Skip to content

build(deps): bump aiohttp from 3.13.5 to 3.14.1 in /src/ContentProcessor#611

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/src/ContentProcessor/aiohttp-3.14.0
Open

build(deps): bump aiohttp from 3.13.5 to 3.14.1 in /src/ContentProcessor#611
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/uv/src/ContentProcessor/aiohttp-3.14.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code labels Jun 4, 2026
Copilot AI review requested due to automatic review settings June 4, 2026 00:09
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 4, 2026
@dependabot dependabot Bot added the python:uv Pull requests that update python:uv code label Jun 4, 2026
Copilot AI reviewed Jun 4, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@dependabot
build(deps): bump aiohttp from 3.13.5 to 3.14.1 in /src/ContentProcessor
8bb3012 
---
updated-dependencies:
- dependency-name: aiohttp
  dependency-version: 3.14.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): bump aiohttp from 3.13.5 to 3.14.0 in /src/ContentProcessor build(deps): bump aiohttp from 3.13.5 to 3.14.1 in /src/ContentProcessor Jun 16, 2026
@dependabot dependabot Bot force-pushed the dependabot/uv/src/ContentProcessor/aiohttp-3.14.0 branch from 18e1eca to 8bb3012 Compare June 16, 2026 12:46
@Ayaz-Microsoft Ayaz-Microsoft mentioned this pull request Jun 17, 2026
Open
Ayaz-Microsoft added a commit that referenced this pull request Jun 17, 2026
@Ayaz-Microsoft
chore: add aiohttp and starlette as direct dependencies
4f57d7d 
- Add aiohttp==3.14.1 to ContentProcessor (fixes dependabot PR #611)
- Add aiohttp==3.14.1 to ContentProcessorAPI (fixes dependabot PR #610)
- Add starlette==1.3.1 to ContentProcessorWorkflow (fixes dependabot PR #624)

These were previously transitive dependencies. Adding them as direct
dependencies ensures we get security updates and have better version control.

Closes #611
Closes #610
Closes #624
Ayaz-Microsoft added a commit that referenced this pull request Jun 17, 2026
@Ayaz-Microsoft
chore: upgrade vulnerable packages (Python + NPM)
c8f710b 
Upgrades security-critical packages across ContentProcessor, ContentProcessorWorkflow, and ContentProcessorWeb modules.

ContentProcessorWorkflow (Python):
- aiohttp: 3.13.5 → 3.14.1 (MEDIUM severity, transitive → direct)
- python-multipart: 0.0.27 → 0.0.31 (HIGH severity)
- cryptography: 46.0.7 → 48.0.1 (HIGH severity)
- pyjwt: 2.12.1 → 2.13.0 (MEDIUM/HIGH severity)
- starlette: 1.0.1 → 1.3.1 (HIGH severity, transitive → direct)

ContentProcessor (Python):
- aiohttp: 3.13.5 → 3.14.1 (MEDIUM severity, transitive → direct)
- pyjwt: 2.12.1 → 2.13.0 (MEDIUM/HIGH severity)
- python-multipart: added 0.0.31 (HIGH severity, new direct dependency)
- cryptography: added 48.0.1 (HIGH severity, new direct dependency)
- starlette: 1.0.0 → 1.3.1 (HIGH severity, transitive → direct)

ContentProcessorWeb (NPM):
Direct dependencies:
- axios: 1.15.2 → 1.16.0 (HIGH severity)
- react-router-dom: 7.13.2 → 7.15.1 (HIGH/LOW severity)
- qs: 6.14.2 → 6.15.2 (MEDIUM severity)
- uuid: 11.1.0 → 11.1.1 (MEDIUM severity)
- webpack-dev-server: 5.2.1 → 5.2.4 (MEDIUM severity)

Transitive dependencies (via lock file):
- shell-quote → 1.8.4 (CRITICAL severity)
- form-data → 4.0.6 (HIGH severity)
- ws → 8.21.0 (HIGH severity)
- js-yaml → 4.2.0 (MEDIUM severity)
- launch-editor → 2.14.1 (MEDIUM severity)
- @babel/core → 7.29.6 (LOW severity)

Testing:
- All uv sync operations: PASSED
- ContentProcessorWeb build: PASSED
- No breaking changes

Resolves ~114 security alerts (71% reduction from 161 → ~47).

