From d3140961d12fab5f22acdc0e5b2c2c469bcc3c1b Mon Sep 17 00:00:00 2001
From: sbussiso
Date: Thu, 16 Apr 2026 20:15:28 -0700
Subject: [PATCH] fix(deps): patch Dependabot alerts for authlib and @clerk/shared

- backend: pin authlib>=1.6.11 to resolve GHSA-jj8c-mmj3-mmgv (CSRF in authlib.integrations.*_client.OAuth with cache). Transitive via fastmcp; not reached by our code but patched for defense in depth.
- frontend: override @clerk/shared to ^3.47.4 to resolve GHSA-vqx2-fgx2-5wq9 (createRouteMatcher bypass). Transitive via @clerk/clerk-react; only affects @clerk/nextjs/nuxt/astro middleware, not our Vite SPA, but patched since it is critical.

Co-Authored-By: Claude Opus 4.7
---
 backend/pyproject.toml | 4 ++++
 backend/uv.lock | 8 +++++---
 frontend/package-lock.json | 6 +++---
 frontend/package.json | 3 +++
 4 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/backend/pyproject.toml b/backend/pyproject.toml
index 3f9e6f0..81fd3ef 100644
--- a/backend/pyproject.toml
+++ b/backend/pyproject.toml
@@ -17,6 +17,10 @@ dependencies = [
 "httpx>=0.27.0",
 "svix>=1.89.0",
 "clerk-backend-api>=5.0.6",
+ # Pinned >=1.6.11 for GHSA-jj8c-mmj3-mmgv — CSRF in
+ # authlib.integrations.*_client.OAuth when cache is used.
+ # Transitive via fastmcp; not reached directly by our code.
+ "authlib>=1.6.11",
 "slowapi>=0.1.9",
 "redis>=5.0.0",
 "websockets>=12.0",
diff --git a/backend/uv.lock b/backend/uv.lock
index 4a2a7ea..1139281 100644
--- a/backend/uv.lock
+++ b/backend/uv.lock
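Review bot: The new `"authlib>=1.6.11"` entry turns a package this code never imports into a declared direct dependency, so it will linger in `dependencies` after fastmcp drops or replaces authlib, and `>=` is a floor rather than the "pin" the comment calls it. uv can apply the floor without claiming the dependency: move it to `[tool.uv]` as `constraint-dependencies = ["authlib>=1.6.11"]`, which only constrains resolution when something else pulls authlib in. If it stays in `dependencies`, reword the first comment line to `# Floor (not a pin): >=1.6.11 for GHSA-jj8c-mmj3-mmgv — CSRF in` and add `# TODO: drop once fastmcp itself requires authlib>=1.6.11` so the entry has an exit condition. The `dependencies` list opens and closes outside this hunk.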
@@ -56,14 +56,14 @@ wheels = [
 
 [[package]]
 name = "authlib"
-version = "1.6.9"
+version = "1.6.11"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
 { name = "cryptography" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/af/98/00d3dd826d46959ad8e32af2dbb2398868fd9fd0683c26e56d0789bd0e68/authlib-1.6.9.tar.gz", hash = "sha256:d8f2421e7e5980cc1ddb4e32d3f5fa659cfaf60d8eaf3281ebed192e4ab74f04", size = 165134, upload-time = "2026-03-02T07:44:01.998Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/28/10/b325d58ffe86815b399334a101e63bc6fa4e1953921cb23703b48a0a0220/authlib-1.6.11.tar.gz", hash = "sha256:64db35b9b01aeccb4715a6c9a6613a06f2bd7be2ab9d2eb89edd1dfc7580a38f", size = 165359, upload-time = "2026-04-16T07:22:50.279Z" }
 wheels = [
- { url = "https://files.pythonhosted.org/packages/53/23/b65f568ed0c22f1efacb744d2db1a33c8068f384b8c9b482b52ebdbc3ef6/authlib-1.6.9-py2.py3-none-any.whl", hash = "sha256:f08b4c14e08f0861dc18a32357b33fbcfd2ea86cfe3fe149484b4d764c4a0ac3", size = 244197, upload-time = "2026-03-02T07:44:00.307Z" },
+ { url = "https://files.pythonhosted.org/packages/57/2f/55fca558f925a51db046e5b929deb317ddb05afed74b22d89f4eca578980/authlib-1.6.11-py2.py3-none-any.whl", hash = "sha256:c8687a9a26451c51a34a06fa17bb97cb15bba46a6a626755e2d7f50da8bff3e3", size = 244469, upload-time = "2026-04-16T07:22:48.413Z" },
 ]
 
 [[package]]
@@ -698,6 +698,7 @@ name = "opensentry-backend"
 version = "2.1.0"
 source = { virtual = "." }
 dependencies = [
+ { name = "authlib" },
 { name = "clerk-backend-api" },
 { name = "fastapi" },
 { name = "fastmcp" },
@@ -724,6 +725,7 @@ dev = [
 
 [package.metadata]
 requires-dist = [
+ { name = "authlib", specifier = ">=1.6.11" },
 { name = "clerk-backend-api", specifier = ">=5.0.6" },
 { name = "fastapi", specifier = ">=0.135.2" },
 { name = "fastmcp", specifier = ">=3.0.0" },
diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index f87b9c0..9e0d867 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -285,9 +285,9 @@
 }
 },
 "node_modules/@clerk/shared": {
- "version": "3.47.3",
- "resolved": "https://registry.npmjs.org/@clerk/shared/-/shared-3.47.3.tgz",
- "integrity": "sha512-jG0wMIZuuc8zaKieg9Os8ocTphG+llluRukUUdyVnu4+ZI1syVf+dkpDP3ZK69yLavTX3D0KAmkmQqTPzQV/Nw==",
+ "version": "3.47.4",
+ "resolved": "https://registry.npmjs.org/@clerk/shared/-/shared-3.47.4.tgz",
+ "integrity": "sha512-0O5/zgB5SO26PKarAIw7uj4j+4JsnT2/uiJ7SPI3LQMb62sM+AjDlVadcXuYc+4sY6w1szrAIVepI5Bkv57hnQ==",
 "hasInstallScript": true,
 "license": "MIT",
 "dependencies": {
diff --git a/frontend/package.json b/frontend/package.json
index 66cbe73..79a42cc 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -22,6 +22,9 @@
 "react-dom": "^19.2.4",
 "react-router-dom": "^7.13.2"
 },
+ "overrides": {
+ "@clerk/shared": "^3.47.4"
+ },
 "devDependencies": {
 "@eslint/js": "^9.39.4",
 "@types/react": "^19.2.14",
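Review bot: The new `overrides` entry forces `@clerk/shared` to `^3.47.4` for every consumer with no exit condition, so if `@clerk/clerk-react` later declares a 4.x `@clerk/shared` the override will keep resolving 3.x and the two packages can drift out of sync without an install error. Because `package.json` cannot hold comments, record the removal condition in a top-level `"//"` key that npm ignores, e.g. `"//": "overrides: drop @clerk/shared once @clerk/clerk-react itself requires >=3.47.4 (GHSA-vqx2-fgx2-5wq9)"`, and re-check `npm ls @clerk/shared` after the next Clerk upgrade. The commit message already states the advisory does not reach this Vite SPA, which is a further reason the override should be short-lived.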