Doc by Web4application · Pull Request #10 · Web4application/enclov-AI

Web4application · 2025-06-01T14:25:01Z

@dependabot recreate
@dependabot rebase
@dependabot merge

.github/workflows/Deploy.yaml

.github/workflows/backend.yml

.github/workflows/deploy-docs.yml

.github/workflows/deploy.yml

.github/workflows/docker-ci.yml

Web4application · 2025-06-02T03:58:40Z

app/config.py

+            data = {"body": review_comment}
+
+            async with httpx.AsyncClient() as client:
+                await client.post(comments_url, json=data, headers=headers)


To fix the issue, we will ensure that the comments_url is selected from a predefined list of trusted URLs on the server, rather than relying on user-provided input. This eliminates the possibility of SSRF attacks by removing user control over the URL entirely. Specifically:

Replace the dynamic comments_url with a server-controlled URL based on the repository's full name or other trusted attributes.

Remove the validation logic for comments_url since it will no longer be necessary.

Update the client.post call to use the server-controlled URL.

@dependabot recreate

app/main.py

main.py

socket-security · 2025-06-01T14:25:17Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	kubernetes@32.0.1
	openai@1.82.1
	openai@0.27.8
	celery@5.5.2
	uvicorn@0.22.0
	redis@6.2.0
	requests@2.32.3
	python-dotenv@1.0.0
	cryptography@45.0.3
	pyjwt@2.10.1
	fastapi@0.95.2
	httpx@0.24.1

View full report

socket-security · 2025-06-01T14:25:19Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click for details)
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib-3.10.3/lib/matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib-3.10.3/LICENSE/LICENSE_AMSFONTS) License: OFL-1.1 (matplotlib-3.10.3/LICENSE/LICENSE_AMSFONTS) License: OFL-1.1 (matplotlib-3.10.3/LICENSE/LICENSE_AMSFONTS) License: Bitstream-Charter (matplotlib-3.10.3/LICENSE/LICENSE_COURIERTEN) License: OFL-1.1 (matplotlib-3.10.3/lib/matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) License: OFL-1.1 (matplotlib-3.10.3/LICENSE/LICENSE_STIX) License: OFL-1.1 (matplotlib-3.10.3/LICENSE/LICENSE_CARLOGO) License: CC-BY-4.0 (matplotlib-3.10.3/doc/_static/fa/LICENSE) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		`matplotlib@3.10.3` has a License Policy Violation. License: Bitstream-Vera (matplotlib/mpl-data/fonts/ttf/LICENSE_DEJAVU) License: OFL-1.1 (matplotlib/mpl-data/fonts/ttf/LICENSE_STIX) From: `?` → `pypi/fastapi@0.95.2` → `pypi/httpx@0.24.1` → `pypi/openai@0.27.8` → `pypi/python-dotenv@1.0.0` → `pypi/uvicorn@0.22.0` → `pypi/requests@2.32.3` → `pypi/pyjwt@2.10.1` → `pypi/kubernetes@32.0.1` → `pypi/celery@5.5.2` → `pypi/cryptography@45.0.3` → `pypi/matplotlib@3.10.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/matplotlib@3.10.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 71 more rows in the dashboard

View full report

register_webhook.py

Signed-off-by: Web4 <167559384+Web4application@users.noreply.github.com>

…ine.yaml Signed-off-by: Web4 <167559384+Web4application@users.noreply.github.com>

Signed-off-by: Web4 <167559384+Web4application@users.noreply.github.com>

github-advanced-security bot found potential problems Jun 1, 2025

View reviewed changes

github-pages bot temporarily deployed to github-pages June 1, 2025 14:28 Inactive

Web4application temporarily deployed to github-pages June 1, 2025 15:07 — with GitHub Pages Inactive

github-pages bot temporarily deployed to github-pages June 1, 2025 15:08 Inactive

Web4application temporarily deployed to github-pages June 1, 2025 15:28 — with GitHub Actions Inactive

