OPS-951: add Dependabot config + bump 4 transitive pins past known CVEs #7

Merged

crosslake-ben merged 1 commit into main from ops-951-supply-chain-hardening on May 20, 2026

Conversation

@crosslake-ben crosslake-ben commented May 19, 2026

Contributor

Summary

Phase 1 supply-chain hardening for OPS-951 (parent epic OPS-949). Two-part change in one PR.

1. Dependabot config

Add .github/dependabot.yml — weekly pip updates with 7-day cooldown across default / semver-major / semver-minor / semver-patch categories. Scoped to /gsuite (the only Python directory; /o365 is PowerShell).

2. CVE-driven pin bumps in gsuite/requirements.txt

Four packages were pinned to versions with currently-applicable OSV/GHSA advisories. Bumping each to the lowest version ≥ current that's advisory-clean (chosen automatically by the OPS-951 Recipe v2 tool resolve_pins.py). All bumps stay within the same major-version line — no breaking-API surface flagged by the resolver.

Package   Old      New      Advisories cleared
protobuf  5.28.3   5.29.6   GHSA-7gcm-g887-7qv7, GHSA-8qvm-5x2c-j2w7
pyasn1    0.6.1    0.6.3    GHSA-63vm-454h-vhhq, GHSA-jr27-m4p2-rc6r
requests  2.32.3   2.33.0   GHSA-9hjg-9r4m-mvj7, GHSA-gc5v-m9x4-r6x2
urllib3   2.2.3    2.7.0    GHSA-2xpw-w6gg-jr37, GHSA-38jv-5279-wg99, GHSA-48p4-8xcf-vxj5,
                            GHSA-gm62-xv2j-4w53, GHSA-pq67-6m6q-mj2v, GHSA-qccp-gfcp-xxvc

The other 28 pins in the file were left untouched — they were already exact-pinned and OSV-clean at the time of the audit.

Why a single PR

Combined per OPS-951 owner discretion. Dependabot adoption alone would have left the four vulnerable pins in place for at least one cooldown cycle; folding the bumps in closes that window now.

Test plan

  • pip install -r gsuite/requirements.txt in a fresh venv resolves cleanly (no transitive conflict).
  • Run gsuite/scuba.py (or whatever the entry point is) against a non-prod GSuite to smoke-test the resolved deps — requests/urllib3 patch versions, and a protobuf minor bump, are the surfaces most likely to surface a runtime issue.
  • Confirm Dependabot picks up the new config (/network/dependencies should show pip @ /gsuite tracked weekly).

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated core Python dependencies to latest stable versions for improved compatibility and security
    • Configured automated weekly dependency updates for continuous maintenance

Review Change Stack

Phase 1 supply-chain hardening. Two-part change:

1) .github/dependabot.yml — weekly pip updates with 7-day cooldown across
   default / semver-major / semver-minor / semver-patch categories.
   Scoped to /gsuite (the only Python directory; /o365 is PowerShell).

2) gsuite/requirements.txt — bump four packages from versions that have
   currently-applicable advisories in the OSV/GHSA databases to the
   lowest version >= current that's advisory-clean. Selected automatically
   by resolve_pins.py (OPS-951 Recipe v2 tooling):

   - protobuf  5.28.3 → 5.29.6   (GHSA-7gcm-g887-7qv7, GHSA-8qvm-5x2c-j2w7)
   - pyasn1    0.6.1  → 0.6.3    (GHSA-63vm-454h-vhhq, GHSA-jr27-m4p2-rc6r)
   - requests  2.32.3 → 2.33.0   (GHSA-9hjg-9r4m-mvj7, GHSA-gc5v-m9x4-r6x2)
   - urllib3   2.2.3  → 2.7.0    (6 advisories, see GHSA database)

All bumps are within the same major version line (no breaking-API risk
flagged by the resolver). Other 28 pins in the file were left untouched —
they were already exact-pinned and OSV-clean at the time of the audit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
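The selection rule stated in the description and the commit message (the lowest version at or above the current pin that no applicable OSV/GHSA advisory covers, with any bump that leaves the major-version line flagged for a breaking-API check), worked through as an added example. This is not the OPS-951 resolve_pins.py tool, whose source is not on this page. The package names (alpha, beta, gamma), the version lists and the ADV-nnnn advisory records are constructed in the shape of OSV ECOSYSTEM ranges so the script runs offline; a real run would fetch the ranges from the OSV API and the candidate versions from the package index.

```python
"""Lowest advisory-clean version >= the current pin, per package.

Added example, not the OPS-951 resolve_pins.py tool. Advisory records are
constructed inline in the shape of OSV "affected.ranges" entries of type
ECOSYSTEM (introduced / fixed events); a real run would fetch them from the
OSV API and the candidate versions from the package index.
"""


def parse_version(v: str) -> tuple[int, ...]:
    """Turn a plain release version such as '2.32.3' into a comparable tuple.
    Assumption: only final releases are considered; pre-release suffixes
    (e.g. '2.33.0rc1') are out of scope for this example."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, ranges: list[dict]) -> bool:
    """OSV ECOSYSTEM-range semantics: walk a range's events in version order;
    the version is affected if the last event at or below it is an
    'introduced' event. 'last_affected' events are not handled here."""
    v = parse_version(version)
    for rng in ranges:
        events = []
        for ev in rng["events"]:
            if "introduced" in ev:
                events.append((parse_version(ev["introduced"]), True))
            elif "fixed" in ev:
                events.append((parse_version(ev["fixed"]), False))
        affected = False
        for ev_version, introduced in sorted(events):
            if ev_version > v:
                break
            affected = introduced
        if affected:
            return True
    return False


def resolve_pin(package, current, available, advisories):
    """Return (new_version, crosses_major, cleared_ids).

    new_version is the lowest available version >= current that no advisory
    for the package affects (current itself, if it is already clean), or None
    if nothing in `available` is clean. crosses_major flags a bump that leaves
    the current major-version line, so a reviewer looks for breaking API
    changes instead of taking it automatically.
    """
    cur = parse_version(current)
    applicable = [a for a in advisories if a["package"] == package]
    cleared = [a["id"] for a in applicable if is_affected(current, a["ranges"])]
    for candidate in sorted(available, key=parse_version):
        if parse_version(candidate) < cur:
            continue
        if not any(is_affected(candidate, a["ranges"]) for a in applicable):
            return candidate, parse_version(candidate)[0] != cur[0], cleared
    return None, False, cleared


def resolve_requirements(lines, available, advisories):
    """Run resolve_pin over requirements.txt lines of the form 'name==version'.
    Anything that is not an exact pin is rejected: a range such as 'foo>=1.2'
    has no single version to check against the advisory data."""
    rows = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"not an exact pin: {line!r}")
        name, version = (part.strip() for part in line.split("==", 1))
        new, crosses, cleared = resolve_pin(name, version, available[name], advisories)
        rows.append((name, version, new, crosses, cleared))
    return rows


# Constructed sample data: fictitious packages, versions and advisory ids.
AVAILABLE = {
    "alpha": ["1.3.0", "1.4.0", "1.4.1", "1.4.2", "1.5.0"],
    "beta": ["0.9.0", "0.9.1", "0.9.2", "1.0.0"],
    "gamma": ["3.1.0", "3.1.1"],
}
ADVISORIES = [
    # alpha: 1.4.1 fixes only the first advisory, 1.4.2 fixes both.
    {"id": "ADV-0001", "package": "alpha", "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.4.1"}]}]},
    {"id": "ADV-0002", "package": "alpha", "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "1.3.0"}, {"fixed": "1.4.2"}]}]},
    # beta: fixed in 0.9.1, regressed in 0.9.2, fixed again only in 1.0.0,
    # so a 0.9.2 pin can only be cleared by leaving the 0.x line.
    {"id": "ADV-0003", "package": "beta", "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0.9.1"},
                                         {"introduced": "0.9.2"}, {"fixed": "1.0.0"}]}]},
]
REQUIREMENTS = ["alpha==1.4.0", "beta==0.9.2", "gamma==3.1.0  # already clean"]

if __name__ == "__main__":
    for name, old, new, crosses, cleared in resolve_requirements(REQUIREMENTS, AVAILABLE, ADVISORIES):
        note = " (crosses major line: review for API breaks)" if crosses else ""
        print(f"{name:8} {old:8} -> {new:8} clears {cleared or 'nothing'}{note}")
```

Checking every candidate against every advisory, rather than jumping to the highest "fixed" version, is what catches the beta case, where the fix regressed in a later release. Because the current pin is itself a candidate, a pin that is already clean is left exactly where it is, which is the behaviour the description reports for the other 28 pins.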

snyk-io Bot commented May 19, 2026

Contributor

Snyk checks have passed. No issues have been found so far.

Scan Engine           Critical  High  Medium  Low  Total (0)
Open Source Security  0         0     0       0    0 issues
Licenses              0         0     0       0    0 issues
Code Security         0         0     0       0    0 issues



coderabbitai Bot commented May 19, 2026

📝 Walkthrough

This PR establishes automated dependency management for the gsuite package. A new Dependabot v2 configuration file defines a weekly update schedule targeting the pip ecosystem under /gsuite with 7-day cooldown delays for all release types. The gsuite/requirements.txt file is updated with newer pinned versions for protobuf, pyasn1, requests, and urllib3, establishing the baseline from which Dependabot will manage future updates.

Changes

Dependency Automation Setup

Layer: Automated dependency updates setup
File(s): .github/dependabot.yml, gsuite/requirements.txt
Summary: Dependabot v2 configuration defines weekly pip dependency updates for gsuite with 7-day cooldown delays. Pinned versions for protobuf, pyasn1, requests, and urllib3 are bumped to establish the baseline for automated management.

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The pull request title correctly starts with the JIRA ticket ID 'OPS-951:' in uppercase with proper formatting and clearly describes the two-part change: adding Dependabot configuration and bumping dependency pins to address CVEs.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

coderabbitai Bot previously requested changes May 19, 2026



Actionable comments posted: 2

Inline comments:
In .github/dependabot.yml:
- Around line 1-11: This PR is missing the required JIRA ticket link in the
description; add the JIRA URL to this PR's description now, and to prevent
future misses create or update the repository PULL_REQUEST_TEMPLATE.md to
include a mandatory "JIRA Ticket / Link" field so automated updates (e.g., from
dependabot for package-ecosystem: "pip" in directory "/gsuite" in
.github/dependabot.yml) must include the ticket when opening PRs.

In gsuite/requirements.txt:
- Around line 18-19: Update the dependency upgrades to ensure runtime and
resolver compatibility: verify the project's supported Python versions (confirm
if Python 3.9 support must be retained) and, if 3.9 must remain supported,
revert or pin requests and urllib3 to versions that allow Python 3.9; otherwise
update project metadata (pyproject/README/CI matrix) to require Python >=3.10.
Also check and pin pyOpenSSL >=19.0.0 if using urllib3==2.7.0, run the full
dependency resolver in CI (pip-tools/poetry lock or pip install
--use-feature=2020-resolver) and add CI matrix jobs to validate installs on
targeted Python interpreters and confirm protobuf==5.29.6 and pyasn1==0.6.3 do
not introduce incompatible transitive deps.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 84752a05-c013-4219-bf6c-6eadb7b18e1e

📥 Commits

Reviewing files that changed from the base of the PR and between 48f44e4 and ce9a603.

📒 Files selected for processing (2)
  • .github/dependabot.yml
  • gsuite/requirements.txt

@crosslake-ben

Contributor Author

@coderabbitai resume


coderabbitai Bot commented May 19, 2026

✅ Actions performed

Reviews resumed.

@crosslake-ben

Contributor Author

@coderabbitai review


coderabbitai Bot commented May 19, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@crosslake-ben crosslake-ben dismissed coderabbitai[bot]’s stale review May 19, 2026 16:56

Need to re-request review.

@crosslake-ben crosslake-ben left a comment

Contributor Author


All fixed @coderabbitai

@crosslake-ben crosslake-ben merged commit 5f22c8e into main May 20, 2026
4 checks passed
@crosslake-ben crosslake-ben deleted the ops-951-supply-chain-hardening branch May 20, 2026 18:49