Note: ContentProcessorAPI excluded per team guidance.

Closes #624
Closes #611
Closes #614
Ayaz-Microsoft added a commit that referenced this pull request Jun 17, 2026
@Ayaz-Microsoft
chore: upgrade vulnerable packages (Python + NPM)
a8fae6f 
Upgrades security-critical packages across ContentProcessorWorkflow and ContentProcessorWeb modules.

ContentProcessorWorkflow (Python):
- aiohttp: 3.13.5 → 3.14.1 (MEDIUM severity, transitive → direct)
- python-multipart: 0.0.27 → 0.0.31 (HIGH severity)
- cryptography: 46.0.7 → 48.0.1 (HIGH severity)
- pyjwt: 2.12.1 → 2.13.0 (MEDIUM/HIGH severity)
- starlette: 1.0.1 → 1.3.1 (HIGH severity, transitive → direct)

ContentProcessor (Python):
- NO DIRECT CHANGES (relied on transitive dependencies)
- All vulnerable packages upgraded via parent dependencies:
  • aiohttp 3.14.1 (via azure-functions-durable)
  • pyjwt 2.13.0 (via azure-identity, msal)
  • cryptography 48.0.1 (via azure-identity, msal, pyjwt)
  • python-multipart 0.0.31 (via fastapi)
  • starlette 1.3.1 (via fastapi, sse-starlette)

ContentProcessorWeb (NPM):
Direct dependencies:
- axios: 1.15.2 → 1.16.0 (HIGH severity)
- react-router-dom: 7.13.2 → 7.15.1 (HIGH/LOW severity)
- qs: 6.14.2 → 6.15.2 (MEDIUM severity)
- uuid: 11.1.0 → 11.1.1 (MEDIUM severity)
- webpack-dev-server: 5.2.1 → 5.2.4 (MEDIUM severity)

Transitive dependencies (via lock file):
- shell-quote → 1.8.4 (CRITICAL severity)
- form-data → 4.0.6 (HIGH severity)
- ws → 8.21.0 (HIGH severity)
- js-yaml → 4.2.0 (MEDIUM severity)
- launch-editor → 2.14.1 (MEDIUM severity)
- @babel/core → 7.29.6 (LOW severity)

Testing:
- All uv sync operations: PASSED
- ContentProcessorWeb build: PASSED
- No breaking changes
- Verified all secure versions present in lock files

Resolves ~114 security alerts (71% reduction from 161 → ~47).

Note: ContentProcessorAPI excluded per team guidance.

Closes #624
Closes #611
Closes #614
Ayaz-Microsoft added a commit that referenced this pull request Jun 17, 2026
@Ayaz-Microsoft
chore: upgrade vulnerable packages (Python + NPM)
74b73b0 
Upgrades security-critical packages across ContentProcessor, ContentProcessorWorkflow, and ContentProcessorWeb modules.

ContentProcessorWorkflow (Python):
- aiohttp: 3.13.5 → 3.14.1 (MEDIUM severity, transitive → direct)
- python-multipart: 0.0.27 → 0.0.31 (HIGH severity)
- cryptography: 46.0.7 → 48.0.1 (HIGH severity)
- pyjwt: 2.12.1 → 2.13.0 (MEDIUM/HIGH severity)
- starlette: 1.0.1 → 1.3.1 (HIGH severity, transitive → direct)

ContentProcessor (Python):
- pyjwt: 2.12.1 → 2.13.0 (MEDIUM/HIGH severity)
- Other vulnerable packages upgraded via transitive dependencies:
  • aiohttp 3.14.1 (via azure-functions-durable)
  • cryptography 48.0.1 (via azure-identity, msal, pyjwt)
  • python-multipart 0.0.31 (via fastapi)
  • starlette 1.3.1 (via fastapi, sse-starlette)

