fix(deps): resolve all 18 dependabot vulnerabilities

dviejokfs · dviejokfs · commit 9584d63f9a4e · 2026-04-05T08:30:05.000+02:00
aiohttp (10 alerts — pip):
- Bump minimum from &gt;=3.11 to &gt;=3.13.5 in sdks/python/pyproject.toml
- Resolves: duplicate Host headers, null bytes in headers, response
  splitting, cookie leaks, memory DoS, multipart bypass, CRLF injection,
  unbounded DNS cache, unlimited trailer headers, SSRF on Windows

Next.js (5 alerts — npm):
- simple-nextjs fixture: 14.1.0 → 15.3.3 (+ React 19)
- demo app: ^15.3.0 → ^15.3.3
- basic example: 16.1.5 → 16.2.2
- preset fixture: 16.2.1 → 16.2.2
- Resolves: disk cache growth, request smuggling, postponed buffering
  DoS, null origin CSRF bypass (dev + Server Actions)

astral-tokio-tar (1 alert — rust):
- testcontainers 0.27.1 → 0.27.2 (astral-tokio-tar 0.5.6 → 0.6.0)
- Resolves: insufficient PAX extension validation during extraction
- Dev-dependency only, zero production impact
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -271,7 +271,7 @@ woothee = "0.13.0"
 # Using git version for security fixes:
 # - Uses astral-tokio-tar instead of vulnerable tokio-tar (RUSTSEC-2025-0111)
 # - Compatible with bollard 0.19.x
-testcontainers =  "0.27.1"
+testcontainers =  "0.27.2"
 
 
 [profile.release]
@@ -309,10 +309,7 @@ opt-level = 2      # Optimize dependencies
 #    - Fix: Requires russh to upgrade libcrux dependencies
 #    - Status: Dev-dependency only, zero production impact
 #
-# 4. GHSA-xxx: astral-tokio-tar 0.5.6 (HIGH severity, dev-dependency only)
-#    - Path: testcontainers → astral-tokio-tar 0.5.6
-#    - Fix: No upstream fix available
-#    - Status: Dev-dependency only (testcontainers), zero production impact
+# 4. astral-tokio-tar: RESOLVED by upgrading testcontainers 0.27.1 → 0.27.2
 #
 # Previously resolved:
 # - atty 0.2.14: RESOLVED in Pingora 0.7.0 (upgraded to clap 4.5)
diff --git a/crates/temps-deployments/tests/fixtures/simple-nextjs/package.json b/crates/temps-deployments/tests/fixtures/simple-nextjs/package.json
@@ -9,9 +9,9 @@
     "lint": "next lint"
   },
   "dependencies": {
-    "next": "14.1.0",
-    "react": "^18.2.0",
-    "react-dom": "^18.2.0"
+    "next": "15.3.3",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0"
   },
   "engines": {
     "node": ">=18.0.0"
diff --git a/crates/temps-presets/tests/fixtures/nextjs-hello-world/package.json b/crates/temps-presets/tests/fixtures/nextjs-hello-world/package.json
@@ -8,7 +8,7 @@
     "start": "next start"
   },
   "dependencies": {
-    "next": "16.2.1",
+    "next": "16.2.2",
     "react": "19.2.4",
     "react-dom": "19.2.4"
   },
diff --git a/examples/nextjs/basic/package.json b/examples/nextjs/basic/package.json
@@ -11,7 +11,7 @@
   "dependencies": {
     "react": "19.2.3",
     "react-dom": "19.2.3",
-    "next": "16.1.5"
+    "next": "16.2.2"
   },
   "devDependencies": {
     "babel-plugin-react-compiler": "1.0.0",
diff --git a/sdks/python/pyproject.toml b/sdks/python/pyproject.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
 description = "Python SDK for building Temps external plugins"
 requires-python = ">=3.12"
 dependencies = [
-    "aiohttp>=3.11",
+    "aiohttp>=3.13.5",
 ]
 
 [tool.uv]
diff --git a/sdks/python/uv.lock b/sdks/python/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ version = "0.1.0"`
`4`	`4`	`description = "Python SDK for building Temps external plugins"`
`5`	`5`	`requires-python = ">=3.12"`
`6`	`6`	`dependencies = [`
`7`		`- "aiohttp>=3.11",`
	`7`	`+ "aiohttp>=3.13.5",`
`8`	`8`	`]`
`9`	`9`
`10`	`10`	`[tool.uv]`