Signed-off-by: Ed Snible <snible@us.ibm.com>
rubambiza
left a comment
Good security housekeeping — the CVE annotations on each pin are excellent practice. CI is green. A few minor nits:
- Double "CVE" typo — several comments read `CVE CVE-2026-24486` instead of `CVE-2026-24486`. Appears in file_organizer, generic_agent, cloud_storage_tool, slack_tool, weather_tool, and reservation_tool pyproject.toml files.
- Inconsistent Docker tag in Makefile — `test-a2a` tags images with `$${f}` (e.g., `a2a/weather_service` with a slash), while `test-mcp` uses `$${f##*/}` (just the directory name). The a2a variant may produce unexpected tag names.
- Makefile comment typo — "MCP exampleDocker" is missing a space.
- reservation_tool CVE pins in dev deps — `mcp/reservation_tool/pyproject.toml` adds authlib, urllib3, and python-multipart under `[dependency-groups] dev` rather than `[project] dependencies`. Since these address runtime CVEs, they should probably be in runtime deps.

None of these block the merge.
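The Docker tag nit above, as an added illustration that is not the PR's Makefile: it derives a tag from an example directory path the two ways the reviewer describes (`${f}` versus `${f##*/}`) and checks each against Docker's tag grammar (`[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}`). It assumes the expansion is used as the tag portion of the image reference; the directory names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the PR. Shows why a tag derived from the full
# relative path (slash included) is rejected by Docker's tag grammar,
# while the basename form is accepted. Paths below are constructed.

# test-a2a style: the full relative path, slash and all.
tag_full_path() {
    f="$1"
    printf '%s\n' "${f}"
}

# test-mcp style: strip everything up to and including the last slash.
tag_basename() {
    f="$1"
    printf '%s\n' "${f##*/}"
}

# Return 0 when the candidate is a valid Docker tag (the part after ':'):
# first character alphanumeric or underscore, then up to 127 of [A-Za-z0-9_.-].
is_valid_tag() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
}

# Walk two example service directories and report both derivations.
for f in a2a/weather_service mcp/reservation_tool; do
    full=$(tag_full_path "$f")
    base=$(tag_basename "$f")
    if is_valid_tag "$full"; then full_ok=valid; else full_ok=INVALID; fi
    if is_valid_tag "$base"; then base_ok=valid; else base_ok=INVALID; fi
    printf '%-24s full=%s (%s)  basename=%s (%s)\n' \
        "$f" "$full" "$full_ok" "$base" "$base_ok"
done
```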
Summary

Upgrade library versions to avoid recent CVEs.

Introduce new make targets to rebuild `uv.lock` files and to test all Docker builds.

(Optional) Testing Instructions

`make test` will verify that all of the uv.lock files are in sync. After merging, we will see a new Dependabot status, which should indicate no critical and (probably) no high severity CVEs.