Combined per OPS-951 owner discretion. Dependabot adoption alone would have left the four vulnerable pins in place for at least one cooldown cycle; folding the bumps in closes that window now.
Test plan
- `pip install -r gsuite/requirements.txt` in a fresh venv resolves cleanly (no transitive conflict).
- Run `gsuite/scuba.py` (or whatever the entry point is) against a non-prod GSuite to smoke-test the resolved deps — `requests`/`urllib3` patch versions, and a `protobuf` minor bump, are the surfaces most likely to surface a runtime issue.
- `/network/dependencies` should show `pip @ /gsuite` (tracked weekly).

🤖 Generated with Claude Code
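The selection rule both the PR description and the summary above attribute to `resolve_pins.py` (lowest release ≥ the current pin, same major line, no applicable OSV/GHSA advisory; clean pins untouched) is easy to get subtly wrong, e.g. by picking the newest release rather than the lowest clean one, or by silently crossing a major boundary when nothing in the current line is clean. The block below is an added example written for this page, not the OPS-951 Recipe v2 tool; the package names, release lists and advisory ranges are constructed for illustration and are not the real GHSA entries the PR cites.

```python
"""Pin-bump selection rule: lowest release >= current pin, same major line, advisory-clean.

Added example illustrating the rule the PR attributes to resolve_pins.py; this is not
that tool. All release lists and advisory ranges below are constructed, not real data.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Dotted numeric version ("2.32.3") -> comparable tuple (2, 32, 3).
    Pre-release / local suffixes are out of scope for this example."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    id: str
    introduced: str          # first affected version, inclusive (OSV "introduced")
    fixed: Optional[str]     # first unaffected version, exclusive (OSV "fixed"); None = no fix

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


def applicable(version: str, advisories: list) -> list:
    """IDs of advisories that still apply to `version`; an empty list means advisory-clean."""
    return [a.id for a in advisories if a.affects(version)]


def resolve_pin(current: str, releases: list, advisories: list) -> Optional[str]:
    """Lowest release >= current with the same major number and no applicable advisory.
    Returns None when nothing in the major line is clean: a major bump carries
    breaking-API risk, so this rule refuses to pick one automatically."""
    cur = parse_version(current)
    candidates = sorted(
        (r for r in releases if parse_version(r) >= cur and parse_version(r)[0] == cur[0]),
        key=parse_version,
    )
    for r in candidates:
        if not applicable(r, advisories):
            return r
    return None


def bump_requirements(req_text: str, releases: dict, advisories: dict) -> tuple:
    """Rewrite `name==version` lines whose pin has an applicable advisory.
    Returns (new_text, log). Comments, unpinned lines and already-clean pins pass
    through untouched; pins with no clean release in their major line are logged
    for manual review instead of being changed."""
    out, log = [], []
    for line in req_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or "==" not in s:
            out.append(line)
            continue
        name, ver = (part.strip() for part in s.split("==", 1))
        advs = advisories.get(name, [])
        hits = applicable(ver, advs)
        if not hits:
            out.append(line)  # already exact-pinned and clean: leave it alone
            continue
        new = resolve_pin(ver, releases.get(name, []), advs)
        if new is None:
            out.append(line)
            log.append(f"{name} {ver}: MANUAL REVIEW, no clean release in major line ({', '.join(hits)})")
            continue
        out.append(f"{name}=={new}")
        log.append(f"{name} {ver} -> {new} ({', '.join(hits)})")
    return "\n".join(out) + "\n", log


# Constructed sample data: hypothetical packages, releases and advisory ranges.
SAMPLE_RELEASES = {
    "alpha": ["2.30.0", "2.31.0", "2.32.3", "2.32.4", "2.33.0", "3.0.0"],
    "beta": ["0.6.1", "0.6.2", "0.6.3"],
    "gamma": ["1.4.0", "1.4.1", "2.0.0"],
}
SAMPLE_ADVISORIES = {
    "alpha": [Advisory("ADV-1", introduced="2.0.0", fixed="2.32.4"),
              Advisory("ADV-2", introduced="2.31.0", fixed="2.33.0")],
    "beta": [Advisory("ADV-3", introduced="0.6.0", fixed="0.6.2")],
    # gamma: every 1.x release is affected; the only fix is a major bump.
    "gamma": [Advisory("ADV-4", introduced="1.0.0", fixed="2.0.0")],
}
SAMPLE_REQUIREMENTS = "# constructed requirements.txt\nalpha==2.32.3\nbeta==0.6.2\ngamma==1.4.0\ndelta==9.9.9\n"


if __name__ == "__main__":
    text, log = bump_requirements(SAMPLE_REQUIREMENTS, SAMPLE_RELEASES, SAMPLE_ADVISORIES)
    print(text)
    print("\n".join(log))
```

Two behaviours are worth checking against whatever tool actually produced the bumps: `alpha` lands on 2.33.0, not 2.32.4, because 2.32.4 clears one advisory but still sits inside the other's range, and `gamma` is reported rather than bumped because no 1.x release is clean. The second case is the one a resolver that only claims "same major line" must surface explicitly, since the fix there is a reviewed major upgrade, not a silent pin change.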