Skip to content

security: vulnerability remediation#188

Open
kernel-internal[bot] wants to merge 1 commit into
mainfrom
security/vuln-remediation
Open

security: vulnerability remediation#188
kernel-internal[bot] wants to merge 1 commit into
mainfrom
security/vuln-remediation

Conversation

@kernel-internal

@kernel-internal kernel-internal Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Vulnerability Remediation

This PR was generated by the Socket-centric vulnerability remediation workflow. Review the planned dependency changes and confirmation evidence before merging.

Fixed

CVE/GHSA Package Ecosystem Old Version New Version Manifest Confirmation
GHSA-45gg-vh54-h5m9 golang.org/x/crypto None v0.47.0 0.52.0 confirmed

Not Included

  • Deferred by batch limit: 128 advisories. They will be considered by future runs.
  • Other deferred scanner findings: 9.
  • Unconfirmed attempted fixes: 0.
Deferred details
CVE/GHSA Package Reason
Unavailable from detector json-schema Non-CVE alert is not handled by dependency remediation.
Unavailable from detector float Non-CVE alert is not handled by dependency remediation.
Unavailable from detector hashes Non-CVE alert is not handled by dependency remediation.
Unavailable from detector cheerio Non-CVE alert is not handled by dependency remediation.
Unavailable from detector typebox Non-CVE alert is not handled by dependency remediation.
Unavailable from detector runtime Non-CVE alert is not handled by dependency remediation.
Unavailable from detector github.com/godbus/dbus/v5 Non-CVE alert is not handled by dependency remediation.
Unavailable from detector golang.org/x/crypto Missing CVE/GHSA identifier required for Socket fix planning.
Unavailable from detector authlib Missing CVE/GHSA identifier required for Socket fix planning.

@socket-security

socket-security Bot commented Jun 17, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedgolang/​golang.org/​x/​crypto@​v0.47.0 ⏵ v0.52.074 +1100 +75100100100
Updatedgolang/​golang.org/​x/​sync@​v0.19.0 ⏵ v0.20.099100100100100
Updatedgolang/​golang.org/​x/​term@​v0.39.0 ⏵ v0.43.0100100100100100

View full report

@socket-security

socket-security Bot commented Jun 17, 2026

Copy link
Copy Markdown

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

@firetiger-agent

Copy link
Copy Markdown

Created a monitoring plan for this PR.

What this PR does: Patches a high-severity security vulnerability (GHSA-537c-gmf6-5ccf — vulnerable OpenSSL in cryptography wheels) in the CLI's browser-use sample app template. New projects scaffolded from this template will no longer include the affected dependency.

Intended effect: No production telemetry signal exists for CLI template usage — this is a template-only change with no deployed service. Confirmation is structural: the lockfile pins browser-use==0.12.3 and aiohttp==3.13.3, which resolve without the vulnerable OpenSSL transitive dependency. Manual validation (run uv sync + scaffold and execute the template) is the only applicable check.

Risks:

  • browser-use API breakbrowser-use 0.11→0.12 may change Browser/Agent constructor signatures; alert if scaffolded template fails to run (ImportError or TypeError at startup)
  • aiohttp 3.13.x incompatibility — transitive bump from 3.12.15 to 3.13.3; alert if uv sync fails or generated app raises aiohttp-related exceptions at startup
  • lockfile resolution failure on edge Python versions — pinned wheels may be missing for some platforms; alert if uv sync errors on supported Python ≥3.11 runtimes

View monitor

@kernel-internal kernel-internal Bot force-pushed the security/vuln-remediation branch 2 times, most recently from a07f351 to f6e973f Compare July 8, 2026 04:08
@kernel-internal kernel-internal Bot force-pushed the security/vuln-remediation branch from f6e973f to dc2084d Compare July 15, 2026 04:01

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Want fixes drafted automatically? Bugbot Autofix can create code changes for findings. A team admin can enable Autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit dc2084d. Configure here.

Comment thread go.mod
golang.org/x/sync v0.19.0
golang.org/x/term v0.39.0
golang.org/x/sync v0.20.0
golang.org/x/term v0.43.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claimed vulnerability fix missing

High Severity

This PR marks GHSA-537c-gmf6-5ccf as confirmed fixed via a browser-use bump, but the diff only updates Go modules such as golang.org/x/crypto. The advisory targets PyPI cryptography (patched in 48.0.1), and the shipped browser-use template still pins browser-use 0.11.1 with cryptography 46.0.3, so the vulnerability remains.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit dc2084d. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant