Fix 14 Dependabot security alerts by updating dependency pins#196

Open
MrTango wants to merge 3 commits into master from secfixes

Conversation


@MrTango MrTango commented Mar 25, 2026

Bump constraint-dependencies to patched versions:

  • Jinja2 3.1.5 -> 3.1.6 (CVE-2025-27516, sandbox breakout)
  • lxml-html-clean 0.4.3 -> 0.4.4 (CVE-2026-28348, CVE-2026-28350)
  • multipart 1.2.1 -> 1.2.2 (CVE-2026-28356, ReDoS)
  • Pillow 11.3.0 -> 12.1.1 (CVE-2026-25990, out-of-bounds write)
  • PyJWT 2.10.1 -> 2.12.0 (CVE-2026-32597, unknown crit header)
  • requests 2.32.3 -> 2.33.0 (CVE-2024-47081, CVE-2026-25645)
  • urllib3 2.3.0 -> 2.6.3 (5 CVEs including decompression bombs)
  • protobuf 6.32.1 -> 6.33.5 (CVE-2026-0994, JSON recursion bypass)
  • robotframework-browser 19.10.1 -> 19.12.7 (chain fix for protobuf)
  • robotframework-assertion-engine 3.0.3 -> 4.0.0 (chain fix)
  • wrapt 1.17.3 -> 2.1.2 (chain fix)

Remaining open: CVE-2026-4539 (Pygments ReDoS) - no upstream patch yet.
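An added check, not part of this PR or the project, that reads a pip constraints file and reports any pin still below the patched versions named in the list above. The constraints text is constructed for the example, and the comparison assumes plain numeric release versions (no pre-release or local suffixes).

```python
import re

# Minimum patched versions, taken from the dependency list in this PR.
MIN_PATCHED = {
    "jinja2": "3.1.6",
    "lxml-html-clean": "0.4.4",
    "multipart": "1.2.2",
    "pillow": "12.1.1",
    "pyjwt": "2.12.0",
    "requests": "2.33.0",
    "urllib3": "2.6.3",
    "protobuf": "6.33.5",
}

def normalize(name: str) -> str:
    # PEP 503 name normalisation: case-insensitive, runs of -_. collapse to "-"
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(v: str) -> tuple:
    # Numeric release segments only; sufficient for the pins discussed here
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_constraints(text: str) -> dict:
    # Collect "name==version" pins, ignoring comments and non-pin lines
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)", line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins

def find_stale_pins(text: str) -> dict:
    """Return {package: (pinned, minimum)} for every pin below its patched version."""
    stale = {}
    pins = parse_constraints(text)
    for pkg, minimum in MIN_PATCHED.items():
        pinned = pins.get(pkg)
        if pinned is not None and parse_version(pinned) < parse_version(minimum):
            stale[pkg] = (pinned, minimum)
    return stale

# Constructed sample: three pre-PR pins plus one package already at the patched version.
SAMPLE = """Jinja2==3.1.5
Pillow==12.1.1  # already patched
urllib3==2.3.0
PyJWT==2.10.1
"""
```

Running `find_stale_pins(open("constraints.txt").read())` against a real constraints file lists exactly the packages that still need the bumps described in this PR.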

MrTango added 3 commits March 25, 2026 23:44
Bump constraint-dependencies to patched versions:
- Jinja2 3.1.5 -> 3.1.6 (CVE-2025-27516, sandbox breakout)
- lxml-html-clean 0.4.3 -> 0.4.4 (CVE-2026-28348, CVE-2026-28350)
- multipart 1.2.1 -> 1.2.2 (CVE-2026-28356, ReDoS)
- Pillow 11.3.0 -> 12.1.1 (CVE-2026-25990, out-of-bounds write)
- PyJWT 2.10.1 -> 2.12.0 (CVE-2026-32597, unknown crit header)
- requests 2.32.3 -> 2.33.0 (CVE-2024-47081, CVE-2026-25645)
- urllib3 2.3.0 -> 2.6.3 (5 CVEs including decompression bombs)
- protobuf 6.32.1 -> 6.33.5 (CVE-2026-0994, JSON recursion bypass)
- robotframework-browser 19.10.1 -> 19.12.7 (chain fix for protobuf)
- robotframework-assertion-engine 3.0.3 -> 4.0.0 (chain fix)
- wrapt 1.17.3 -> 2.1.2 (chain fix)

Remaining open: CVE-2026-4539 (Pygments ReDoS) - no upstream patch yet.
- Add PRODUCTS_EASYNEWSLETTER_ACCEPTANCE_TESTING layer to testing.py
- Create tests/test_robot.py using robotsuite + layered() pattern
- Add robotsuite to dev dependencies in pyproject.toml
- Add robot CI job with headless Chrome browser support
- Fix import ordering in test_robot.py (stdlib before third-party/local)
- Exclude robot tests from regular test job; robot tests require Chrome
  and run exclusively in the dedicated robot CI job
- Fix Newsletter add test: fill required fields sender_email, sender_name,
  test_email that caused form validation to fail silently
- Fix subscriber robot test: navigate inside Newsletter container, use
  email field instead of non-existent title widget, create subscriber
  with correct type and container
- Fix issue robot test: navigate inside Newsletter container, use correct
  content type and URL instead of wrong ++add++Newsletter
- Update uv.lock to include robotsuite in dev dependencies