build(deps): bump Rust and Python deps to clear CI security gates#444
Merged
- Update rand, openssl, rustls-webpki across all Rust Cargo.lock files
- Upgrade lxml 5.3.0 to 6.1.0 in onvif-camera-simulator

🔒 - Generated by Copilot
Note: our current CI is failing on the ORT CDN; it seems other users are facing it as well, which we expect to be transient.
bindsi approved these changes (Apr 24, 2026)
katriendg added a commit that referenced this pull request (Apr 30, 2026):
Migrate GitHub-side release management from GitVersion + the custom `create-release` workflow to [release-please-action v4.4.1](https://github.com/googleapis/release-please-action) using the `simple` release type with a manifest-driven configuration. The new workflow is `workflow_dispatch` only (no auto-trigger on push) so releases remain explicitly gated. This PR also removes the parallel Azure DevOps release-branch automation that was tightly coupled to GitVersion, since release management now runs from GitHub. The Azure DevOps `github-push` mirror pipeline is retained but trimmed of GitVersion references. Net change: **17 files, +148 / -1364**.

## Related Issue

Relates to WI-01 (replace GitVersion with release-please on GitHub side).

## Type of Change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Blueprint modification or addition
- [ ] Component modification or addition
- [x] Documentation update
- [x] CI/CD pipeline change
- [ ] Other (please describe):

## Implementation Details

**Added**

- `.github/workflows/release-please.yml` — `workflow_dispatch`-only workflow invoking `googleapis/release-please-action@v4.4.1` (pinned).
- `release-please-config.json` — `simple` release type, single root package.
- `.release-please-manifest.json` — pinned to current version `2.8.0`.

**Disabled** (kept on disk, renamed so GitHub no longer schedules it)

- `.github/workflows/create-release.yml` → `.github/workflows/create-release.yml.disabled`

**Deleted**

- `GitVersion.yml` (root)
- `.azuredevops/pipelines/release-branch-create.yml`
- `.azuredevops/docs/release-branch-create.md`
- `.azdo/pipelines/github-push.yml` (superseded by `.azuredevops/pipelines/github-push.yml`)

**Modified (docs + ADO mirror)**

- `docs/build-cicd/release-workflow.md` — describes release-please trigger, manifest, and version bump flow.
- `docs/build-cicd/configuration-reference.md` — replaces GitVersion config reference with release-please config reference.
- `.azuredevops/docs/github-push.md` — removes GitVersion language.
- `.azuredevops/pipelines/github-push.yml` — removes GitVersion variable group and step.
- `.azuredevops/README.md` — drops the release-branch-create entry.
- `.github/copilot-instructions.md` — points contributors at release-please instead of GitVersion.

## Testing Performed

- [ ] Terraform plan/apply
- [ ] Blueprint deployment test
- [ ] Unit tests
- [ ] Integration tests
- [ ] Bug fix includes regression test (see [Test Policy](docs/contributing/testing-validation.md))
- [x] Manual validation
- [x] Other: actionlint, yamllint, prettier --check, markdownlint-cli2 all pass on the changed files.

## Validation Steps

```bash
# YAML / Actions
actionlint .github/workflows/release-please.yml
yamllint .github/workflows/release-please.yml release-please-config.json .release-please-manifest.json

# Formatting
npx prettier --check release-please-config.json .release-please-manifest.json .github/workflows/release-please.yml

# Markdown
npx markdownlint-cli2 \
  docs/build-cicd/release-workflow.md \
  docs/build-cicd/configuration-reference.md \
  .azuredevops/docs/github-push.md \
  .azuredevops/README.md \
  .github/copilot-instructions.md
```

All validators reported no errors at HEAD `6427d727`.

## Checklist

- [x] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [ ] All new and existing tests passed
- [ ] I have run `terraform fmt` on all Terraform code
- [ ] I have run `terraform validate` on all Terraform code
- [ ] I have run `az bicep format` on all Bicep code
- [ ] I have run `az bicep build` to validate all Bicep code
- [x] I have checked for any sensitive data/tokens that should not be committed
- [x] Lint checks pass (run applicable linters for changed file types)

Terraform / Bicep / test items are N/A — this PR is JSON + YAML + Markdown only.

## Security Review

- [x] No credentials, secrets, or tokens are hardcoded or logged
- [x] RBAC and identity changes follow least-privilege principles
- [x] No new network exposure or public endpoints introduced without justification
- [x] Dependency additions or updates have been reviewed for known vulnerabilities
- [x] Container image changes use pinned digests or SHA references

The diff touches only release tooling configuration and docs. The release-please action is pinned to `v4.4.1`. No code paths, identity boundaries, or network resources are changed.

Note: a Grype scan of the repo (unrelated to files modified by this PR) reports 4 pre-existing CVEs in dependencies (`go.opentelemetry.io/otel`, `postcss`, `uuid`, `github.com/jackc/pgx/v5`). These should be addressed in a separate dependency-bump PR per precedent (#427, #444).

## Additional Notes

- HEAD: `6427d727` (up to date with `main` at `c01b934f`).
- The new workflow is intentionally `workflow_dispatch`-only for this rollout; once verified, a follow-up PR can enable the standard `push: branches: [main]` trigger.
- The ADO `release-branch-create` pipeline is removed because release-branch creation is now handled by release-please's release PR. The ADO `github-push` mirror remains.

## Screenshots (if applicable)

N/A — no UI changes.

---------

Co-authored-by: Bill Berry <wbery@microsoft.com>
Co-authored-by: Katrien De Graeve <katriendg@users.noreply.github.com>
WilliamBerryiii added a commit that referenced this pull request (May 14, 2026):
🤖 I have created a release *beep* *boop*

---

## [3.0.0](v2.8.0...v3.0.0) (2026-05-14)

### ⚠ BREAKING CHANGES

* **terraform:** upgrade required_version floor from 1.9.8 to 1.12.0 ([#487](#487))

### Features

* **500-application:** add 514-wasm-msg-to-dss WASM map operator with DSS enrichment pattern ([#356](#356)) ([db882a5](db882a5))
* add tags support to all blueprints and remove deprecated federated identity reference ([#483](#483)) ([c9c8967](c9c8967))
* add unit tests for application services (Rust + Python) ([#372](#372)) ([220ab28](220ab28))
* **avro-to-json:** add unit tests for wire format config parsing ([#368](#368)) ([65bc924](65bc924))
* **build:** add multi-language fuzzing infra (CFLite + Codecov flags) ([#453](#453)) ([7407230](7407230))
* **ci:** enforce rust crate registration in codecov coverage ([#155](#155)) ([#449](#449)) ([9b33d69](9b33d69))
* **docs:** migrate from Docsify to Docusaurus ([#399](#399)) ([ca06002](ca06002))
* **iot-ops:** upgrade AIO 2604 release (1.3.70), harden schema-registry RBAC ([#471](#471)) ([e772b74](e772b74))
* **release-please:** implement PAI 1+6 jobs DAG with binary integrity and tag signature verification ([#501](#501)) ([dc58f10](dc58f10))
* **terraform:** upgrade required_version floor from 1.9.8 to 1.12.0 ([#487](#487)) ([49229da](49229da))

### Bug Fixes

* **ai-edge-inference:** bump notify 7 to 8 (partial RUSTSEC-2024-0384) ([#469](#469)) ([f548586](f548586))
* **build:** pin all dependencies for OSSF Scorecard ([#402](#402)) ([79e6971](79e6971))
* **build:** resolve all 4 main branch CI lint failures ([#365](#365)) ([f90ad6f](f90ad6f))
* **build:** use valid 'rust' cataloger tag for Syft v1.42.3+ ([#423](#423)) ([f168e56](f168e56))
* **deps:** bump openssl to 0.10.79 across remaining Rust services ([#480](#480)) ([14e6f16](14e6f16))
* **docker:** replace awk with cut for hash verification in Dockerfiles and templates ([#493](#493)) ([80e97fd](80e97fd))
* **docs:** remove ignoreDeprecations in tsconfig.json ([#488](#488)) ([1b4af53](1b4af53))
* **docs:** silence TS5101 baseUrl deprecation in docusaurus tsconfig ([#475](#475)) ([ff9d53f](ff9d53f))
* **release-please:** use client-id instead of deprecated app-id ([#491](#491)) ([aff623c](aff623c))
* **scripts:** align Grype writer/reader naming so security gate fails closed ([#362](#362)) ([#411](#411)) ([64b3db3](64b3db3))
* update stale hashes for checkov and requests in requirements.txt ([#516](#516)) ([fa3c57f](fa3c57f))
* **workflows:** harden CI workflows to fail-fast on lint, security, and doc-gen errors ([#393](#393)) ([4669835](4669835))

### Documentation

* add OpenSSF Scorecard badge to README ([#371](#371)) ([917851b](917851b))
* **adrs:** document .terraform.lock.hcl exclusion rationale ([#505](#505)) ([7c7185b](7c7185b))
* **governance:** add GOVERNANCE.md ([#160](#160)) ([#503](#503)) ([76d1cfe](76d1cfe))

### Build System

* **deps:** bump Rust and Python deps to clear CI security gates ([#444](#444)) ([2c05d82](2c05d82))

### Miscellaneous Chores

* **build:** migrate node toolchain to v24 (closes [#458](#458)) ([#460](#460)) ([7a7648c](7a7648c))
* **build:** pin pip and CI tool installs for Scorecard ([#464](#464)) ([1a57e67](1a57e67))
* **deps:** bump github.com/aws/aws-sdk-go-v2/service/lambda from 1.69.0 to 1.88.5 in /blueprints/full-single-node-cluster/tests ([#364](#364)) ([ca8a5a2](ca8a5a2))
* **deps:** bump github.com/jackc/pgx/v5 from 5.7.1 to 5.9.0 in /blueprints/full-single-node-cluster/tests ([#397](#397)) ([57caa75](57caa75))
* **deps:** bump github.com/microsoft/kiota-http-go from 1.5.4 to 1.5.5 in /blueprints/full-single-node-cluster/tests ([#485](#485)) ([f080a5e](f080a5e))
* **deps:** bump github.com/moby/spdystream from 0.5.0 to 0.5.1 in /blueprints/full-single-node-cluster/tests ([#396](#396)) ([a45f051](a45f051))
* **deps:** bump openssl from 0.10.78 to 0.10.79 in /src/500-application/507-ai-inference/services/ai-edge-inference ([#477](#477)) ([8326a97](8326a97))
* **deps:** bump openssl from 0.10.78 to 0.10.79 in /src/500-application/507-ai-inference/services/ai-edge-inference-crate ([#476](#476)) ([8b7536e](8b7536e))
* **deps:** bump pytest from 9.0.2 to 9.0.3 in /src/500-application/506-ros2-connector/services ([#394](#394)) ([14828e7](14828e7))
* **deps:** bump rand from 0.9.2 to 0.9.4 in /src/500-application/507-ai-inference/services/ai-edge-inference-crate ([#395](#395)) ([3cac305](3cac305))
* **deps:** bump urllib3 from 2.6.3 to 2.7.0 and consolidate dependencies ([#509](#509)) ([40c1ef6](40c1ef6))
* **deps:** consolidate Dependabot updates into one weekly PR per ecosystem ([#410](#410)) ([37de2b4](37de2b4))
* **deps:** remediate Grype/OSSF vulnerabilities ([#451](#451)) ([#450](#450)) ([b5d0753](b5d0753))
* migrate from GitVersion to release-please ([#446](#446)) ([d2ced15](d2ced15))
* **security:** pin remaining unpinned dependencies (OSSF Scorecard) ([#497](#497)) ([39d385a](39d385a))
* **security:** remediate OSSF Scorecard vulnerability advisories ([#502](#502)) ([ba570c4](ba570c4))
* vulnerability remediation ([#409](#409) phases A-G), OSSF hardening, and Docusaurus migration completion ([#408](#408)) ([b6a3f08](b6a3f08))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: edge-ai-release-please[bot] <282732779+edge-ai-release-please[bot]@users.noreply.github.com>
Co-authored-by: Bill Berry <wberry@microsoft.com>
WilliamBerryiii added a commit that referenced this pull request (May 16, 2026):
🤖 I have created a release *beep* *boop*

---

## [4.0.0](v3.0.0...v4.0.0) (2026-05-15)

### ⚠ BREAKING CHANGES

* **terraform:** upgrade required_version floor from 1.9.8 to 1.12.0 ([#487](#487))

### Features

* **500-application:** add 514-wasm-msg-to-dss WASM map operator with DSS enrichment pattern ([#356](#356)) ([db882a5](db882a5))
* add tags support to all blueprints and remove deprecated federated identity reference ([#483](#483)) ([c9c8967](c9c8967))
* Add Terraform modules for Azure Kubernetes Service (AKS) and Azure Container Registry (ACR) ([e92f3f7](e92f3f7))
* add unit tests for application services (Rust + Python) ([#372](#372)) ([220ab28](220ab28))
* adopt hve-core PowerShell CI infrastructure ([#312](#312)) ([9745d2b](9745d2b))
* **application:** add WASM operator for Avro-to-JSON transformation ([#212](#212)) ([1e032eb](1e032eb))
* **avro-to-json:** add unit tests for wire format config parsing ([#368](#368)) ([65bc924](65bc924))
* **avro-to-json:** add wireFormat configuration parameter ([#357](#357)) ([e5d1833](e5d1833))
* **bicep:** implement AKS and ACR deployment components ([903cbee](903cbee))
* **blueprints:** update blueprint metadata and add Terraform files ([e075d19](e075d19))
* **build:** add multi-language fuzzing infra (CFLite + Codecov flags) ([#453](#453)) ([7407230](7407230))
* **build:** add root .hadolint.yaml and centralize Dockerfile linting config ([#133](#133)) ([45e0d04](45e0d04))
* **build:** Add Security Scan Results for Edge AI Infrastructure Components - Merged PR 266 ([a5a6b61](a5a6b61))
* **build:** Update azure-pipelines.yml for internal-eng branch: Merged PR 326 ([d8beaa2](d8beaa2))
* **chatmode:** update phase and task stop conditions for user review ([a9fb653](a9fb653))
* **ci:** add docker cleanup to megalinter template ([9cd020a](9cd020a))
* **ci:** enforce rust crate registration in codecov coverage ([#155](#155)) ([#449](#449)) ([9b33d69](9b33d69))
* **ci:** upgrade CodeQL actions and enhance GitHub Pages deployment ([56087d4](56087d4))
* **community:** add community data processing and reporting markdown - Merged PR 239 ([7221d45](7221d45))
* **dependency:** minor fix for the dependency scan for main branch builds ([b1f22bf](b1f22bf))
* **dev:** add markdown table formatter for all folders to package.json - Merged PR 264 ([eef006d](eef006d))
* **docs:** add CODEOWNERS file for repository ownership management ([2d0de94](2d0de94))
* **docs:** enhance dev container and prerequisites and setup instructions in source README ([dd0dd42](dd0dd42))
* **docs:** migrate from Docsify to Docusaurus ([#399](#399)) ([ca06002](ca06002))
* **iot-ops:** upgrade AIO 2604 release (1.3.70), harden schema-registry RBAC ([#471](#471)) ([e772b74](e772b74))
* **mcp:** add terraform-mcp-server ([9797ced](9797ced))
* **networking:** add Terraform and bicep module for Azure virtual network with subnets and NSGs, removed from VM-Host ([35eb221](35eb221))
* **pipeline:** add pre-release stage and update conditions for PR builds ([ace7192](ace7192))
* **pipelines:** add internalGitHub parameter for repository access ([93a7c86](93a7c86))
* **release-please:** implement PAI 1+6 jobs DAG with binary integrity and tag signature verification ([#501](#501)) ([dc58f10](dc58f10))
* **reporting:** add scenario to capability to feature mapping graphic - Merged PR 292 ([7eb24d4](7eb24d4))
* **security-identity:** add security review gate via CODEOWNERS, PR template, and label ([#333](#333)) ([dcb6d57](dcb6d57))
* **settings:** add GitHub HTTP MCP server configuration ([#197](#197)) ([6a70b61](6a70b61))
* **settings:** add initial Jekyll configuration file ([350603d](350603d))
* **settings:** add v8r schema validation configuration ([#219](#219)) ([2e5e261](2e5e261))
* **terraform:** add should_create_aks variable and update AKS module logic ([fb3f0ff](fb3f0ff))
* **terraform:** upgrade required_version floor from 1.9.8 to 1.12.0 ([#487](#487)) ([49229da](49229da))
* **tools:** add .shellcheckrc for ShellCheck configuration ([#124](#124)) ([6441eb9](6441eb9))

### Bug Fixes

* **ai-edge-inference:** bump notify 7 to 8 (partial RUSTSEC-2024-0384) ([#469](#469)) ([f548586](f548586))
* **application:** avro-to-json handle JSON-string-encoded schema and Confluent wire format prefix ([#336](#336)) ([e2ac755](e2ac755))
* **application:** update trigger topics for video capture ([2795b3b](2795b3b))
* **build:** add granular grype-soft-fail for PR validation ([#313](#313)) ([2169b99](2169b99))
* **build:** format markdown tables for MD060 compliance ([#102](#102)) ([2875957](2875957))
* **build:** narrow mega linter diff fetch scope ([f4b07e1](f4b07e1))
* **build:** pin all dependencies for OSSF Scorecard ([#402](#402)) ([79e6971](79e6971))
* **build:** remediate script injection in create-release workflow ([#351](#351)) ([0ffddb7](0ffddb7))
* **build:** resolve all 4 main branch CI lint failures ([#365](#365)) ([f90ad6f](f90ad6f))
* **build:** resolve npm vulnerabilities and merge release 2.0.0 ([#61](#61)) ([349c30e](349c30e))
* **build:** resolve npm vulnerabilities and sidebar generation ([5bb66cd](5bb66cd))
* **build:** the addition of bicep documents check to the GH workflows was missing for PR Validation. ([9e23bf8](9e23bf8))
* **build:** update stale GitHub Action SHAs and npm dependencies ([#103](#103)) ([e0d5731](e0d5731))
* **build:** update working directory for resource provider scripts - noticed an inconsistency since the refactor of the folder names under /src/ ([1ef1f27](1ef1f27))
* **build:** use valid 'rust' cataloger tag for Syft v1.42.3+ ([#423](#423)) ([f168e56](f168e56))
* **deps:** bump openssl to 0.10.79 across remaining Rust services ([#480](#480)) ([14e6f16](14e6f16))
* **docker:** replace awk with cut for hash verification in Dockerfiles and templates ([#493](#493)) ([80e97fd](80e97fd))
* **docs:** blueprint links ([#27](#27)) ([46b51a0](46b51a0))
* **docs:** clean up docs - Merged PR 285 ([1be28fd](1be28fd))
* **docs:** clean up project security plans folder - Merged PR 265 ([19a4489](19a4489))
* **docs:** remove ignoreDeprecations in tsconfig.json ([#488](#488)) ([1b4af53](1b4af53))
* **docs:** silence TS5101 baseUrl deprecation in docusaurus tsconfig ([#475](#475)) ([ff9d53f](ff9d53f))
* **instructions:** use prompt refactor prompt to update csharp instructions ([bff1893](bff1893))
* **iot-ops:** add dependency for azurerm_arc_kubernetes_cluster_extension in instance resource ([aafcfe7](aafcfe7))
* **iot-ops:** change type of should_create_anonymous_broker_listener to bool ([27efdbc](27efdbc))
* **iot-ops:** correct user assigned identity naming format ([71cd557](71cd557))
* **linting:** address linting issues on main branch - Merged PR 231 ([29e0bbf](29e0bbf))
* **mega-linter:** add `permissions > statuses: write` for main.yml GH ([f5374b9](f5374b9))
* **pr-validation:** update job dependencies for matrix changes ([1d858ee](1d858ee))
* **release-please:** use client-id instead of deprecated app-id ([#491](#491)) ([aff623c](aff623c))
* **scripts:** align Grype writer/reader naming so security gate fails closed ([#362](#362)) ([#411](#411)) ([64b3db3](64b3db3))
* **settings:** update kubectl-helm-minikube version to avoid outages ([51384e9](51384e9))
* **settings:** update YAML lint filter regex for templates ([a39adbb](a39adbb))
* **terraform:** correct subnet address prefix in virtual network configuration ([10674fb](10674fb))
* **terraform:** resourceSyncRules fixes in resource definition ([1da54d2](1da54d2))
* update stale hashes for checkov and requests in requirements.txt ([#516](#516)) ([fa3c57f](fa3c57f))
* **workflows:** create git tag for draft releases ([#521](#521)) ([d9ceaf9](d9ceaf9))
* **workflows:** harden CI workflows to fail-fast on lint, security, and doc-gen errors ([#393](#393)) ([4669835](4669835))

### Documentation

* **500-application:** remove duplicate section and pre-release app from README ([8a19340](8a19340))
* add OpenSSF Scorecard badge to README ([#371](#371)) ([917851b](917851b))
* **adrs:** document .terraform.lock.hcl exclusion rationale ([#505](#505)) ([7c7185b](7c7185b))
* **contribute:** replace Azure DevOps references with GitHub equivalents ([#198](#198)) ([9c96219](9c96219))
* **governance:** add GOVERNANCE.md ([#160](#160)) ([#503](#503)) ([76d1cfe](76d1cfe))
* **pr-template:** add regression test checkbox for bug fixes ([#187](#187)) ([bf9af5a](bf9af5a))
* **readme:** add OpenSSF Best Practices badge ([#290](#290)) ([9b119a6](9b119a6))
* regenerate module README files for MD060 table compliance ([45bef8d](45bef8d))
* **security:** add vulnerability response timeline to SECURITY.md ([#193](#193)) ([966cb42](966cb42))
* **testing:** add formal test policy and requirements ([#190](#190)) ([cdd6446](cdd6446))

### Build System

* **build:** add clippy lint configuration and CI integration ([#231](#231)) ([dadeaa9](dadeaa9))
* **build:** add integrity verification for third-party GitHub Actions ([#269](#269)) ([4d68f68](4d68f68))
* **build:** add prettier configuration for JSON formatting ([#217](#217)) ([7766d33](7766d33))
* **build:** replace SLSA attestation with actions/attest ([#332](#332)) ([6ec9952](6ec9952))
* **ci:** replace MegaLinter with per-tool GitHub Actions lint workflows ([#240](#240)) ([022a1a1](022a1a1))
* **deps:** bump Rust and Python deps to clear CI security gates ([#444](#444)) ([2c05d82](2c05d82))
* **deps:** use ga release of the fabric terraform ([b27b9c5](b27b9c5))
* **scripts:** add EditorConfig and enable shfmt in MegaLinter ([#136](#136)) ([2a496d2](2a496d2))
* **scripts:** pin tonistiigi/xx to versioned SHA256 digest ([#260](#260)) ([a14084a](a14084a))
* **security-identity:** add standalone OSSF Scorecard workflow ([#307](#307)) ([51611e8](51611e8))

### Code Refactoring

* **build:** consolidate workflow inputs for GitHub 10-input limit ([#63](#63)) ([2d6500b](2d6500b))
* **terraform:** remove site MQTT endpoint and clean secret-provider-class ([8d3f695](8d3f695))
* **vm-host:** simplify subnet handling in Terraform configuration ([927e0fa](927e0fa))

### Miscellaneous Chores

* **build:** expand dependabot to cover all dependency ecosystems ([#261](#261)) ([04f3b23](04f3b23))
* **build:** migrate node toolchain to v24 (closes [#458](#458)) ([#460](#460)) ([7a7648c](7a7648c))
* **build:** pin pip and CI tool installs for Scorecard ([#464](#464)) ([1a57e67](1a57e67))
* **build:** upgrade tf-docs to v 0.19.0 - Merged PR 232 ([fa75196](fa75196))
* **ci:** Remove redundant PowerShell installation from GitHub Actions workflow ([#86](#86)) ([5918632](5918632))
* **codeowners:** add missing directory paths ([#256](#256)) ([7e8b559](7e8b559))
* **deps-dev:** bump minimatch from 3.1.2 to 3.1.5 in /docs/_server ([#229](#229)) ([24a38d6](24a38d6))
* **deps-dev:** bump rollup from 4.53.3 to 4.59.0 in /docs/_server ([#228](#228)) ([e6c3740](e6c3740))
* **deps-dev:** bump undici from 7.22.0 to 7.24.1 ([#252](#252)) ([6b967ac](6b967ac))
* **deps:** batch security and dependency updates ([#216](#216)) ([d19c605](d19c605))
* **deps:** bump @isaacs/brace-expansion from 5.0.0 to 5.0.1 ([#132](#132)) ([b836cfd](b836cfd))
* **deps:** bump bytes from 1.10.1 to 1.11.1 in /src/500-application/501-rust-telemetry/services/receiver ([#184](#184)) ([2534de9](2534de9))
* **deps:** bump bytes from 1.10.1 to 1.11.1 in /src/500-application/501-rust-telemetry/services/sender ([#181](#181)) ([5672cb9](5672cb9))
* **deps:** bump bytes from 1.10.1 to 1.11.1 in /src/500-application/502-rust-http-connector/services/broker ([#183](#183)) ([695c16d](695c16d))
* **deps:** bump bytes from 1.10.1 to 1.11.1 in /src/500-application/503-media-capture-service/services/media-capture-service ([#131](#131)) ([76cad0b](76cad0b))
* **deps:** bump bytes from 1.10.1 to 1.11.1 in /src/500-application/504-mqtt-otel-trace-exporter/services/mqtt-otel-trace-exporter ([#138](#138)) ([2cc0c8d](2cc0c8d))
* **deps:** bump bytes from 1.10.1 to 1.11.1 in /src/500-application/507-ai-inference/services/ai-edge-inference ([#129](#129)) ([d2a83f5](d2a83f5))
* **deps:** bump bytes from 1.10.1 to 1.11.1 in /src/500-application/507-ai-inference/services/ai-edge-inference-crate ([#236](#236)) ([a13417f](a13417f))
* **deps:** bump bytes from 1.10.1 to 1.11.1 in /src/500-application/507-ai-inference/services/ai-edge-inference-crate/tests/no-features-test ([#130](#130)) ([5d4f2ce](5d4f2ce))
* **deps:** bump express from 4.21.2 to 4.22.1 in /docs/_server ([#68](#68)) ([a0e7e0b](a0e7e0b))
* **deps:** bump flask from 3.0.3 to 3.1.3 in /src/500-application/505-akri-rest-http-connector/services/sensor-simulator ([#202](#202)) ([02ad24c](02ad24c))
* **deps:** bump flask from 3.0.3 to 3.1.3 in /src/500-application/506-ros2-connector/services ([#227](#227)) ([97c54ca](97c54ca))
* **deps:** bump flask from 3.1.2 to 3.1.3 in /src/500-application/502-rust-http-connector/services/sensor-simulator/src ([#209](#209)) ([7544fbe](7544fbe))
* **deps:** bump github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs from 1.44.0 to 1.65.0 in /blueprints/full-single-node-cluster/tests ([#363](#363)) ([52e807a](52e807a))
* **deps:** bump github.com/aws/aws-sdk-go-v2/service/lambda from 1.69.0 to 1.88.5 in /blueprints/full-single-node-cluster/tests ([#364](#364)) ([ca8a5a2](ca8a5a2))
* **deps:** bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.69.0 to 1.97.3 in /blueprints/full-single-node-cluster/tests ([#366](#366)) ([5de38e9](5de38e9))
* **deps:** bump github.com/jackc/pgx/v5 from 5.7.1 to 5.9.0 in /blueprints/full-single-node-cluster/tests ([#397](#397)) ([57caa75](57caa75))
* **deps:** bump github.com/microsoft/kiota-http-go from 1.5.4 to 1.5.5 in /blueprints/full-single-node-cluster/tests ([#485](#485)) ([f080a5e](f080a5e))
* **deps:** bump github.com/moby/spdystream from 0.5.0 to 0.5.1 in /blueprints/full-single-node-cluster/tests ([#396](#396)) ([a45f051](a45f051))
* **deps:** bump github.com/ulikunitz/xz from 0.5.10 to 0.5.14 in /blueprints/full-single-node-cluster/tests ([#139](#139)) ([43c6a1b](43c6a1b))
* **deps:** bump github.com/ulikunitz/xz from 0.5.10 to 0.5.14 in /src/900-tools-utilities/904-test-utilities ([#180](#180)) ([3c83f8b](3c83f8b))
* **deps:** bump lodash-es from 4.17.22 to 4.17.23 ([#113](#113)) ([fb12deb](fb12deb))
* **deps:** bump openssl from 0.10.78 to 0.10.79 in /src/500-application/507-ai-inference/services/ai-edge-inference ([#477](#477)) ([8326a97](8326a97))
* **deps:** bump openssl from 0.10.78 to 0.10.79 in /src/500-application/507-ai-inference/services/ai-edge-inference-crate ([#476](#476)) ([8b7536e](8b7536e))
* **deps:** bump pillow from 10.4.0 to 12.1.1 in /src/500-application/506-ros2-connector/services ([#192](#192)) ([6511fa3](6511fa3))
* **deps:** bump pytest from 9.0.2 to 9.0.3 in /src/500-application/506-ros2-connector/services ([#394](#394)) ([14828e7](14828e7))
* **deps:** bump rand from 0.9.2 to 0.9.4 in /src/500-application/507-ai-inference/services/ai-edge-inference-crate ([#395](#395)) ([3cac305](3cac305))
* **deps:** bump requests from 2.32.3 to 2.32.4 in /src/500-application/505-akri-rest-http-connector/services/sensor-simulator ([#64](#64)) ([a5e1735](a5e1735))
* **deps:** bump requests from 2.32.4 to 2.33.0 in /src/500-application/505-akri-rest-http-connector/services/sensor-simulator ([#304](#304)) ([eff3240](eff3240))
* **deps:** bump tar from 7.5.10 to 7.5.11 ([#241](#241)) ([78bc60d](78bc60d))
* **deps:** bump tar from 7.5.3 to 7.5.7 ([#115](#115)) ([31a41a9](31a41a9))
* **deps:** bump tar from 7.5.7 to 7.5.9 ([#200](#200)) ([3d19470](3d19470))
* **deps:** bump tar from 7.5.9 to 7.5.10 ([#230](#230)) ([f785f97](f785f97))
* **deps:** bump urllib3 from 2.6.3 to 2.7.0 and consolidate dependencies ([#509](#509)) ([40c1ef6](40c1ef6))
* **deps:** bump werkzeug from 3.0.6 to 3.1.4 in /src/500-application/506-ros2-connector/services ([#74](#74)) ([c6b4d15](c6b4d15))
* **deps:** bump werkzeug from 3.1.5 to 3.1.6 in /src/500-application/502-rust-http-connector/services/sensor-simulator/src ([#210](#210)) ([6e82c78](6e82c78))
* **deps:** bump werkzeug from 3.1.5 to 3.1.6 in /src/500-application/506-ros2-connector/services ([#203](#203)) ([90ae904](90ae904))
* **deps:** bundle Dependabot security fixes for flatted, cors, and grype config ([#292](#292)) ([bb13625](bb13625))
* **deps:** consolidate 16 dependabot PRs with eslint v10, vitest v4, and cspell v9 ([#297](#297)) ([e6ecdb4](e6ecdb4))
* **deps:** consolidate Dependabot updates into one weekly PR per ecosystem ([#410](#410)) ([37de2b4](37de2b4))
* **deps:** regenerate package-lock.json after merge ([683a29a](683a29a))
* **deps:** remediate Grype/OSSF vulnerabilities ([#451](#451)) ([#450](#450)) ([b5d0753](b5d0753))
* **devcontainer:** pin .NET SDK to 9.0 ([#517](#517)) ([77adefd](77adefd))
* **docs:** clean up localization - Merged PR 233 ([86fd6d0](86fd6d0))
* **docs:** regenerate sidebar for new wasm provider component ([3ad039d](3ad039d))
* integrate changes from main ([da6eaa7](da6eaa7))
* integrate changes from main ([a3d7b1a](a3d7b1a))
* integrate changes from main ([31e850a](31e850a))
* integrate changes from main ([4c2c55f](4c2c55f))
* integrate changes from main ([de2103c](de2103c))
* integrate changes from main ([0b69506](0b69506))
* integrate changes from main ([7f6758f](7f6758f))
* integrate changes from main ([cbf26d8](cbf26d8))
* integrate changes from main ([161e8bc](161e8bc))
* integrate changes from main ([8a4dfeb](8a4dfeb))
* integrate changes from main ([54ecd23](54ecd23))
* integrate changes from main ([8abef9d](8abef9d))
* integrate changes from main ([5e621d0](5e621d0))
* integrate changes from main ([19b27d2](19b27d2))
* integrate changes from main ([498f342](498f342))
* integrate changes from main ([4eac1e9](4eac1e9))
* integrate changes from main ([01baf3a](01baf3a))
* integrate changes from main ([97f0c7f](97f0c7f))
* integrate changes from main ([93f2215](93f2215))
* **main:** release 3.0.0 ([#489](#489)) ([c42703d](c42703d))
* merge github/main into release/2.0.0 ([88365e6](88365e6))
* migrate from GitVersion to release-please ([#446](#446)) ([d2ced15](d2ced15))
* migrate prompt engineering artifacts to hve-core ([#182](#182)) ([718d21c](718d21c))
* resolve merge conflicts from main sync ([c6f6d1d](c6f6d1d))
* **rust:** standardize strip = true across release profiles ([#189](#189)) ([945ea28](945ea28))
* **security:** pin remaining unpinned dependencies (OSSF Scorecard) ([#497](#497)) ([39d385a](39d385a))
* **security:** remediate OSSF Scorecard vulnerability advisories ([#502](#502)) ([ba570c4](ba570c4))
* **shellcheck:** remove redundant SC1091 directives ([#220](#220)) ([d8d3b04](d8d3b04))
* simplify CODEOWNERS to use team-based ownership ([#137](#137)) ([ce8722a](ce8722a))
* **template:** modernize github issue templates to YML format ([#213](#213)) ([2e18b1b](2e18b1b))
* **tools:** add secretlint config ([#128](#128)) ([e3bd668](e3bd668))
* vulnerability remediation ([#409](#409) phases A-G), OSSF hardening, and Docusaurus migration completion ([#408](#408)) ([b6a3f08](b6a3f08))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: edge-ai-release-please[bot] <282732779+edge-ai-release-please[bot]@users.noreply.github.com>
Co-authored-by: Bill Berry <wberry@microsoft.com>
## Summary
Consolidates pending Rust and Python dependency security updates into a single PR to unblock CI. Every open PR currently fails the same two required checks (Cargo Audit and Security Scan / Grype) due to transitive dependency vulnerabilities. This PR resolves both blockers.
Supersedes: #413, #425, #430, #431, #432, #434, #435, #436, #437, #438, #439, #440, #441, #442, #443
## Root Causes & Fixes

| Root cause | Fix |
|---|---|
| `rand`, `openssl`, and `rustls-webpki` in transitive deps | `cargo update` across all 14 Rust workspaces bumps to patched versions |
| `openssl` (0.10.73/74/76), `rand` (0.8.5/0.9.2), `rustls-webpki`, and `lxml` (5.3.0) | |

## Changes
- **Rust `Cargo.lock` updates** (14 files, lockfiles only — no `Cargo.toml` changes): `cargo update`
- **Python dependency update** (1 service): `src/500-application/510-onvif-connector/services/onvif-camera-simulator/` — lxml 5.3.0 → 6.1.0 in `requirements.in` (clears GHSA-vfmq-68hx-4jfw); `requirements.txt` regenerated with `uv pip compile --generate-hashes`

## Verification
- `cargo audit --deny warnings` passes on all 14 Rust crates with `.github/audit.toml` config
- `grype dir:. --config .grype.yaml` returns exit 0 in a clean checkout (only Medium-severity `uuid` npm finding remains, below `fail-on-severity: high` threshold)
- `govulncheck ./...` passes on both Go modules (unchanged from main — no Go-related changes in this PR)
- No `Cargo.toml`, Go module, source code, or behavioral changes

## Known Residuals (already suppressed)
- `rand 0.8.6` still appears in Grype scans (advisory fixed-in is 0.9.3). Suppressed in `.github/audit.toml` via RUSTSEC-2026-0097. Blocked on upstream `azure_iot_operations_mqtt` releasing without `rand 0.8.x`.
- `rustls-webpki 0.102.8` (transitive via AIO SDK's rumqttc fork) suppressed in `.grype.yaml` via GHSA-pwjx-qhcg-rvj4.

## Impact on Other PRs
Once merged, Dependabot will auto-close the 15 superseded PRs when it detects the fixes on `main`. The remaining open PRs (#411, #422, #401, #427, #428, #429, #433) will have their two universal CI blockers resolved and can proceed through review.

🔒 - Generated by Copilot
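The residual suppressions in this PR (rand 0.8.6 ignored while the advisory's fixed-in is 0.9.3) are only safe while the ignored crate stays at exactly the version the rule was written for: cargo-audit's `[advisories] ignore` list is keyed by advisory ID, not by version, so once RUSTSEC-2026-0097 is ignored a later `cargo update` that lands on another still-vulnerable 0.8.x release would pass `cargo audit --deny warnings` silently. The script below is an added example, not part of PR #444 or the repository's own CI scripts. It parses the crate versions resolved in a `Cargo.lock`, classifies each one as suppressed (the pinned version), fixed (at or past fixed-in), or UNCOVERED (still vulnerable and not what the rule was written for), and reports a STALE suppression once the pinned version has disappeared so the ignore entry gets removed rather than carried forward. The lockfile it reads is constructed inline: the `azure_iot_operations_mqtt` 0.9.0 entry and the second `rand` at 0.9.4 are assumptions for the demo, while the crate, suppressed version and fixed-in value come from the PR text.

```bash
#!/usr/bin/env bash
# Added example, not from PR #444 or the project's CI. Keeps a version-scoped
# vulnerability suppression honest: any resolved version other than the one
# the ignore rule was written for either must be at/past fixed-in or fails
# the gate, and a rule whose version has vanished is reported as stale.
set -eu

# lock_versions <Cargo.lock> <crate>: print every resolved version of <crate>.
# In Cargo.lock each [[package]] lists `name = "..."` before `version = "..."`.
lock_versions() {
  awk -v crate="$2" '
    /^\[\[package\]\]/ { name = "" }
    /^name = /         { gsub(/"/, "", $3); name = $3 }
    /^version = /      { gsub(/"/, "", $3); if (name == crate) print $3 }
  ' "$1"
}

# version_ge <a> <b>: succeed when dotted numeric version a >= b
# (missing components count as 0, so 1.0 == 1.0.0; no pre-release handling).
version_ge() {
  local a="$1" b="$2" x y
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
    case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  return 0
}

# check_suppression <Cargo.lock> <crate> <suppressed-version> <fixed-in>
# One verdict line per resolved version, plus STALE when the suppressed
# version is no longer present. Returns 1 if any UNCOVERED version exists.
check_suppression() {
  local lock="$1" crate="$2" pinned="$3" fixed="$4" v seen=0 bad=0
  for v in $(lock_versions "$lock" "$crate"); do
    if [ "$v" = "$pinned" ]; then
      echo "suppressed $crate $v"; seen=1
    elif version_ge "$v" "$fixed"; then
      echo "fixed $crate $v"
    else
      echo "UNCOVERED $crate $v"; bad=1
    fi
  done
  [ "$seen" -eq 1 ] || echo "STALE $crate $pinned"
  return "$bad"
}

# write_sample_lock <path>: constructed Cargo.lock fragment for the demo (not a
# real lockfile from the repo). rand resolves twice: 0.8.6 pulled in by an
# assumed azure_iot_operations_mqtt 0.9.0, and 0.9.4 used directly.
write_sample_lock() {
  cat > "$1" <<'EOF'
version = 4

[[package]]
name = "azure_iot_operations_mqtt"
version = "0.9.0"
dependencies = [
 "rand 0.8.6",
]

[[package]]
name = "rand"
version = "0.8.6"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rand"
version = "0.9.4"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rustls-webpki"
version = "0.102.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
EOF
}

main() {
  local lock
  lock=$(mktemp)
  write_sample_lock "$lock"
  # The rule as described in the PR: rand 0.8.6 ignored, advisory fixed-in 0.9.3.
  check_suppression "$lock" rand 0.8.6 0.9.3 || echo "gate: FAIL"
  rm -f "$lock"
}

main
```

Run it against every `Cargo.lock` the gate covers after each `cargo update`; a non-zero exit from `check_suppression` is the same fail-closed signal the CI security gate should give, and a STALE line means the ignore entry in `.github/audit.toml` has outlived the version it was written for. The same pattern applies to the Grype ignore for `rustls-webpki 0.102.8`, which is why that rule should carry the package version rather than only the GHSA ID.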