fix: Update urllib3 to address CVE-2025-66418 and CVE-2025-66471 #patch (#188)

* fix: Update urllib3 to >= 2.6.0 for CVE-2025-66418 and CVE-2025-66471

Addresses security vulnerabilities in urllib3 versions < 2.6.0.

Closes #186

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* add: Document branch naming convention in CLAUDE.md

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Sync homebrew formula with tap and update urllib3 to 2.6.3

- Updated homebrew/cortexapps-cli.rb to match current tap formula
- Updated urllib3 resource from 2.4.0 to 2.6.3 (addresses CVEs)
- Added documentation about homebrew dependency update limitations

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: jeff-schnitter

CLAUDE.md

@@ -133,6 +133,12 @@ Follow the conventions in `STYLE.md`:
 
 ## Build & Release Process
 
+### Branch Naming Convention
+Use the GitHub-recommended format: `<issue-number>-<short-description>`
+- Example: `186-fix-urllib3-cve` for issue #186
+- Use lowercase kebab-case for the description
+- Keep the description concise (3-5 words)
+
 ### Release Workflow
 1. Create feature branch for changes
 2. Merge to `staging` branch for testing
@@ -146,6 +152,16 @@ Follow the conventions in `STYLE.md`:
    - Docker Hub (`cortexapp/cli:VERSION` and `cortexapp/cli:latest`)
    - Homebrew tap (`cortexapps/homebrew-tap`)
 
+### Homebrew Dependency Updates
+The `mislav/bump-homebrew-formula-action` only updates the main package URL and SHA256. It **cannot** update the `resource` blocks for Python dependencies (this is a documented limitation of the action).
+
+When updating Python dependency versions (e.g., urllib3, requests), the homebrew formula in `cortexapps/homebrew-tap` must be updated manually:
+1. Clone the `cortexapps/homebrew-tap` repository
+2. Update the resource blocks in `Formula/cortexapps-cli.rb` with new URLs and SHA256 hashes from PyPI
+3. Alternatively, use `brew update-python-resources cortexapps-cli` locally and copy the output
+
+**Important**: The `homebrew/cortexapps-cli.rb` file in this repository should be kept in sync with the tap formula for reference. Update it when making dependency changes.
+
 ### Commit Message Format
 Commits should be prefixed with:
 - `add`: New features

homebrew/cortexapps-cli.rb

@@ -2,40 +2,80 @@ class CortexappsCli < Formula
   include Language::Python::Virtualenv
   desc     "Command-line Interface for Cortexapps"
   homepage "https://github.com/cortexapps/cli"
-  url "https://files.pythonhosted.org/packages/9e/09/b639040aa375def127ee54e3d41c5159c67b9eff33418cfe852498e716e7/cortexapps_cli-0.1.0.tar.gz"
-  sha256  "d4fedbe9d258771ba4bc357e62ae0a8c3e62a8eb891c93d247b6791feea6e12a"
+  url "https://pypi.io/packages/source/c/cortexapps_cli/cortexapps_cli-1.7.0.tar.gz"
+  sha256  "a0f464cfbd0c870587c50cdfdd992f76ba128b8d0eb0bec66900a9d1c7be1942"
   license "MIT"
 
   depends_on "python@3.11"
 
   resource "certifi" do
-    url "https://files.pythonhosted.org/packages/98/98/c2ff18671db109c9f10ed27f5ef610ae05b73bd876664139cf95bd1429aa/certifi-2023.7.22.tar.gz"
-    sha256 "539cc1d13202e33ca466e88b2807e29f4c13049d6d87031a3c110744495cb082"
+    url "https://files.pythonhosted.org/packages/73/f7/f14b46d4bcd21092d7d3ccef689615220d8a08fb25e564b65d20738e672e/certifi-2025.6.15.tar.gz"
+    sha256 "d747aa5a8b9bbbb1bb8c22bb13e22bd1f18e9796defa16bab421f7f7a317323b"
   end
 
   resource "charset-normalizer" do
-    url "https://files.pythonhosted.org/packages/63/09/c1bc53dab74b1816a00d8d030de5bf98f724c52c1635e07681d312f20be8/charset-normalizer-3.3.2.tar.gz"
-    sha256 "f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5"
+    url "https://files.pythonhosted.org/packages/e4/33/89c2ced2b67d1c2a61c19c6751aa8902d46ce3dacb23600a283619f5a12d/charset_normalizer-3.4.2.tar.gz"
+    sha256 "5baececa9ecba31eff645232d59845c07aa030f0c81ee70184a90d35099a0e63"
+  end
+
+  resource "click" do
+    url "https://files.pythonhosted.org/packages/b9/2e/0090cbf739cee7d23781ad4b89a9894a41538e4fcf4c31dcdd705b78eb8b/click-8.1.8.tar.gz"
+    sha256 "ed53c9d8990d83c2a27deae68e4ee337473f6330c040a31d4225c9574d16096a"
   end
 
