
ROB-429 CVEminator 🤖 2026-06-23#2106

Merged
aantn merged 1 commit into
masterfrom
ROB-429-cveminator-2026-06-23
Jun 23, 2026

Conversation

@RoiGlinik (Contributor)

Next Steps

After merge, build and release a new image:

# us-central1-docker.pkg.dev/genuine-flight-317411/devel/robusta-runner — list tags by date, bump latest.
# Use ./build_and_test.sh / Skaffold to deploy the rebuilt image with CVE fixes.

Changes

| File | Change | CVE |
|---|---|---|
| pyproject.toml | requests = "^2.32.3" → requests = "^2.33.0" | CVE-2026-25645 |
| pyproject.toml | + filelock = ">=3.20.3" (new explicit pin, transitive via virtualenv) | CVE-2026-22701 |
| pyproject.toml | + virtualenv = "^20.36.1" (new explicit pin, transitive via pre-commit) | CVE-2026-22702 |
| poetry.lock | requests 2.32.5→2.34.2, filelock 3.20.1→3.29.4, virtualenv 20.35.4→20.39.1 | all three |

Caret kept on virtualenv (^20.36.1) to stay inside the 20.x line that pre-commit is known to work with — 21.x is a major bump and brought no extra CVE coverage we need.

Refs:

Test plan

  • docker build -t robusta-cve-test -f Dockerfile . — builds clean.
  • docker run --rm --entrypoint python3 robusta-cve-test -c "import requests, filelock, virtualenv; print(requests.__version__, filelock.__version__, virtualenv.__version__)"
    • requests 2.34.2 (≥ 2.33.0 ✓)
    • filelock 3.29.4 (≥ 3.20.3 ✓)
    • virtualenv 20.39.1 (≥ 20.36.1 ✓)
  • docker run --rm --entrypoint python3 robusta-cve-test -c "from robusta.runner import main" → imports OK (kube-config warning expected outside cluster).

Human in the loop

  1. New explicit pins for filelock and virtualenv (rows 2 and 3 of the changes table). They were transitive before; pinning them in pyproject.toml is the minimum-blast-radius way to force the resolver to pick the fix versions without touching pre-commit itself. Worth a quick sanity check that this matches the convention you want for transitive CVE fixes (the existing pyasn1 / h2 comments already follow the same pattern).
  2. virtualenv is constrained to the 20.x line (^20.36.1); 21.x is a fresh major and pre-commit 2.x had no reason to require it. If you'd rather track 21.x for other reasons, switch to >=20.36.1 and re-lock.

🤖 Generated with Claude Code

- requests ^2.32.3 -> ^2.33.0 (CVE-2026-25645)
- pin filelock >=3.20.3 (CVE-2026-22701, transitive via virtualenv)
- pin virtualenv ^20.36.1 (CVE-2026-22702, transitive via pre-commit)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
github-actions Bot commented Jun 23, 2026

Docker image ready for 91312a8 (built in 3m 4s)

⚠️ Warning: does not support ARM (ARM images are built on release only - not on every PR)

Use this tag to pull the image for testing.


⚠️ Temporary images are deleted after 30 days. Copy to a permanent registry before using them:

gcloud auth configure-docker us-central1-docker.pkg.dev
docker pull us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:91312a8
docker tag us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:91312a8 me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:91312a8
docker push me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:91312a8

Patch Helm values in one line:

helm upgrade --install robusta robusta/robusta \
  --reuse-values \
  --set runner.image=me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:91312a8

coderabbitai Bot commented Jun 23, 2026

Walkthrough

Three dependency constraints in pyproject.toml are updated for CVE remediation: requests is bumped from ^2.32.3 to ^2.33.0, and two new minimum-version pins are added — filelock >= 3.20.3 and virtualenv ^20.36.1 — each annotated with CVE-related comments.

Changes

Security dependency updates

| Layer / File(s) | Summary |
|---|---|
| CVE-driven dependency version pins (pyproject.toml) | requests raised to ^2.33.0; filelock pinned to >=3.20.3 and virtualenv to ^20.36.1, each with CVE-related inline comments. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The title 'ROB-429 CVEminator 🤖 2026-06-23' is partially related to the changeset but lacks clarity about the core changes; it references a ticket/task with a vague descriptor and emoji rather than summarizing the main change (CVE dependency updates). | Consider a more descriptive title such as 'Fix CVEs in requests, filelock, and virtualenv dependencies' or 'ROB-429: Update dependencies to address CVE-2026-25645, CVE-2026-22701, and CVE-2026-22702'. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description check | ✅ Passed | The description is well-structured and directly related to the changeset, providing detailed information about CVE fixes, version updates, testing verification, and post-merge steps. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


coderabbitai Bot left a comment

🧹 Nitpick comments (1)
pyproject.toml (1)

85-85: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Bound filelock to a compatible major range.

Line 85 uses >=3.20.3 with no upper bound, which can pull incompatible future major versions and make dependency resolution less predictable. Prefer a bounded range (^3.20.3 or >=3.20.3,<4).

Suggested change
-filelock = ">=3.20.3"
+filelock = "^3.20.3"
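Review bot: the suggested caret pin makes filelock consistent with how the same change pins virtualenv (^20.36.1, kept on its major line for the reason given in the PR description), so applying it is reasonable; if it is applied, poetry.lock (excluded from this review by the !**/*.lock path filter) must be re-locked, and the test plan's filelock check re-run so the lock still resolves to a 3.x release at or above 3.20.3. Row 2 of the changes table and the commit message should then say ^3.20.3 rather than >=3.20.3.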
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pyproject.toml` at line 85, The filelock dependency at line 85 in
pyproject.toml uses an unbounded constraint (>=3.20.3) which can pull
incompatible future major versions. Change the filelock version specification to
include an upper bound by using either the caret syntax ^3.20.3 (which restricts
to the 3.x series) or the explicit range >=3.20.3,<4 to ensure dependency
resolution remains predictable and compatible with the codebase.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c78c1b51-7477-4aad-83ed-a0971ad58128

📥 Commits

Reviewing files that changed from the base of the PR and between 7f40b28 and a5ae346.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pyproject.toml
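The test plan in the PR description checks the three installed versions by eye, and the nitpick above is about whether the filelock pin is bounded. The script below is an added example, not code from this PR or the Robusta project: it expands the Poetry-style constraints used in the changes table into explicit ranges (Poetry's caret rule: bump the leftmost non-zero component, zero the rest) and checks the versions reported by the test plan against them. The version strings are copied from the PR description; the function names and the `CONSTRAINTS`/`OBSERVED` tables are mine.

```python
"""Check resolved versions against the Poetry-style pins in this PR.

Added example, not Robusta project code. Caret expansion follows Poetry's
documented rule; the version numbers are the ones in the PR test plan.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Constraints as written in the PR's pyproject.toml changes.
CONSTRAINTS: Dict[str, str] = {
    "requests": "^2.33.0",
    "filelock": ">=3.20.3",    # unbounded, as merged
    "virtualenv": "^20.36.1",
}

# Versions printed by the test plan's `docker run ... __version__` check
# (constructed sample input for this example, copied from the PR text).
OBSERVED: Dict[str, str] = {
    "requests": "2.34.2",
    "filelock": "3.29.4",
    "virtualenv": "20.39.1",
}


def parse_version(text: str) -> Version:
    """Parse 'X', 'X.Y' or 'X.Y.Z' into a tuple of ints, padded to 3 parts."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a version: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def caret_upper_bound(lower: Version) -> Version:
    """Exclusive upper bound for a caret constraint: leftmost non-zero
    component plus one, everything to its right zeroed.
    ^2.33.0 -> <3.0.0, ^0.5.2 -> <0.6.0, ^20.36.1 -> <21.0.0."""
    for i, part in enumerate(lower):
        if part != 0:
            return lower[:i] + (part + 1,) + (0,) * (len(lower) - i - 1)
    # ^0.0.0 has no non-zero component; treat it as a single-patch range.
    return lower[:-1] + (1,)


def expand(constraint: str) -> Tuple[Version, Optional[Version]]:
    """Return (inclusive lower bound, exclusive upper bound or None).

    Handles the forms used in this PR: '^X.Y.Z', '>=X.Y.Z' and
    '>=X.Y.Z,<N'. Anything else is rejected rather than guessed."""
    spec = constraint.replace(" ", "")
    if spec.startswith("^"):
        lower = parse_version(spec[1:])
        return lower, caret_upper_bound(lower)
    lower: Optional[Version] = None
    upper: Optional[Version] = None
    for clause in spec.split(","):
        if clause.startswith(">="):
            lower = parse_version(clause[2:])
        elif clause.startswith("<") and not clause.startswith("<="):
            upper = parse_version(clause[1:])
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    if lower is None:
        raise ValueError(f"no lower bound in {constraint!r}")
    return lower, upper


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` lies inside the range `constraint` allows."""
    v = parse_version(version)
    lower, upper = expand(constraint)
    return v >= lower and (upper is None or v < upper)


def is_bounded(constraint: str) -> bool:
    """True if the constraint rules out some future major version."""
    return expand(constraint)[1] is not None


def audit(observed: Dict[str, str],
          constraints: Dict[str, str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each pinned package to (meets_pin, pin_is_bounded)."""
    return {
        pkg: (satisfies(observed[pkg], spec), is_bounded(spec))
        for pkg, spec in constraints.items()
    }


if __name__ == "__main__":
    for pkg, (ok, bounded) in audit(OBSERVED, CONSTRAINTS).items():
        lo, hi = expand(CONSTRAINTS[pkg])
        rng = ">=" + ".".join(map(str, lo))
        if hi:
            rng += ",<" + ".".join(map(str, hi))
        print(f"{pkg:<11} {OBSERVED[pkg]:<8} {CONSTRAINTS[pkg]:<10} -> {rng:<20} "
              f"{'ok' if ok else 'FAIL'}{'' if bounded else '  (unbounded major)'}")
```

Run it in an image built from the branch (or anywhere the three packages are importable) after replacing `OBSERVED` with `importlib.metadata.version(pkg)` for each package; the `audit` result shows both whether each fix version is actually present and which pins, like the merged filelock one, would also accept a future 4.x.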

@aantn aantn merged commit 328e004 into master Jun 23, 2026
7 checks passed
@aantn aantn deleted the ROB-429-cveminator-2026-06-23 branch June 23, 2026 18:51