Web4application had a problem deploying to github-pages June 1, 2025 15:28 — with GitHub Pages Error

github-pages bot temporarily deployed to github-pages June 1, 2025 15:29 Inactive

github-advanced-security bot found potential problems Jun 1, 2025

View reviewed changes

register_webhook.py Fixed Show fixed Hide fixed

register_webhook.py Fixed Show fixed Hide fixed

Web4application temporarily deployed to github-pages June 1, 2025 15:35 — with GitHub Actions Inactive

Web4application had a problem deploying to github-pages June 1, 2025 15:35 — with GitHub Pages Error

github-pages bot temporarily deployed to github-pages June 1, 2025 15:36 Inactive

Web4application temporarily deployed to github-pages June 1, 2025 15:57 — with GitHub Actions Inactive

Web4application had a problem deploying to github-pages June 1, 2025 15:57 — with GitHub Pages Error

github-pages bot temporarily deployed to github-pages June 1, 2025 15:57 Inactive

Web4application temporarily deployed to github-pages June 1, 2025 15:59 — with GitHub Actions Inactive

Web4application temporarily deployed to github-pages June 1, 2025 15:59 — with GitHub Pages Inactive

Web4application temporarily deployed to github-pages June 1, 2025 15:59 — with GitHub Actions Inactive

Web4application temporarily deployed to github-pages June 1, 2025 16:00 — with GitHub Pages Inactive

Web4application temporarily deployed to github-pages June 1, 2025 16:00 — with GitHub Actions Inactive

Web4application temporarily deployed to github-pages June 1, 2025 16:01 — with GitHub Pages Inactive

Web4application temporarily deployed to github-pages June 1, 2025 16:01 — with GitHub Actions Inactive

github-pages bot had a problem deploying to github-pages June 1, 2025 16:01 Failure

Web4application temporarily deployed to github-pages June 1, 2025 16:07 — with GitHub Pages Inactive

Web4application temporarily deployed to github-pages June 1, 2025 16:07 — with GitHub Actions Inactive

Web4application temporarily deployed to github-pages June 1, 2025 16:08 — with GitHub Pages Inactive

Web4application temporarily deployed to github-pages June 1, 2025 16:08 — with GitHub Actions Inactive

github-pages bot temporarily deployed to github-pages June 1, 2025 16:08 Inactive

Web4application temporarily deployed to github-pages June 1, 2025 16:13 — with GitHub Actions Inactive

Rename EnclovAI.prompt.yml to EnclovAI.prompt.yaml

f529568

Signed-off-by: Web4 <167559384+Web4application@users.noreply.github.com>

vercel bot had a problem deploying to Production – enclov-ai-vc5i November 6, 2025 16:01 Failure

Web4application temporarily deployed to github-pages November 6, 2025 16:01 — with GitHub Actions Inactive

vercel bot deployed to Production – enclov-ai November 6, 2025 16:02 View deployment

Update enclov-ai-full-pipeline.yml

c18cde3

Signed-off-by: Web4 <167559384+Web4application@users.noreply.github.com>

Web4application temporarily deployed to github-pages November 6, 2025 16:07 — with GitHub Actions Inactive

vercel bot had a problem deploying to Production – enclov-ai-vc5i November 6, 2025 16:07 Failure

vercel bot deployed to Production – enclov-ai November 6, 2025 16:08 View deployment

Update and rename enclov-ai-full-pipeline.yml to enclov-ai-full-pipel…

229c117

…ine.yaml Signed-off-by: Web4 <167559384+Web4application@users.noreply.github.com>

Web4application temporarily deployed to github-pages November 6, 2025 16:08 — with GitHub Actions Inactive

vercel bot had a problem deploying to Production – enclov-ai-vc5i November 6, 2025 16:08 Failure

vercel bot deployed to Production – enclov-ai November 6, 2025 16:09 View deployment

