
Patch cves #2028

Merged
moshemorad merged 1 commit into master from ROB-3294-fix-vulnerabilities on Mar 11, 2026

Conversation

@moshemorad
Contributor

No description provided.

github-actions bot commented Mar 11, 2026

Docker image ready for e9fe42a (built in 2m 53s)

⚠️ Warning: does not support ARM (ARM images are built on release only - not on every PR)

Use this tag to pull the image for testing.


⚠️ Temporary images are deleted after 30 days. Copy to a permanent registry before using them:

gcloud auth configure-docker us-central1-docker.pkg.dev
docker pull us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:e9fe42a
docker tag us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:e9fe42a me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:e9fe42a
docker push me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:e9fe42a

Patch Helm values in one line:

helm upgrade --install robusta robusta/robusta \
  --reuse-values \
  --set runner.image=me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:e9fe42a

coderabbitai bot commented Mar 11, 2026

Walkthrough

This pull request updates three dependency versions in pyproject.toml: cryptography (^43.0.1 → ^46.0.5), prometrix (0.2.9 → 0.2.11), and Pillow (^10.3.0 → ^12.1.1). No code logic changes are introduced.

Changes

Dependency Version Updates (pyproject.toml): updated cryptography to ^46.0.5, prometrix to 0.2.11, and Pillow to ^12.1.1.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • arikalon1
  • naomi-robusta
🚥 Pre-merge checks | ✅ 2 passed | ❌ 1 inconclusive

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive. No description was provided by the author, but the PR objectives indicate this is for patching CVEs, which relates to the dependency updates. Resolution: add a description explaining which CVEs are being patched and why the specific dependency versions were chosen.

✅ Passed checks (2 passed)

  • Title check: ✅ Passed. The title 'Patch cves' directly relates to the main change of updating dependencies to address CVE vulnerabilities.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
pyproject.toml (1)

56-59: Align the comment with the actual version constraint for cryptography.

Line 56 says this is “freezing a specific version,” but Line 59 uses ^46.0.5 (range). Either pin exactly (46.0.5) or update the comment to avoid misleading future CVE patching decisions.

Proposed edit
-cryptography = "^46.0.5"
+cryptography = "46.0.5"
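Review bot: the proposed exact pin `cryptography = "46.0.5"` fixes the comment/specifier mismatch but changes how future CVE patches land. With Poetry the exact resolved version already lives in poetry.lock, so the caret `^46.0.5` (>=46.0.5,<47.0.0) lets the next 46.x security release be picked up with `poetry update cryptography` and a lockfile-only diff, whereas an exact pin forces a pyproject edit every time and can make resolution fail if another dependency later needs a newer 46.x. If the only goal is an honest comment, change the comment ("allow 46.x at or above 46.0.5") rather than the specifier; if the team really wants to freeze, the pin should be justified in that comment so it is not loosened by the next patcher.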
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pyproject.toml` around lines 56 - 59, The comment above the cryptography
dependency is misleading because it says we're "freezing a specific version" but
the dependency uses a caret range (^46.0.5); update the pyproject.toml so the
comment and spec match: either change the version specifier for the dependency
named "cryptography" to an exact pin "46.0.5" if you intend to freeze, or modify
the comment to clearly state that a range (^46.0.5) is being allowed and why;
ensure the change is applied to the same cryptography entry so future CVE
patching is not confused.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pyproject.toml`:
- Around line 59-62: The lockfile is missing the dev-dependency Pillow ^12.1.1
referenced in pyproject.toml; run poetry lock to regenerate poetry.lock (or
poetry lock --no-update if you only want to resolve missing entries without
upgrading others) so Pillow 12.1.1 is captured, then commit the updated
poetry.lock; ensure the pyproject.toml entry "Pillow = \"^12.1.1\"" remains
unchanged and verify the lockfile lists Pillow 12.1.1 along with cryptography
and prometrix entries.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fc209096-9bc0-488d-9bf0-d48a20d27ce1

📥 Commits

Reviewing files that changed from the base of the PR and between fbdee55 and ffadfb8.

⛔ Files ignored due to path filters (1)
  • poetry.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • pyproject.toml
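The two review findings above (a caret range that the comment calls a "freeze", and a poetry.lock that does not carry the Pillow entry pyproject.toml asks for) are both things a pre-merge check can catch mechanically. The script below is an added example and is not Robusta's tooling or CodeRabbit's; it parses constructed fragments of pyproject.toml and poetry.lock that mirror this PR's constraints (Pillow deliberately left out of the lock), implements Poetry's caret and exact-pin semantics, and reports for every declared dependency whether the locked version is missing, in range, or out of range. Section names, the regexes, and the sample fragments are assumptions; it handles only simple `name = "spec"` entries, not Poetry's table-form dependencies.

```python
"""Audit a Poetry lockfile against the constraints in pyproject.toml.

Added example for this PR page, not project code.  Both inputs are
constructed fragments shaped like the files this PR touches.
"""
import re

# Sections whose entries are treated as declared dependencies (assumed list).
DEP_SECTIONS = {
    "[tool.poetry.dependencies]",
    "[tool.poetry.dev-dependencies]",
    "[tool.poetry.group.dev.dependencies]",
}

# Constructed pyproject fragment mirroring the specifiers set by this PR.
PYPROJECT = '''
[tool.poetry.dependencies]
python = "^3.9"
cryptography = "^46.0.5"
prometrix = "0.2.11"

[tool.poetry.dev-dependencies]
Pillow = "^12.1.1"
'''

# Constructed lockfile fragment; Pillow is deliberately absent to reproduce
# the "lockfile is missing Pillow" finding from the review.
POETRY_LOCK = '''
[[package]]
name = "cryptography"
version = "46.0.5"

[[package]]
name = "prometrix"
version = "0.2.11"
'''


def parse_version(s):
    """'46.0.5' -> (46, 0, 5); shorter strings are right-padded with zeros."""
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (3 - len(parts))


def caret_range(spec):
    """Poetry caret rule: bump the first non-zero component for the upper bound.
    '^46.0.5' -> ((46,0,5), (47,0,0)); '^0.2.9' -> ((0,2,9), (0,3,0))."""
    lo = parse_version(spec.lstrip("^"))
    for i, part in enumerate(lo):
        if part:
            hi = lo[:i] + (part + 1,) + (0,) * (len(lo) - i - 1)
            return lo, hi
    return lo, (0, 0, 1)  # degenerate ^0.0.0; nothing realistic sits here


def satisfies(locked, spec):
    """True if the locked version is allowed by the pyproject specifier.
    A bare version string in Poetry means exact equality."""
    lv = parse_version(locked)
    if not spec.startswith("^"):
        return lv == parse_version(spec)
    lo, hi = caret_range(spec)
    return lo <= lv < hi


def parse_pyproject(text):
    """Return {normalised name: specifier} for simple 'name = "spec"' entries."""
    deps, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line
            continue
        m = re.match(r'^([A-Za-z0-9_.\-]+)\s*=\s*"([^"]+)"$', line)
        if m and section in DEP_SECTIONS and m.group(1).lower() != "python":
            deps[m.group(1).lower()] = m.group(2)
    return deps


def parse_lock(text):
    """Return {normalised name: version} from [[package]] blocks."""
    locked = {}
    for chunk in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', chunk, re.M)
        version = re.search(r'^version = "([^"]+)"', chunk, re.M)
        if name and version:
            locked[name.group(1).lower()] = version.group(1)
    return locked


def audit(pyproject_text, lock_text):
    """Map each declared dependency to 'ok', 'missing' or 'out-of-range <v>'."""
    deps, locked = parse_pyproject(pyproject_text), parse_lock(lock_text)
    report = {}
    for name, spec in deps.items():
        if name not in locked:
            report[name] = "missing"          # needs `poetry lock`
        elif satisfies(locked[name], spec):
            report[name] = "ok"
        else:
            report[name] = f"out-of-range {locked[name]}"
    return report


if __name__ == "__main__":
    for name, status in audit(PYPROJECT, POETRY_LOCK).items():
        print(f"{name:12s} {status}")
```

Run it as a CI step after `poetry lock` to fail the build whenever a dependency bumped for a CVE is not actually carried by the lockfile, which is the state the review flagged for Pillow here; the same `satisfies` check also makes the caret-versus-exact distinction from the nitpick explicit.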

@moshemorad moshemorad merged commit 80dd13e into master Mar 11, 2026
7 checks passed
@moshemorad moshemorad deleted the ROB-3294-fix-vulnerabilities branch March 11, 2026 17:55
2 participants