Skip to content

chore(deps): resolve backend dependency CVEs (pysaml2 fork, cryptography, twisted, pydantic-ai)#5663

Merged
silvestrid merged 3 commits into
developfrom
pysaml2-fork-deps-upgrade
Jul 7, 2026
Merged

chore(deps): resolve backend dependency CVEs (pysaml2 fork, cryptography, twisted, pydantic-ai)#5663
silvestrid merged 3 commits into
developfrom
pysaml2-fork-deps-upgrade

Conversation

@silvestrid

@silvestrid silvestrid commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

What

Resolves all fixable Dependabot alerts on the backend (4 high, 3 low, 3 medium).

1. pysaml2 fork (2ec1971f)

pysaml2==7.5.4 caps pyopenssl<24.3.0, which blocked upgrading cryptography past the CVE-2026-26007 fix. Upstream fix exists but is unreleased (IdentityPython/pysaml2#1021), so we cherry-picked it into baserow/pysaml2 (fork PR #1, tag v7.5.4+deps-upgrade) and consume it via [tool.uv.sources] pinned to the immutable merge-commit SHA (a tag can be force-moved; the SHA cannot). Drop the source and return to PyPI once upstream releases the fix.

git is added to the Dockerfile builder-prod-base and dev stages — uv needs the git CLI to fetch git-sourced dependencies and the python-slim base image doesn't ship it.

2. Remaining CVE upgrades (dbf1effa)

Package Before → After Fixes
cryptography 43.0.3 → 49.0.0 2 high + 2 low (incl. CVE-2026-26007)
pyopenssl 24.2.1 → 26.3.0 1 high + 1 low
twisted 25.5.0 → 26.4.0 1 high (DNS compression DoS)
pydantic-ai-slim 1.77.0 → 1.102.0 2 medium (SSRF bypasses); needs boto3 ≥ 1.42.63
pydantic-settings 2.12.0 → 2.14.2 1 medium
django / daphne 5.2.15 / 4.2.2 security patches

pydantic-ai 1.102 turned StreamedResponse._parts_manager into a cached_property (plus new _finished/_cancelled class-default fields), which shadowed __getattr__ on the assistant's _ErrorRecoveringStream proxy — stream.get() would have built the response from an empty proxy-local parts manager. Fixed by property-delegating the shadowed attributes to the inner stream, with a regression test.

pip-audit over the new resolution reports a single remaining finding: lupa 2.6 — dev-only (fakeredis lua extra, never in prod images), no fixed release exists.

⚠️ Follow-up required in saas

The saas Dockerfiles mirror this one and consume the synced uv.lock — they need the same one-line git package addition or image builds will fail at uv sync --frozen after the next lock sync. MR: https://gitlab.com/baserow/baserow-saas/-/merge_requests/634

Verification

…yopenssl CVEs

The baserow/pysaml2 fork is v7.5.4 with IdentityPython/pysaml2#1021
cherry-picked, lifting the pyopenssl<24.3.0 cap that blocked the
cryptography upgrade. Pinned to the immutable merge commit
(tagged v7.5.4+deps-upgrade) via tool.uv.sources.

Upgrades cryptography 43.0.3 -> 49.0.0 and pyopenssl 24.2.1 -> 26.3.0,
resolving 3 high and 3 low Dependabot alerts including CVE-2026-26007.

git is added to the Dockerfile builder-prod-base and dev stages because
uv requires the git CLI to fetch git-sourced dependencies.
…c-settings to fix remaining CVEs

- twisted 25.5.0 -> 26.4.0: DNS compression pointer DoS (high)
- pydantic-ai-slim 1.77.0 -> 1.102.0: two SSRF blocklist bypasses (medium);
  requires boto3 >= 1.42.63
- pydantic-settings 2.12.0 -> 2.14.2: secrets_dir symlink traversal (medium)
- django 5.2.14 -> 5.2.15 and daphne 4.2.1 -> 4.2.2 security patches

pydantic-ai 1.102 turned StreamedResponse._parts_manager into a
cached_property and added _finished/_cancelled class-default fields.
These shadow __getattr__ on the assistant's _ErrorRecoveringStream
proxy, so get() would build the response from an empty proxy-local
parts manager. The shadowed attributes are now property-delegated to
the inner stream, with a regression test asserting get() sees the
streamed parts.
@silvestrid silvestrid self-assigned this Jul 6, 2026
@silvestrid silvestrid requested a review from Copilot July 6, 2026 15:58
@silvestrid silvestrid added the dependencies Pull requests that update a dependency file label Jul 6, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR resolves backend Dependabot security alerts by upgrading multiple Python dependencies (notably cryptography/pyopenssl/twisted/pydantic-ai) and introducing a temporary git-sourced fork of pysaml2 to unblock the upgrades. It also updates the enterprise assistant streaming proxy to remain compatible with the newer pydantic-ai internals and adds a regression test for the streaming .get() behavior.

Changes:

  • Upgrade backend dependency set in pyproject.toml/uv.lock, including switching pysaml2 to a git SHA-pinned fork via tool.uv.sources.
  • Update backend Docker build stages to install git so uv sync --frozen can fetch git-based dependencies.
  • Fix _ErrorRecoveringStream attribute shadowing by delegating additional StreamedResponse class/default attributes to the inner stream, with an added regression assertion in enterprise tests.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
File Description
enterprise/backend/tests/baserow_enterprise_tests/assistant/test_retrying_model.py Extends streaming recovery tests to validate .get() reads parts from the inner stream’s parts manager after pydantic-ai changes.
enterprise/backend/src/baserow_enterprise/assistant/retrying_model.py Ensures the stream proxy delegates shadowed StreamedResponse attributes (incl. _parts_manager) to the wrapped stream.
changelog/entries/unreleased/bug/upgrades_backend_dependencies_to_fix_known_security_vulnerab.json Adds an unreleased changelog entry covering the backend security dependency upgrades.
backend/uv.lock Updates locked dependency resolution (including pysaml2 git source and multiple version bumps) to address CVEs.
backend/pyproject.toml Bumps key pinned versions and adds tool.uv.sources override to consume the pysaml2 fork by immutable SHA.
backend/Dockerfile Installs git in relevant build/dev stages so uv can fetch git-sourced dependencies during image builds.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Coverage report

Click to see where and how coverage changed

FileStatementsMissingCoverageCoverage
(new stmts)
Lines missing
  enterprise/backend/src/baserow_enterprise/assistant
  retrying_model.py 488-496
Project Total  

This report was generated by python-coverage-comment-action

@silvestrid silvestrid requested a review from a team July 6, 2026 21:43

@alamin-br alamin-br left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me 🚀

@silvestrid silvestrid merged commit eda35b0 into develop Jul 7, 2026
54 checks passed
@silvestrid silvestrid deleted the pysaml2-fork-deps-upgrade branch July 7, 2026 11:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

Development

Successfully merging this pull request may close these issues.

3 participants