Skip to content

fix(security): suppress uv-missing-dependency-cooldown on agent/pyproject.toml (#532)#539

Open
mandeep408 wants to merge 4 commits into
mainfrom
fix/532-uv-dependency-cooldown
Open

fix(security): suppress uv-missing-dependency-cooldown on agent/pyproject.toml (#532)#539
mandeep408 wants to merge 4 commits into
mainfrom
fix/532-uv-dependency-cooldown

Conversation

@mandeep408

Copy link
Copy Markdown
Contributor

What

Suppress the semgrep uv-missing-dependency-cooldown finding on agent/pyproject.toml via a justified nosemgrep, rather than adding a global exclude-newer cooldown.

Fixes #532.

Why not the originally-proposed exclude-newer = "7 days"

Verified that a global relative cooldown is structurally incompatible with this repo's exact == pins: several pins (fastapi, bedrock-agentcore, boto3) are to versions published inside any reasonable window, so exclude-newer makes uv lock/uv sync unsatisfiable and re-breaks on every fresh pin bump. Full analysis and the maintainer's approval reversal are in the issue thread — decision was Option B (justified nosemgrep).

The rule's threat model (surprise malicious/unstable version) is already covered by exact pins + committed uv.lock + reviewed upgrade-main PRs + uv sync --frozen in the image, so a global cooldown would be redundant and would fight the pinning workflow.

Change

One justified nosemgrep on the line preceding [tool.uv] in agent/pyproject.toml (+8 lines, comment + directive). Scope: agent/pyproject.toml only.

Verification (local, on this branch rebased atop merged #537)

Notes / follow-ups (separate, per maintainer)

  • Pin Semgrep / rule packs — root cause of this surfacing (semgrep = "latest" + --config auto).
  • Evaluate uv sync --frozen in the CI install task — ADR-009 / 2P track.
  • Separately observed: security:sast:masking fails on main (pre-existing, in cli/src/commands/jira.ts, linear.ts, cdk/src/handlers/shared/jira-feedback.ts) — unrelated to this PR; worth its own issue.

Co-Authored-By: Claude noreply@anthropic.com

…ject.toml (#532)

semgrep's uv-missing-dependency-cooldown rule wants a global exclude-newer
cooldown under [tool.uv]. Setting one is structurally incompatible with this
repo: deps are exact-pinned (==) and several pins (fastapi, bedrock-agentcore,
boto3) are to versions published within any reasonable cooldown window, so a
global exclude-newer makes `uv lock`/`uv sync` unsatisfiable and re-breaks on
every fresh pin bump.

The rule's threat model (surprise malicious/unstable version) is already
covered by exact pins + committed uv.lock + reviewed upgrade-main PRs +
uv sync --frozen in the image. Suppress with a justified nosemgrep on the line
preceding [tool.uv] rather than adding a redundant, workflow-breaking cooldown.

Approach approved by maintainer (Option B) in #532.

Verified: `mise run security:sast` -> 0 findings; `uv sync --all-groups` and
`uv lock --check` both resolve.

Fixes #532
Co-Authored-By: Claude <noreply@anthropic.com>
@mandeep408 mandeep408 requested review from a team as code owners July 7, 2026 22:00
@mandeep408 mandeep408 self-assigned this Jul 8, 2026
@mandeep408 mandeep408 added the approved When an issue has been approved and ready label Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved When an issue has been approved and ready

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(security): semgrep uv-missing-dependency-cooldown on agent/pyproject.toml (masked behind #530)

3 participants