   resource "idna" do
-    url "https://files.pythonhosted.org/packages/8b/e1/43beb3d38dba6cb420cefa297822eac205a277ab43e5ba5d5c46faf96438/idna-3.4.tar.gz"
-    sha256 "814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4"
+    url "https://files.pythonhosted.org/packages/f1/70/7703c29685631f5a7590aa73f1f1d3fa9a380e654b86af429e0934a32f7d/idna-3.10.tar.gz"
+    sha256 "12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9"
+  end
+
+  resource "markdown-it-py" do
+    url "https://files.pythonhosted.org/packages/38/71/3b932df36c1a044d397a1f92d1cf91ee0a503d91e470cbd670aa66b07ed0/markdown-it-py-3.0.0.tar.gz"
+    sha256 "e3f60a94fa066dc52ec76661e37c851cb232d92f9886b15cb560aaada2df8feb"
+  end
+
+  resource "mdurl" do
+    url "https://files.pythonhosted.org/packages/d6/54/cfe61301667036ec958cb99bd3efefba235e65cdeb9c84d24a8293ba1d90/mdurl-0.1.2.tar.gz"
+    sha256 "bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba"
+  end
+
+  resource "pygments" do
+    url "https://files.pythonhosted.org/packages/7c/2d/c3338d48ea6cc0feb8446d8e6937e1408088a72a39937982cc6111d17f84/pygments-2.19.1.tar.gz"
+    sha256 "61c16d2a8576dc0649d9f39e089b5f02bcd27fba10d8fb4dcc28173f7a45151f"
   end
 
   resource "pyyaml" do
-    url "https://files.pythonhosted.org/packages/cd/e5/af35f7ea75cf72f2cd079c95ee16797de7cd71f29ea7c68ae5ce7be1eda0/PyYAML-6.0.1.tar.gz"
-    sha256 "bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43"
+    url "https://files.pythonhosted.org/packages/54/ed/79a089b6be93607fa5cdaedf301d7dfb23af5f25c398d5ead2525b063e17/pyyaml-6.0.2.tar.gz"
+    sha256 "d584d9ec91ad65861cc08d42e834324ef890a082e591037abe114850ff7bbc3e"
   end
 
   resource "requests" do
-    url "https://files.pythonhosted.org/packages/9d/be/10918a2eac4ae9f02f6cfe6414b7a155ccd8f7f9d4380d62fd5b955065c3/requests-2.31.0.tar.gz"
-    sha256 "942c5a758f98d790eaed1a29cb6eefc7ffb0d1cf7af05c3d2791656dbd6ad1e1"
+    url "https://files.pythonhosted.org/packages/e1/0a/929373653770d8a0d7ea76c37de6e41f11eb07559b103b1c02cafb3f7cf8/requests-2.32.4.tar.gz"
+    sha256 "27d0316682c8a29834d3264820024b62a36942083d52caf2f14c0591336d3422"
+  end
+
+  resource "rich" do
+    url "https://files.pythonhosted.org/packages/a1/53/830aa4c3066a8ab0ae9a9955976fb770fe9c6102117c8ec4ab3ea62d89e8/rich-14.0.0.tar.gz"
+    sha256 "82f1bc23a6a21ebca4ae0c45af9bdbc492ed20231dcb63f297d6d1021a9d5725"
+  end
+
+  resource "shellingham" do
+    url "https://files.pythonhosted.org/packages/58/15/8b3609fd3830ef7b27b655beb4b4e9c62313a4e8da8c676e142cc210d58e/shellingham-1.5.4.tar.gz"
+    sha256 "8dbca0739d487e5bd35ab3ca4b36e11c4078f3a234bfce294b0a0291363404de"
+  end
+
+  resource "typer" do
+    url "https://files.pythonhosted.org/packages/c5/58/a79003b91ac2c6890fc5d90145c662fd5771c6f11447f116b63300436bc9/typer-0.12.5.tar.gz"
+    sha256 "f592f089bedcc8ec1b974125d64851029c3b1af145f04aca64d69410f0c9b722"
+  end
+
+  resource "typing-extensions" do
+    url "https://files.pythonhosted.org/packages/d1/bc/51647cd02527e87d05cb083ccc402f93e441606ff1f01739a62c8ad09ba5/typing_extensions-4.14.0.tar.gz"
+    sha256 "8676b788e32f02ab42d9e7c61324048ae4c6d844a399eebace3d4979d75ceef4"
   end
 
   resource "urllib3" do
-    url "https://files.pythonhosted.org/packages/af/47/b215df9f71b4fdba1025fc05a77db2ad243fa0926755a52c5e71659f4e3c/urllib3-2.0.7.tar.gz"
-    sha256 "c97dfde1f7bd43a71c8d2a58e369e9b2bf692d1334ea9f9cae55add7d0dd0f84"
+    url "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz"
+    sha256 "1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed"
   end
 
   def install
@@ -44,14 +84,24 @@ def install
 
   def caveats
     <<~EOS
-      Add the following line to your ~/.bash_profile
-      export PATH="#{bin}:$PATH"
+      To make the CLI available in your SYSTEM path, run this command to add the path to your shell's profile.
+
+      Not sure what shell you are using?  Run this command:
+      echo $SHELL
+
+      Bash:
+      export PATH="#{bin}:$PATH" >> ~/.bash_profile
+
+      zsh:
+      export PATH="#{bin}:$PATH" >> ~/.zprofile
 
       Restart your terminal for the settings to take effect.
+
+      Run 'cortex version' to verify.
     EOS
   end
 
   test do
-    assert_match "Cortex CLI #{version}", shell_output("#{bin}/cortex -v")
+    assert_match "#{version}", shell_output("#{bin}/cortex version")
   end
 end

poetry.lock

@@ -19,7 +19,7 @@ classifiers = [
 python = "^3.11"
 requests = "^2.32.4"
 pyyaml = ">= 6.0.1, < 7"
-urllib3 = ">= 2.2.2"
+urllib3 = ">= 2.6.0"
 typer = "^0.12.5"
 click = "<8.2"