chore(deps): bump the pip group across 2 directories with 1 update#35
Closed
dependabot[bot] wants to merge 1 commit into
Closed
Conversation
Bumps the pip group with 1 update in the /templates/skills/extended/documentation/notebooklm directory: [python-dotenv](https://github.com/theskumar/python-dotenv). Bumps the pip group with 1 update in the /templates/skills/knowledge/ai-agents/notebooklm-rag directory: [python-dotenv](https://github.com/theskumar/python-dotenv). Updates `python-dotenv` from 1.0.0 to 1.2.2 - [Release notes](https://github.com/theskumar/python-dotenv/releases) - [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md) - [Commits](theskumar/python-dotenv@v1.0.0...v1.2.2) Updates `python-dotenv` from 1.0.0 to 1.2.2 - [Release notes](https://github.com/theskumar/python-dotenv/releases) - [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md) - [Commits](theskumar/python-dotenv@v1.0.0...v1.2.2) --- updated-dependencies: - dependency-name: python-dotenv dependency-version: 1.2.2 dependency-type: direct:production dependency-group: pip - dependency-name: python-dotenv dependency-version: 1.2.2 dependency-type: direct:production dependency-group: pip ... Signed-off-by: dependabot[bot] <support@github.com>
Contributor
Author
|
Superseded by #36. |
revagomes
pushed a commit
to revagomes/agi-agent-kit
that referenced
this pull request
May 3, 2026
…dev#20) Fixes all 23 open CodeQL alerts on techwavedev/agi-agent-kit: Framework code (real risk): - techwavedev#36 py/command-line-injection: execution/fastapi_tool_bridge.py — replaced subprocess.run(cmd, shell=True, ...) with a strict allowlist + argv-list invocation (shell=False). Unknown commands are now rejected. Template boilerplate (shipped to user projects): - techwavedev#35 py/reflective-xss & techwavedev#17 js/reflected-xss (whatsapp-cloud-api webhook): echo the Meta verification challenge with explicit text/plain content-type so the reflected value cannot be interpreted as HTML/JS. - techwavedev#33 py/flask-debug: Flask debug mode is now opt-in via FLASK_DEBUG env var (default off) — the Werkzeug interactive debugger must never be exposed. - techwavedev#34 py/insecure-protocol (claude-monitor/api_bench.py): TLS context now enforces minimum_version = TLSv1.2, so benchmarks cannot negotiate SSLv3 or TLS 1.0/1.1. - techwavedev#16 js/incomplete-sanitization (ui-ux-pro-max template.ts): YAML frontmatter escaping now escapes backslashes BEFORE quotes, fixing the bypass. - techwavedev#15 js/shell-command-injection-from-environment (ui-ux-pro-max extract.ts): shell-based copy fallback replaced with execFile + argv array (no shell). - techwavedev#9 js/functionality-from-untrusted-source (algorithmic-art viewer.html): p5.js CDN include pinned with Subresource Integrity (sha384) and crossorigin="anonymous". - techwavedev#18–techwavedev#32 py/clear-text-{logging,storage}-sensitive-data (14 alerts across 007, whatsapp-cloud-api, instagram skill templates): refactored so bearer tokens are never bound to named locals that reach print(); added regex _redact() scrubbers at every print/write sink; masked phone numbers as PII before logging; removed full-response dumps that echoed the Authorization header back on error. Dependabot hardening (per operator request): - .github/dependabot.yml now also covers the nested ui-ux-pro-max/cli package and Docker images, splits production vs dev npm groups, and labels every PR with "security". Weekly cadence retained for pip and github-actions. CVE-triggered security updates remain always-on. All fixes are template-safe and preserve existing CLI behaviour — template scripts still emit readable diagnostic output, just without the credential flow paths CodeQL was tracking. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the pip group with 1 update in the /templates/skills/extended/documentation/notebooklm directory: python-dotenv.
Bumps the pip group with 1 update in the /templates/skills/knowledge/ai-agents/notebooklm-rag directory: python-dotenv.
Updates
python-dotenvfrom 1.0.0 to 1.2.2Release notes
Sourced from python-dotenv's releases.
... (truncated)
Changelog
Sourced from python-dotenv's changelog.
... (truncated)
Commits
36004e0Bump version: 1.2.1 → 1.2.2eb20252docs: update changelog for v1.2.2790c5c0Merge commit from fork43340daRemove the use ofshin tests (#612)09d7ceedocs: clarify override behavior and document FIFO support (#610)c8de288ci: improve workflow efficiency with best practices (#609)7bd9e3dAdd Windows testing to CI (#604)1baaf04Drop Python 3.9 support and update to PyPy 3.11 (#608)4a22cf8ci: enable testing on Python 3.14t (free-threaded) (#588)e2e8e77Fix license specifier (#597)Updates
python-dotenvfrom 1.0.0 to 1.2.2Release notes
Sourced from python-dotenv's releases.
... (truncated)
Changelog
Sourced from python-dotenv's changelog.
... (truncated)
Commits
36004e0Bump version: 1.2.1 → 1.2.2eb20252docs: update changelog for v1.2.2790c5c0Merge commit from fork43340daRemove the use ofshin tests (#612)09d7ceedocs: clarify override behavior and document FIFO support (#610)c8de288ci: improve workflow efficiency with best practices (#609)7bd9e3dAdd Windows testing to CI (#604)1baaf04Drop Python 3.9 support and update to PyPy 3.11 (#608)4a22cf8ci: enable testing on Python 3.14t (free-threaded) (#588)e2e8e77Fix license specifier (#597)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.