Conversation
mrsabath
left a comment
Review Summary
Good CVE remediation PR bumping indirect dependency floors across 9 examples. Addresses CVE-2026-32871 (fastmcp), CVE-2026-34070 (langchain-core), CVE-2025-62727 (starlette), and CVE-2026-26007 (cryptography). Nice CVE comment annotations on each pin.
One issue: duplicate fastmcp entry in mcp/movie_tool/pyproject.toml.
Areas reviewed: Python (pyproject.toml dependency pins), lock files (spot-checked)
Commits: 2 commits, all signed-off ✓
CI status: All checks passing ✓
| "fastmcp>=2.11.0", | ||
| "requests>=2.32.3", | ||
| "authlib>=1.6.9", # Indirect; prevents CVE-2026-27962 | ||
| "fastmcp>=3.2.0", # Indirect; prevents CVE-2026-32871 |
must-fix: Duplicate fastmcp dependency — the existing "fastmcp>=2.11.0" on line 8 is still present, and this adds a second "fastmcp>=3.2.0" entry. uv resolves to the higher bound so it works, but having two entries for the same package is incorrect.
Please update the existing line 8 entry to >=3.2.0 (with the CVE comment) and remove this duplicate.
Fixed. Please re-review.
Signed-off-by: Ed Snible <snible@us.ibm.com>
Signed-off-by: Ed Snible <snible@us.ibm.com>
Signed-off-by: Ed Snible <snible@us.ibm.com>
pdettori
left a comment
Review Summary
The original duplicate fastmcp comment on mcp/movie_tool/pyproject.toml was correctly fixed (replaced the old entry). However, the same duplicate pattern was introduced in 6 other tools — each now has both the old fastmcp entry and a new fastmcp>=3.2.0 line.
uv resolves to the higher bound so everything works, but the old entries should be replaced (like movie_tool) rather than duplicated.
CI status: All 10 checks passing ✓
Commits: 3 commits, all signed-off ✓
| "authlib>=1.6.9", # Indirect; prevents CVE-2026-27962 | ||
| "urllib3>=2.6.3", # Indirect; prevents CVE-2025-66418 | ||
| "python-multipart>=0.0.22", # Indirect; prevents CVE-2026-24486 | ||
| "fastmcp>=3.2.0", # Indirect; prevents CVE-2026-32871 |
must-fix: This adds fastmcp>=3.2.0 but the existing unversioned fastmcp dependency is still present in the deps list (visible in the lock file's requires-dist showing both { name = "fastmcp" } and { name = "fastmcp", specifier = ">=3.2.0" }). Same fix as movie_tool — bump the existing entry instead of adding a duplicate.
| "playwright>=1.55.0", | ||
| "authlib>=1.6.9", # Indirect; prevents CVE-2026-27962 | ||
| "urllib3>=2.6.3", # Indirect; prevents CVE-2025-66418 | ||
| "fastmcp>=3.2.0", # Indirect; prevents CVE-2026-32871 |
must-fix: Duplicate fastmcp — the existing "fastmcp>=2.11.0" is still present (lock file shows both >=2.11.0 and >=3.2.0 in requires-dist). Replace the old entry with >=3.2.0, as was done for movie_tool.
| "requests>=2.0.0", | ||
| "authlib>=1.6.9", # Indirect; prevents CVE-2026-27962 | ||
| "urllib3>=2.6.3", # Indirect; prevents CVE-2025-66418 | ||
| "fastmcp>=3.2.0", # Indirect; prevents CVE-2026-32871 |
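Review bot: the "requests>=2.0.0" floor kept in this hunk is far looser than the "requests>=2.32.3" floor the first example in this PR carries, so the two tools can resolve to different requests releases even though the PR's purpose is raising dependency floors; consider aligning this entry with the other example's "requests>=2.32.3", and if there is a reason to keep 2.0.0 here, a short trailing comment in the style of the CVE annotations on the neighbouring lines would document it.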
must-fix: Same duplicate fastmcp issue — existing >=2.11.0 still present alongside the new >=3.2.0. Replace instead of adding.
| "urllib3>=2.6.3", # Indirect; prevents CVE-2025-66418 | ||
| "python-multipart>=0.0.22", # Indirect; prevents CVE-2026-24486 | ||
| "fastmcp>=3.2.0", # Indirect; prevents CVE-2026-32871 | ||
| ] |
must-fix: Same duplicate fastmcp — existing >=2.11.0 still present. Replace with >=3.2.0.
| "authlib>=1.6.9", # Indirect; prevents CVE-2026-27962 | ||
| "urllib3>=2.6.3", # Indirect; prevents CVE-2025-66418 | ||
| "python-multipart>=0.0.22", # Indirect; prevents CVE-2026-24486 | ||
| "fastmcp>=3.2.0", # Indirect; prevents CVE-2026-32871 |
must-fix: Duplicate fastmcp — existing >=2.12.1 still present alongside new >=3.2.0. Replace the old entry.
| "authlib>=1.6.9", # Indirect; prevents CVE-2026-27962 | ||
| "urllib3>=2.6.3", # Indirect; prevents CVE-2025-66418 | ||
| "python-multipart>=0.0.22", # Indirect; prevents CVE-2026-24486 | ||
| "fastmcp>=3.2.0", # Indirect; prevents CVE-2026-32871 |
must-fix: Duplicate fastmcp — existing >=2.11.0 still present alongside new >=3.2.0. Replace the old entry.
Thanks for looking at this @pdettori. I have fixed the problems; please re-review.
Signed-off-by: Ed Snible <snible@us.ibm.com>
Signed-off-by: Ed Snible <snible@us.ibm.com>
pdettori
left a comment
Review Summary
All previous review comments have been addressed. The duplicate fastmcp entries across all 7 flagged tools (cloud_storage_tool, flight_tool, image_tool, movie_tool, reservation_tool, slack_tool, weather_tool) have been cleaned up — each now has a single fastmcp>=3.2.0 entry with CVE annotation. Lock files updated correspondingly.
Areas reviewed: Python (pyproject.toml dependency pins), lock files
Commits: 5 commits, all signed-off ✓
CI status: All 10 checks passing ✓
Summary
This PR resolves some Critical CVEs reported by Dependabot for this repo.