Goal
The new pip-audit CI gate (added in the damage-control hardening PR) immediately surfaced 70 known CVEs across 13 packages. aiohttp (portal-facing) was bumped to >=3.13.4 in that PR and pip-audit was set advisory (non-blocking) so the rest don't block every PR. This issue tracks triaging the remainder.
Why it matters
The headline fix (aiohttp 3.13.2 → 3.13.4, CVE-2026-34515 / CVE-2026-34513) is shipped — that's the network-facing one. The remaining ~68 are mostly in heavy optional/transitive deps (the torch/onnxruntime chain pulled in by Kokoro TTS + Moonshine STT), which can't all be trivially bumped and aren't on the default install's hot path. But "advisory and ignored" rots — without triage the signal goes to noise.
Proposed approach
- Run
uvx pip-audit over uv export and group findings by: (a) runtime-default deps, (b) optional-extra deps (tts/stt), (c) dev-only.
- Bump (a) aggressively where a fixed version exists and resolves cleanly under py3.10–3.13.
- For (b)/(c), bump where safe; for un-fixable transitive CVEs, add a documented
pip-audit --ignore-vuln <ID> allowlist with a one-line justification each.
- Consider scoping the CI audit to runtime deps only (export without optional extras) so the gate tracks the deps that actually ship by default, and keep the full audit on the weekly cron.
Effort / risk
Effort M (mostly triage + version bumps + lock refresh). Risk: low; bumps are verified by the existing test suite.
Goal
The new
pip-auditCI gate (added in the damage-control hardening PR) immediately surfaced 70 known CVEs across 13 packages.aiohttp(portal-facing) was bumped to>=3.13.4in that PR and pip-audit was set advisory (non-blocking) so the rest don't block every PR. This issue tracks triaging the remainder.Why it matters
The headline fix (
aiohttp 3.13.2→3.13.4, CVE-2026-34515 / CVE-2026-34513) is shipped — that's the network-facing one. The remaining ~68 are mostly in heavy optional/transitive deps (thetorch/onnxruntimechain pulled in by Kokoro TTS + Moonshine STT), which can't all be trivially bumped and aren't on the default install's hot path. But "advisory and ignored" rots — without triage the signal goes to noise.Proposed approach
uvx pip-auditoveruv exportand group findings by: (a) runtime-default deps, (b) optional-extra deps (tts/stt), (c) dev-only.pip-audit --ignore-vuln <ID>allowlist with a one-line justification each.Effort / risk
Effort M (mostly triage + version bumps + lock refresh). Risk: low; bumps are verified by the existing test suite.