Update model_config.py

0a8ecfb

Signed-off-by: Web4 <167559384+Web4application@users.noreply.github.com>

Web4application temporarily deployed to github-pages November 6, 2025 16:22 — with GitHub Actions Inactive

vercel bot deployed to Production – enclov-ai November 6, 2025 16:22 View deployment

vercel bot had a problem deploying to Production – enclov-ai-vc5i November 6, 2025 16:22 Failure

Update .env

0d37a25

Signed-off-by: Web4 <167559384+Web4application@users.noreply.github.com>

Web4application temporarily deployed to github-pages November 6, 2025 16:29 — with GitHub Actions Inactive

vercel bot had a problem deploying to Production – enclov-ai-vc5i November 6, 2025 16:29 Failure

vercel bot deployed to Production – enclov-ai November 6, 2025 16:30 View deployment

Create CNAME

9f73759

vercel bot had a problem deploying to Production – enclov-ai-vc5i November 6, 2025 16:33 Failure

Web4application temporarily deployed to github-pages November 6, 2025 16:33 — with GitHub Actions Inactive

Web4application deployed to github-pages November 6, 2025 16:33 — with GitHub Pages View deployment

vercel bot deployed to Production – enclov-ai November 6, 2025 16:33 View deployment

Update CNAME

1c60f2b

Web4application temporarily deployed to github-pages November 6, 2025 16:36 — with GitHub Actions Inactive

vercel bot had a problem deploying to Production – enclov-ai-vc5i November 6, 2025 16:36 Failure

Web4application deployed to github-pages November 6, 2025 16:36 — with GitHub Pages View deployment

vercel bot deployed to Production – enclov-ai November 6, 2025 16:36 View deployment

@@ -50,27 +50,6 @@
                         # Validate comments_url domain (trust but verify)
-                        comments_url = payload["pull_request"]["comments_url"]
-                        # Define a whitelist of allowed base URLs
-                        allowed_urls = [
-                            "https://web4application.github.io/repos/"
-                        ]
-                        # Parse and validate the comments_url
-                        try:
-                            parsed_url = urlparse(comments_url)
-                            if not parsed_url.scheme in ["http", "https"]:
-                                raise HTTPException(status_code=400, detail="Invalid comments_url: Unsupported URL scheme")
-                            if not any(comments_url.startswith(allowed_url) for allowed_url in allowed_urls):
-                                raise HTTPException(status_code=400, detail="Invalid comments_url: URL not in allowed whitelist")
-                            # Resolve domain to IP and validate against trusted range
-                            import socket
-                            resolved_ip = socket.gethostbyname(parsed_url.netloc)
-                            trusted_ips = ["192.30.252.0/22", "185.199.108.0/22"]  # Example GitHub IP ranges
-                            from ipaddress import ip_address, ip_network
-                            if not any(ip_address(resolved_ip) in ip_network(trusted_range) for trusted_range in trusted_ips):
-                                raise HTTPException(status_code=400, detail="Invalid comments_url: IP address not in trusted range")
-                        except Exception as e:
-                            raise HTTPException(status_code=400, detail=f"Invalid comments_url: {str(e)}")
+                        # Construct a server-controlled comments_url based on repository full name
+                        base_url = "https://web4application.github.io/repos/"
+                        repo_full_name = payload["repository"]["full_name"]
+                        comments_url = f"{base_url}{repo_full_name}/comments"
                         headers = {

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Doc#10

Doc#10
Web4application wants to merge 1054 commits intoWeb4application-patch-2from
main

Web4application commented Jun 1, 2025 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Check failure

Copilot Autofix

Web4application Jun 2, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

socket-security bot commented Jun 1, 2025 •

edited

Loading

Uh oh!

socket-security bot commented Jun 1, 2025 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

Web4application commented Jun 1, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Check failure

Uh oh!

Copilot Autofix

Web4application Jun 2, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

socket-security bot commented Jun 1, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented Jun 1, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Web4application commented Jun 1, 2025 •

edited

Loading

socket-security bot commented Jun 1, 2025 •

edited

Loading

socket-security bot commented Jun 1, 2025 •

edited

Loading