Skip to content

Fix high and critical Dependabot vulnerabilities across npm and Python dependencies#132

Draft
Copilot wants to merge 11 commits intodevfrom
copilot/fix-high-critical-vulnerabilities
Draft

Fix high and critical Dependabot vulnerabilities across npm and Python dependencies#132
Copilot wants to merge 11 commits intodevfrom
copilot/fix-high-critical-vulnerabilities

Conversation

Copy link
Contributor

Copilot AI commented Mar 2, 2026
edited
Loading

Addresses all High and Critical severity vulnerabilities surfaced by GitHub Dependabot across the frontend npm packages and Python services.

npm (src/frontend)

Package Old New CVE/Advisory
axios ^1.7.9 ^1.13.6 GHSA-jr5f-v2jv-69x6 (SSRF), GHSA-43fc-jf86-j433 (DoS)
react-router-dom ^7.1.3 ^7.13.1 GHSA-2w69-qvjg-hvjx, GHSA-8v8x-cx79-35w7 (XSS)
rollup ^4.34.4 ^4.59.0 GHSA-mw96-cpmx-2vgc (path traversal write)
form-data (transitive) <4.0.4 4.0.4+ GHSA-fjxv-7rqg-78g4 (CRITICAL – unsafe boundary RNG)
glob / minimatch (transitive) vulnerable patched ReDoS + command injection

package-lock.json regenerated via npm install && npm audit fix.

Python

Package Old New Location CVE
python-multipart 0.0.20 0.0.22 frontend/requirements.txt CVE-2026-24486 (arbitrary file write, CVSS 8.6)
fastapi 0.116.1 0.121.3 frontend/requirements.txt, backend-api/pyproject.toml pulls starlette ≥0.49.1
starlette (transitive) 0.47.3 0.50.0 backend-api/uv.lock CVE-2025-62727 (Range header O(n²) DoS, CVSS 7.5)
aiohttp 3.12.15 3.13.3 processor/pyproject.toml CVE-2025-69223 (zip bomb DoS, CVSS 7.5)

uv.lock files for backend-api and processor regenerated. Moderate-severity findings are out of scope per the issue.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

NirajC-Microsoft and others added 10 commits February 9, 2026 15:52
@NirajC-Microsoft
Update Troubleshoot doc
21ef3b8
@NirajC-Microsoft
Update Troubleshoot document 1
e7e85af
@Roopan-Microsoft
Merge pull request #114 from microsoft/psl-mtroubleshootdoc
c45274e 
docs: Update Troubleshoot doc
@Prajwal-Microsoft
docs: Add AI playbook section to README
efd26fc 
Added a section for the AI playbook with a description and link.
@Roopan-Microsoft
Merge pull request #118 from microsoft/cross-link-references
3cf79f9 
docs: Add AI playbook section to README
@Vamshi-Microsoft
Migrated GitHub Actions authentication from client secrets to OIDC
967bc86
@Vamshi-Microsoft
Added runner_os input (Deployment Environment) and Deleted deploy-win…
059f4d6 
…dows.yml since it's no longer needed
@Roopan-Microsoft
Merge pull request #119 from microsoft/dev
cfc396f 
chore: Dev to main
@Prajwal-Microsoft
Merge pull request #124 from microsoft/psl-oidc
f550d61 
ci: Migrated GitHub Actions authentication from client secrets to OIDC and combined Ubuntu & Windows workflows into a single pipeline
Initial plan
ed690a1
@Dhanushree-Microsoft
Fix high and critical security vulnerabilities in npm and Python depe…
57f50b4 
…ndencies

Co-authored-by: Dhanushree-Microsoft <250931221+Dhanushree-Microsoft@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix high and critical vulnerabilities Fix high and critical Dependabot vulnerabilities across npm and Python dependencies Mar 2, 2026
@Dhanushree-Microsoft Dhanushree-Microsoft changed the base branch from main to dev March 2, 2026 07:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Avijit-Microsoft Avijit-Microsoft Awaiting requested review from Avijit-Microsoft Avijit-Microsoft will be requested when the pull request is marked ready for review Avijit-Microsoft is a code owner

@Roopan-Microsoft Roopan-Microsoft Awaiting requested review from Roopan-Microsoft Roopan-Microsoft will be requested when the pull request is marked ready for review Roopan-Microsoft is a code owner

@Prajwal-Microsoft Prajwal-Microsoft Awaiting requested review from Prajwal-Microsoft Prajwal-Microsoft will be requested when the pull request is marked ready for review Prajwal-Microsoft is a code owner

@Vinay-Microsoft Vinay-Microsoft Awaiting requested review from Vinay-Microsoft Vinay-Microsoft will be requested when the pull request is marked ready for review Vinay-Microsoft is a code owner

@aniaroramsft aniaroramsft Awaiting requested review from aniaroramsft aniaroramsft will be requested when the pull request is marked ready for review aniaroramsft is a code owner

@Dongbumlee Dongbumlee Awaiting requested review from Dongbumlee Dongbumlee will be requested when the pull request is marked ready for review Dongbumlee is a code owner

@sethsteenken sethsteenken Awaiting requested review from sethsteenken sethsteenken will be requested when the pull request is marked ready for review sethsteenken is a code owner

@toherman-msft toherman-msft Awaiting requested review from toherman-msft toherman-msft will be requested when the pull request is marked ready for review toherman-msft is a code owner

@nchandhi nchandhi Awaiting requested review from nchandhi nchandhi will be requested when the pull request is marked ready for review nchandhi is a code owner

@dgp10801 dgp10801 Awaiting requested review from dgp10801 dgp10801 will be requested when the pull request is marked ready for review dgp10801 is a code owner

Assignees

Copilot code review Copilot

@Dhanushree-Microsoft Dhanushree-Microsoft

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@Dhanushree-Microsoft @NirajC-Microsoft @Roopan-Microsoft @Prajwal-Microsoft @Vamshi-Microsoft