ContentProcessorWeb (NPM):
Direct dependencies:
- axios: 1.15.2 → 1.16.0 (HIGH severity)
- react-router-dom: 7.13.2 → 7.15.1 (HIGH/LOW severity)
- qs: 6.14.2 → 6.15.2 (MEDIUM severity)
- uuid: 11.1.0 → 11.1.1 (MEDIUM severity)
- webpack-dev-server: 5.2.1 → 5.2.4 (MEDIUM severity)

Transitive dependencies (via lock file):
- shell-quote → 1.8.4 (CRITICAL severity)
- form-data → 4.0.6 (HIGH severity)
- ws → 8.21.0 (HIGH severity)
- js-yaml → 4.2.0 (MEDIUM severity)
- launch-editor → 2.14.1 (MEDIUM severity)
- @babel/core → 7.29.6 (LOW severity)

Testing:
- All uv sync operations: PASSED
- ContentProcessorWeb build: PASSED
- No breaking changes
- Verified all secure versions present in lock files

Resolves ~114 security alerts (71% reduction from 161 → ~47).

Note: ContentProcessorAPI excluded per team guidance.

Closes #624
Closes #611
Closes #614
Ayaz-Microsoft added a commit that referenced this pull request Jun 17, 2026
@Ayaz-Microsoft
chore: upgrade vulnerable packages (Python + NPM)
6c6ad96 
Upgrades security-critical packages across ContentProcessor, ContentProcessorWorkflow, and ContentProcessorWeb modules.

ContentProcessorWorkflow (Python):
- aiohttp: 3.13.5 → 3.14.1 (MEDIUM severity, transitive → direct)
- python-multipart: 0.0.27 → 0.0.31 (HIGH severity)
- cryptography: 46.0.7 → 48.0.1 (HIGH severity)
- pyjwt: 2.12.1 → 2.13.0 (MEDIUM/HIGH severity)
- starlette: 1.0.1 → 1.3.1 (HIGH severity, transitive → direct)

ContentProcessor (Python):
- pyjwt: 2.12.1 → 2.13.0 (MEDIUM/HIGH severity)
- Other vulnerable packages upgraded via transitive dependencies:
  • aiohttp 3.14.1 (via azure-functions-durable)
  • cryptography 48.0.1 (via azure-identity, msal, pyjwt)
  • python-multipart 0.0.31 (via fastapi)
  • starlette 1.3.1 (via fastapi, sse-starlette)

ContentProcessorWeb (NPM):
Direct dependencies:
- axios: 1.15.2 → 1.16.0 (HIGH severity)
- react-router-dom: 7.13.2 → 7.15.1 (HIGH/LOW severity)
- qs: 6.14.2 → 6.15.2 (MEDIUM severity)
- uuid: 11.1.0 → 11.1.1 (MEDIUM severity)
- webpack-dev-server: 5.2.1 → 5.2.4 (MEDIUM severity)

Transitive dependencies (via lock file):
- shell-quote → 1.8.4 (CRITICAL severity)
- form-data → 4.0.6 (HIGH severity)
- ws → 8.21.0 (HIGH severity)
- js-yaml → 4.2.0 (MEDIUM severity)
- launch-editor → 2.14.1 (MEDIUM severity)
- @babel/core → 7.29.6 (LOW severity)

Testing:
- All uv sync operations: PASSED
- ContentProcessorWeb build: PASSED
- No breaking changes
- Verified all secure versions present in lock files

Resolves ~114 security alerts (71% reduction from 161 → ~47).

Note: ContentProcessorAPI excluded per team guidance.

Closes #624
Closes #611
Closes #614
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Avijit-Microsoft Avijit-Microsoft Awaiting requested review from Avijit-Microsoft Avijit-Microsoft is a code owner

@Roopan-Microsoft Roopan-Microsoft Awaiting requested review from Roopan-Microsoft Roopan-Microsoft is a code owner

@aniaroramsft aniaroramsft Awaiting requested review from aniaroramsft aniaroramsft is a code owner

@toherman-msft toherman-msft Awaiting requested review from toherman-msft toherman-msft is a code owner

@nchandhi nchandhi Awaiting requested review from nchandhi nchandhi is a code owner

@dgp10801 dgp10801 Awaiting requested review from dgp10801 dgp10801 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file python:uv Pull requests that update python:uv code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant