fix(ci): clear OSV-flagged uv.lock CVEs; rely on native Renovate lockFileMaintenance#1033
Open
JacobPEvans-personal wants to merge 1 commit into
Code Review
This pull request introduces a new bash script, .github/scripts/uv-lock-upgrade.sh, designed to upgrade uv lockfiles to their latest allowed versions to clear transitive PyPI vulnerabilities. Consequently, mlx-server/uv.lock has been updated with several package upgrades. Additionally, Renovate's lockfile maintenance has been disabled for the pep621 manager in renovate.json5 to avoid conflicts with the new upgrade workflow. Feedback on the script suggests improving its robustness and local usability by adding a defensive directory check and conditionally printing GitHub Actions group logs only when running in a CI environment.
…FileMaintenance

orchestrator/uv.lock carried fixable transitive CVEs the required OSV gate flagged on every PR: langgraph-checkpoint 4.1.0->4.1.1 (GHSA-fjqc-hq36-qh5p), langgraph-sdk 0.3.14->0.4.2 (GHSA-w39p-vh2g-g8g5). `uv lock --upgrade` clears them; mlx stays pinned to 0.31.1 (#751) and the litellm/langsmith floors hold. Local osv-scanner: No issues found.

Ongoing maintenance is NATIVE — no custom script/workflow. Renovate's pep621 manager already runs `uv lock --upgrade` for lockFileMaintenance (UvProcessor.updateArtifacts when isLockFileMaintenance), i.e. it refreshes uv.lock transitive deps on schedule. Those grouped uv LFM PRs ran historically (#842) but stopped merging because they failed the old global OSV gate; the differential gate (dryvist/.github#51) unblocks them. The earlier custom uv-lock-upgrade.sh + uv-lock-upgrade.yml + renovate.json5 disable are dropped as redundant reimplementations of that native behavior.

osv-scheduled.yml: weekly full OSV scan of main — the safety net for the now-differential PR gate, surfacing accumulated/no-fix debt that PR-diff scans skip (same thin reusable-caller pattern as docs/osv-scan.yml).

Assisted-by: Claude:claude-opus-4-8[1m]
Claude-Session: https://claude.ai/code/session_01CYau7MWswJikoctB9MUgcZ
Why these PRs always failed CI

The required OSV Scan gate (`ci-gate.yml` → `osv-scan`, `if: always()`, not in Merge Gate `allowed-skips`) scans the whole repo on every PR and failed on two fixable transitive vulns in `orchestrator/uv.lock`: `langgraph-checkpoint`, `langgraph-sdk`. A `lock file maintenance` PR only touches `flake.lock`, so it could never clear `uv.lock` debt → every PR was red.

The simple, native fix

`uv lock --upgrade` clears the transitive CVEs (mlx stays pinned to 0.31.1 per #751; litellm/langsmith floors hold). Local `osv-scanner` → No issues found.

Ongoing maintenance is native — no custom script or workflow. Renovate's `pep621` manager already runs `uv lock --upgrade` for `lockFileMaintenance` (`UvProcessor.updateArtifacts` when `isLockFileMaintenance`), i.e. it refreshes `uv.lock` transitive deps on the existing Mon/Thu schedule with automerge. Those grouped uv-LFM PRs ran historically (e.g. #842) but stopped merging because they failed the old global OSV gate — the differential gate in dryvist/.github#51 unblocks them.

What's in this PR

`orchestrator/uv.lock` + `mlx-server/uv.lock` — `uv lock --upgrade` (immediate remediation).

`.github/workflows/osv-scheduled.yml` — weekly full OSV scan of `main`. This is the safety net for the now-differential PR gate (test: Add Nix module composition validation tests #51): PR-diff scans skip pre-existing debt, so a scheduled full scan is what surfaces anything that accumulates on `main`. Thin reusable-workflow caller, same pattern as `docs/osv-scan.yml`.

Validation

`osv-scanner --config=osv-scanner.toml` on both lockfiles → No issues found (only the documented no-fix torch/nltk `ignoreUntil` entries filtered). `actionlint` on `osv-scheduled.yml` → clean. Pre-commit (zizmor, yaml) → passed. `pip-audit` (Python Security gate) runs authoritatively on Linux CI (can't run locally — macOS `ensurepip` SIGABRT in its resolver venv).

Companion

dryvist/.github#51 makes the shared `_osv-scan.yml` PR gate differential (fail only on vulns a PR introduces) while keeping full-scan on push/schedule. That is what lets native Renovate uv-LFM PRs (and any unrelated PR) merge again.
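An added illustration of the two gate modes described above, written for this page and not taken from dryvist/.github's `_osv-scan.yml` or this PR's workflows: the differential PR gate diffs findings against the base branch, while the scheduled full scan reports everything. The JSON shape imitates `osv-scanner --format json` from memory (an assumption), and all advisory ids other than the two named in the PR are constructed placeholders.

```python
def _scan(path, packages):
    """Build a minimal osv-scanner --format json document (shape assumed from memory)."""
    return {"results": [{
        "source": {"path": path, "type": "lockfile"},
        "packages": [
            {"package": {"name": name, "version": version, "ecosystem": "PyPI"},
             "vulnerabilities": [{"id": vid} for vid in ids]}
            for name, version, ids in packages
        ],
    }]}

LOCK = "orchestrator/uv.lock"
# Constructed base-branch scan: the two fixable CVEs named in the PR, plus a
# no-fix finding (placeholder id) of the kind osv-scanner.toml's ignoreUntil filters.
BASE_SCAN = _scan(LOCK, [
    ("langgraph-checkpoint", "4.1.0", ["GHSA-fjqc-hq36-qh5p"]),
    ("langgraph-sdk", "0.3.14", ["GHSA-w39p-vh2g-g8g5"]),
    ("torch", "0.0.0-placeholder", ["GHSA-placeholder-nofix"]),
])
# Constructed flake.lock-only LFM PR: inherits the debt, touches nothing in uv.lock.
UNRELATED_HEAD = BASE_SCAN
# Constructed PR that pulls in a new vulnerable dependency (placeholder id).
BAD_HEAD = _scan(LOCK, [
    ("langgraph-checkpoint", "4.1.0", ["GHSA-fjqc-hq36-qh5p"]),
    ("langgraph-sdk", "0.3.14", ["GHSA-w39p-vh2g-g8g5"]),
    ("torch", "0.0.0-placeholder", ["GHSA-placeholder-nofix"]),
    ("new-dep", "1.0.0", ["GHSA-placeholder-new"]),
])
# Constructed head after `uv lock --upgrade` as in this PR: only no-fix debt remains.
FIXED_HEAD = _scan(LOCK, [("torch", "0.0.0-placeholder", ["GHSA-placeholder-nofix"])])

def findings(scan):
    """Set of (lockfile, ecosystem, package, vuln id). Version is deliberately
    omitted so a bump that does not close the advisory is not counted as new."""
    return {(r["source"]["path"], p["package"]["ecosystem"], p["package"]["name"], v["id"])
            for r in scan["results"]
            for p in r.get("packages", [])
            for v in p.get("vulnerabilities", [])}

def pr_gate(base_scan, head_scan):
    """Differential gate: fail only on findings the PR introduces relative to base."""
    return findings(head_scan) - findings(base_scan)

def full_gate(scan):
    """Push/scheduled full scan: everything present, including inherited debt."""
    return findings(scan)
```

The unrelated PR passes the differential gate while still carrying the langgraph debt, which is exactly what the weekly full scan of `main` is there to surface.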