Skip to content

fix(security): suppress uv-missing-dependency-cooldown on agent/pyproject.toml (#532)#539

Merged
krokoko merged 4 commits into
mainfrom
fix/532-uv-dependency-cooldown
Jul 10, 2026
Merged

fix(security): suppress uv-missing-dependency-cooldown on agent/pyproject.toml (#532)#539
krokoko merged 4 commits into
mainfrom
fix/532-uv-dependency-cooldown

Conversation

@mandeep408

Copy link
Copy Markdown
Contributor

What

Suppress the semgrep uv-missing-dependency-cooldown finding on agent/pyproject.toml via a justified nosemgrep, rather than adding a global exclude-newer cooldown.

Fixes #532.

Why not the originally-proposed exclude-newer = "7 days"

Verified that a global relative cooldown is structurally incompatible with this repo's exact == pins: several pins (fastapi, bedrock-agentcore, boto3) are to versions published inside any reasonable window, so exclude-newer makes uv lock/uv sync unsatisfiable and re-breaks on every fresh pin bump. Full analysis and the maintainer's approval reversal are in the issue thread — decision was Option B (justified nosemgrep).

The rule's threat model (surprise malicious/unstable version) is already covered by exact pins + committed uv.lock + reviewed upgrade-main PRs + uv sync --frozen in the image, so a global cooldown would be redundant and would fight the pinning workflow.

Change

One justified nosemgrep on the line preceding [tool.uv] in agent/pyproject.toml (+8 lines, comment + directive). Scope: agent/pyproject.toml only.

Verification (local, on this branch rebased atop merged #537)

Notes / follow-ups (separate, per maintainer)

  • Pin Semgrep / rule packs — root cause of this surfacing (semgrep = "latest" + --config auto).
  • Evaluate uv sync --frozen in the CI install task — ADR-009 / 2P track.
  • Separately observed: security:sast:masking fails on main (pre-existing, in cli/src/commands/jira.ts, linear.ts, cdk/src/handlers/shared/jira-feedback.ts) — unrelated to this PR; worth its own issue.

Co-Authored-By: Claude noreply@anthropic.com

…ject.toml (#532)

semgrep's uv-missing-dependency-cooldown rule wants a global exclude-newer
cooldown under [tool.uv]. Setting one is structurally incompatible with this
repo: deps are exact-pinned (==) and several pins (fastapi, bedrock-agentcore,
boto3) are to versions published within any reasonable cooldown window, so a
global exclude-newer makes `uv lock`/`uv sync` unsatisfiable and re-breaks on
every fresh pin bump.

The rule's threat model (surprise malicious/unstable version) is already
covered by exact pins + committed uv.lock + reviewed upgrade-main PRs +
uv sync --frozen in the image. Suppress with a justified nosemgrep on the line
preceding [tool.uv] rather than adding a redundant, workflow-breaking cooldown.

Approach approved by maintainer (Option B) in #532.

Verified: `mise run security:sast` -> 0 findings; `uv sync --all-groups` and
`uv lock --check` both resolve.

Fixes #532
Co-Authored-By: Claude <noreply@anthropic.com>
@mandeep408 mandeep408 requested review from a team as code owners July 7, 2026 22:00
@mandeep408 mandeep408 self-assigned this Jul 8, 2026
@mandeep408 mandeep408 added the approved When an issue has been approved and ready label Jul 8, 2026
@krokoko krokoko added this pull request to the merge queue Jul 10, 2026
Merged via the queue into main with commit b16f062 Jul 10, 2026
8 checks passed
@krokoko krokoko deleted the fix/532-uv-dependency-cooldown branch July 10, 2026 14:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved When an issue has been approved and ready

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(security): semgrep uv-missing-dependency-cooldown on agent/pyproject.toml (masked behind #530)

3 participants