
Fix security vulnerabilities in Python and Node.js dependencies for non-deprecated components#1189

Draft
Copilot wants to merge 1 commit intomainfrom
copilot/review-dependabot-security-issues

Conversation


Copilot AI commented Mar 31, 2026

Summary

This PR addresses security vulnerabilities identified via pip-audit and npm audit across all non-deprecated components in the IMAGE-server repository. All deprecated folders (handlers/deprecated/*, preprocessors/deprecated/*) are excluded from changes.

Addresses issue #1111 — Review dependabot issues for non-deprecated containers.

Python dependency updates (33 requirements.txt files)

| Package | From | To | CVEs Fixed |
|---|---|---|---|
| Flask | 2.2.5, 3.0.3, 3.1.0 | 3.1.3 | CVE-2026-27205, CVE-2025-47278 |
| Werkzeug | 3.0.3, 3.1.0, 3.1.3 | 3.1.6 | CVE-2024-49766, CVE-2024-49767, CVE-2025-66221, CVE-2026-21860, CVE-2026-27199 |
| requests | 2.32.0, 2.32.3 | 2.33.0 | CVE-2024-47081, CVE-2026-25645 |
| Pillow | 9.4.0–11.3.0 | 12.1.1 | CVE-2026-25990 (out-of-bounds write) |
| Jinja2 | 3.1.2, 3.1.4 | 3.1.6 | CVE-2024-56201, CVE-2024-56326, CVE-2025-27516 (arbitrary code exec) |
| urllib3 | 1.26.9 | 2.6.3 | CVE-2024-37891 + 6 others |
| opencv-python | 4.7.0.72 | 4.10.0.84 | GHSA-qr4w-53vh-m672 |
| Flask-Cors | 5.0.0 | 6.0.0 | CVE-2024-6839, CVE-2024-6844, CVE-2024-6866 |
| gunicorn | 22.0.0 | 23.0.0 | Maintenance update |
| jsonschema | 3.2.0 | 4.23.0 | Maintenance update |

Node.js dependency updates (9 package-lock.json files)

All 9 non-deprecated Node.js components now have 0 npm audit vulnerabilities.

| Package | From | To | Issues Fixed |
|---|---|---|---|
| express | 4.21.2 | 4.22.1 | path-to-regexp ReDoS, qs DoS, body-parser issues |
| tar-fs | 2.1.2 | 2.1.4 | GHSA-vj76-c3g6-qr5v, GHSA-8cj5-5rvv-wf4v |

+ picomatch, minimatch, flatted, js-yaml, brace-expansion, ajv

Compatibility analysis

All Python services use basic Flask APIs (Flask, request, jsonify) with no usage of removed/deprecated features. The few Werkzeug imports (FileWrapper, BaseConverter) remain available in the new versions. All new dependency versions were verified against the GitHub Advisory Database.

Not updated (high risk of code breakage)

  • torch/torchvision: Upgrades could break ML model loading and inference
  • express 5.x: Major breaking API changes across all Node.js components

Testing

  • pip-audit confirms all non-deprecated Python components are vulnerability-free
  • npm audit confirms 0 vulnerabilities across all 9 Node.js components
  • Code review: passed with no issues
  • CodeQL: no code changes to analyze (dependency-only updates)

…s all non-deprecated components

Agent-Logs-Url: https://github.com/Shared-Reality-Lab/IMAGE-server/sessions/5eef10f8-42b4-4307-a1b7-4c4770ea980c

Co-authored-by: jeffbl <2095406+jeffbl@users.noreply.github.com>
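As an added check (example code written here, not part of this PR or of the IMAGE-server repository): a script that walks a checkout for requirements.txt files, skips the deprecated folders the PR excludes, and flags exact pins that sit below the floor versions in the Python table above. It assumes pins are dotted integer versions (no PEP 440 pre-release tags) and treats only `==` pins as checkable.

```python
import re
from pathlib import Path

# Floor versions taken from the PR's Python table (constructed lookup for this example).
MIN_VERSIONS = {
    "flask": "3.1.3", "werkzeug": "3.1.6", "requests": "2.33.0",
    "pillow": "12.1.1", "jinja2": "3.1.6", "urllib3": "2.6.3",
    "opencv-python": "4.10.0.84", "flask-cors": "6.0.0",
    "gunicorn": "23.0.0", "jsonschema": "4.23.0",
}
# Folders the PR leaves untouched; a finding there is expected, not a regression.
DEPRECATED_DIRS = ("handlers/deprecated", "preprocessors/deprecated")

# Matches "Name==1.2.3"; unpinned or range specifiers are deliberately not matched.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")

def normalize(name):
    # PyPI names compare case-insensitively with '-', '_' and '.' treated alike.
    return re.sub(r"[-_.]+", "-", name).lower()

def version_tuple(v):
    # Assumption: plain dotted integers, so (2,32,3) < (2,33,0) is a tuple compare.
    return tuple(int(p) for p in v.rstrip(".").split("."))

def check_requirements(text):
    """Return (package, pinned, floor) for every pin below the PR's floor version."""
    findings = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if not m:
            continue
        name, pinned = normalize(m.group(1)), m.group(2).rstrip(".")
        floor = MIN_VERSIONS.get(name)
        if floor and version_tuple(pinned) < version_tuple(floor):
            findings.append((name, pinned, floor))
    return findings

def is_deprecated(rel_path):
    p = "/" + Path(rel_path).as_posix()
    return any(f"/{d}/" in p for d in DEPRECATED_DIRS)

def scan_tree(root):
    """Map each non-deprecated requirements.txt (relative path) to its stale pins."""
    root = Path(root)
    report = {}
    for req in root.rglob("requirements.txt"):
        rel = req.relative_to(root)
        if is_deprecated(rel):
            continue
        findings = check_requirements(req.read_text())
        if findings:
            report[rel.as_posix()] = findings
    return report
```

`scan_tree(".")` run from the repository root returns an empty dict when every non-deprecated component meets the floors.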
@jeffbl jeffbl self-assigned this Mar 31, 2026