
chore: updates to dependencies for CVE fixes + zizmor fixes#73

Merged
jtroup merged 2 commits into main from elmo/security
Mar 20, 2026

Conversation


@jtroup jtroup commented Mar 7, 2026

what

  • Upgraded all dependencies via uv lock --upgrade to pull in
    CVE fixes
  • Removed requirements.txt and its generation hook from
    .pre-commit-config.yaml now that Dependabot parses uv.lock
    natively
  • Added zizmor to .pre-commit-config.yaml as a pre-commit hook
  • Fixed all zizmor findings in CI/release workflows:
    • Added persist-credentials: false to all actions/checkout
      steps (artipacked)
    • Added explicit permissions: contents: read at workflow and
      job level where missing (excessive-permissions)
    • Replaced ${{ github.ref_name }} inline in a run: block
      with an env variable to prevent template injection
      (template-injection)

why

CVE fixes in transitive dependencies. Dependabot now supports
uv.lock directly, making the generated requirements.txt
redundant. zizmor is added to pre-commit to catch GitHub Actions
security issues early. The workflow fixes address the security
findings zizmor surfaced.

testing

zizmor . reports no findings. Pre-commit hooks pass.

docs

No documentation changes required.


🤖 Generated with Claude Code
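The three workflow fixes listed above (artipacked, excessive-permissions, template-injection), shown as an added before/after example; this is not the repository's own workflow, and the workflow name, tag trigger and echo step are assumed for illustration:

```yaml
# BEFORE: the shape zizmor flags. Hypothetical release workflow, not the project's.
name: release
on:
  push:
    tags: ["v*"]
# no top-level `permissions:` block, so the default GITHUB_TOKEN scope applies
# (excessive-permissions)
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        # default persist-credentials: true keeps the token in .git/config,
        # where later steps and uploaded artifacts can read it (artipacked)
      - run: echo "Releasing ${{ github.ref_name }}"
        # ${{ }} is expanded into the script text before the shell parses it,
        # so a ref name containing shell metacharacters becomes shell syntax
        # (template-injection)

---
# AFTER: the same workflow with the fixes described in this PR.
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read             # workflow-level least privilege
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read         # explicit at job level too
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # GITHUB_TOKEN is not written to .git/config
      - name: Announce release
        env:
          REF_NAME: ${{ github.ref_name }}   # expanded into an env var, never into script text
        run: echo "Releasing $REF_NAME"      # the shell sees a quoted variable, not template output
```

Running `zizmor` (or the pre-commit hook the PR adds) against the second document reports none of the three findings, while the first document triggers all of them.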

@jtroup jtroup requested a review from a team as a code owner March 7, 2026 17:51

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.


@tvansteenburgh tvansteenburgh left a comment


Thanks @jtroup

Co-authored-by: Tim Van Steenburgh <tvansteenburgh@gmail.com>
@jtroup jtroup requested a review from a team March 17, 2026 19:24
@jtroup jtroup merged commit 11eed05 into main Mar 20, 2026
10 checks passed
@jtroup jtroup deleted the elmo/security branch March 20, 2026 00:06