Migrate to Poetry packaging and restructure codebase #21

Merged
Sudo-Ivan merged 23 commits from codebase-improvements into master 2025-12-01 18:24:25 +00:00
2 changed files with 4 additions and 4 deletions
Showing only changes of commit 94d91c4934 - Show all commits

poetry.lock generated

@@ -1518,4 +1518,4 @@ propcache = ">=0.2.1"
[metadata]
lock-version = "2.1"
python-versions = ">=3.11"
content-hash = "8ae392a5c674d2f2983f9696c11fa80ac5154b5cf17e8660c10b38f1a2342a02"
content-hash = "dee816aa85ed74bf00c5a27a7744997ac7aaf4ce0c2c9b165a45a43c2be9aaa8"
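Review bot: only the `content-hash` line of poetry.lock is shown changing in this commit, and that hash is derived from the dependency block in pyproject.toml, so the hunk proves the lock was regenerated but not that the resolved aiohttp, peewee and websockets entries actually moved to releases satisfying the new floors. Confirm the package tables in the full file, and add `poetry check --lock` to CI so a pyproject.toml change without a matching regenerated lock fails the build instead of being resolved fresh at install time. Note also that `lock-version = "2.1"` is the format written by Poetry 2.x; pin the Poetry version used in CI and in the contributor docs so older Poetry installs do not produce a diverging lock.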

pyproject.toml
@@ -24,12 +24,12 @@ classifiers = [
]
requires-python = ">=3.11"
dependencies = [
"aiohttp>=3.12.14",
"aiohttp>=3.13.2",
"lxmf>=0.9.3",
"peewee>=3.18.1",
"peewee>=3.18.3",
"psutil>=7.1.3",
"rns>=1.0.4",
"websockets>=14.2",
"websockets>=15.0.1",
]
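Review bot: the aiohttp and websockets bumps in this hunk are currency bumps, not vulnerability fixes, and the commit rationale should say so. By the review's own findings the previous floor `aiohttp>=3.12.14` already carried every fix it lists (CVE-2024-30251 and CVE-2024-27306 were fixed in 3.9.4, CVE-2025-53643 in 3.12.14), and no 14.2-specific advisory was found for websockets. The one floor change that closes a cited issue is `peewee>=3.18.3` (PVE-2025-81123). Two checks before merge: the untouched `lxmf>=0.9.3` floor is newer than both releases the review's sources could find (0.9.2 and 0.7.1), so make sure that version exists on the index the lock was resolved against rather than trusting those sources; and since a `>=` floor permits any later release on a fresh resolve, the protection that actually ships is whatever poetry.lock pins, so production installs should go through `poetry install` from the lock and not an unpinned `pip install`. Separately from the version floor, the request-smuggling issue the review cites only affects the pure-Python parser, so verify the deployment image imports the compiled parser (`python -c 'import aiohttp._http_parser'` succeeds) and that `AIOHTTP_NO_EXTENSIONS` is not set in its environment.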
coderabbitai[bot] commented 2025-12-01 06:13:57 +00:00 (Migrated from github.com)
Review

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

aiohttp latest version 2025 security vulnerabilities

💡 Result:

As of Dec 1, 2025 the latest aiohttp release on PyPI is 3.13.2 — upgrade to the latest release. [1]

Notable 2024–2025 security issues you should be aware of

  • CVE-2025-53643 — HTTP request‑smuggling in the pure‑Python parser (affects aiohttp < 3.12.14); patched in 3.12.14. If you run aiohttp without its C extensions or set AIOHTTP_NO_EXTENSIONS, you are affected. [2][3]
  • CVE-2024-30251 — crafted multipart POST can cause an infinite‑loop DoS; fixed in 3.9.4. [4]
  • CVE-2024-27306 — XSS in static file index pages; fixed in 3.9.4 (disable show_index or use a reverse proxy if you can’t upgrade). [5]

Recommendation

  • Upgrade to the latest aiohttp (>= 3.12.14 — ideally 3.13.2). Verify whether your deployment uses the C extensions (if not, the CVE-2025-53643 risk applies) and apply the upgrade in testing before production. [1][2][3]

Sources
[1] PyPI aiohttp release details (v3.13.2).
[2] NVD — CVE‑2025‑53643 (request smuggling).
[3] Ubuntu / GitHub advisory summary for CVE‑2025‑53643.
[4] GHSA / advisory for multipart infinite‑loop DoS (CVE‑2024‑30251).
[5] CVE details / GitHub advisory for XSS in static index pages (CVE‑2024‑27306).


🌐 Web query:

websockets latest version 2025 security vulnerabilities

💡 Result:

Do you mean (pick one):

  1. the WebSocket protocol in general,
  2. a specific library (e.g., Python "websockets", Node "ws", browser implementations), or
  3. WebSocket-related vulnerabilities reported in 2025 across projects?

🌐 Web query:

pypi aiohttp 3.12.14 security advisory

💡 Result:

Summary: aiohttp has a request-smuggling vulnerability (CVE-2025-53643) in its pure‑Python HTTP parser that fails to parse trailer sections. Affects aiohttp < 3.12.14; fixed in 3.12.14. Upgrade to >= 3.12.14 (or ensure C extensions are enabled) to mitigate. (nvd.nist.gov)

Citations:
  1. https://nvd.nist.gov/vuln/detail/CVE-2025-53643?utm_source=openai

🌐 Web query:

pypi websockets 14.2 security advisory

💡 Result:

Short answer: there is no project security advisory or CVE specifically for websockets 14.2; the project's 14.2 changelog (Jan 19, 2025) lists features/bug fixes but no security fix. Some vulnerability databases list websockets versions (including 14.x) as affected by older CVEs and recommend upgrading — the current recommended secure release is 15.0.1. [1][2][3]

Sources

  • websockets 14.2 changelog (no security advisory listed). [1]
  • Safety DB package page (flags known vulnerabilities across versions and recommends v15.0.1). [2]
  • PyPI websockets project page / release history. [3]

🌐 Web query:

peewee latest version 2025 security vulnerabilities

💡 Result:

As of Dec 1, 2025 the latest Peewee release is 3.18.3 — upgrade to it to get the newest fixes. [1][2]

Known security issues (most relevant):

  • PVE-2025-81123 — a vulnerability affecting versions <3.18.3 (fixed in 3.18.3). [1]
  • PVE-2024-64952 — a race condition fixed in 3.17.1. [1]
  • PVE-2021-34337 — older cryptography-related issue (fixed in 2.10.0). [1]

Recommendation: upgrade to peewee==3.18.3 and review your dependency tree (vendor/distribution packages may lag). Verify fixed versions in your environment (PyPI/distribution package) before deploying. [1][2]

Sources:
[1] Peewee package security summary (Safety DB).
[2] Fedora package updates showing peewee 3.18.3.


🌐 Web query:

psutil latest version 2025 security vulnerabilities

💡 Result:

Latest psutil release: 7.1.3 (released 2025-11-02). (piwheels.org)

Known/security-relevant issues reported recently:

  • CVE-2019-18874 — double-free / denial-of-service (affects older ≤5.6.5; fixed in 5.6.6). (data.safetycli.com)
  • CVE-2024-12718 — directory-traversal/unsafe extraction issue reported for a packaged python39-psutil (disclosed Jun 3, 2025). (security.snyk.io)
  • CVE-2025-0938 — improper input validation advisory published (disclosed Jan/Feb 2025; vendor/packaging-specific fixes vary). (security.snyk.io)

If you want, I can: (a) check whether your installed psutil version is affected and show mitigation/fix versions, or (b) fetch upstream GitHub / PyPI security/CHANGELOG entries for 7.1.3.

Citations:
  1. https://www.piwheels.org/project/psutil/?utm_source=openai
  2. https://data.safetycli.com/vulnerabilities/CVE-2019-18874/37765/?utm_source=openai
  3. https://security.snyk.io/vuln/SNYK-CENTOS8-PYTHON39PSUTIL-10414152?utm_source=openai
  4. https://security.snyk.io/vuln/SNYK-CENTOS8-PYTHONPSUTIL-8812913?utm_source=openai

🌐 Web query:

lxmf latest version 2025 security vulnerabilities

💡 Result:

Summary (as of Dec 1, 2025)

  • Latest published LXMF release: 0.9.2 (listed by Safety DB as latest). [1]
  • PyPI latest uploaded release I found: 0.7.1 (May 15, 2025). [2]
  • No known security vulnerabilities reported for LXMF in the sources I checked. [1]

Sources

  1. Safety DB package page for lxmf (latest version 0.9.2; no known vulnerabilities). [1]
  2. PyPI lxmf release (v0.7.1, uploaded May 15, 2025). [2]

Would you like me to: (A) check GitHub release tags and commit history directly for 0.9.2 and release dates, or (B) search CVE/NVD and vendor advisories for any additional vulnerability reports?


🌐 Web query:

rns python package latest version 2025 security vulnerabilities

💡 Result:

Latest PyPI release: rns 1.0.4 (uploaded Nov 22–23, 2025). [1]

Known security issues: public vulnerability record shows a race-condition advisory affecting versions < 0.0.8 (fixed in 0.0.8); no other high‑profile CVEs listed for current releases. [2]

Sources:
[1] PyPI rns project page (release files/metadata).
[2] SafetyDB advisory PVE-2023-60402 (rns race-condition; affected <0.0.8, fixed in 0.0.8).


Update dependency versions to address confirmed security vulnerabilities.

  • peewee: Update from 3.18.1 to 3.18.3 to fix PVE-2025-81123 vulnerability.
  • aiohttp: Update from 3.12.14 to 3.13.2 to reach the latest stable release. Note: The current minimum version (3.12.14) includes the CVE-2025-53643 fix but leaves CVE-2024-30251 and CVE-2024-27306 unpatched if the C extensions are not enabled.
  • websockets: Consider updating from 14.2 to 15.0.1 (latest recommended secure release).
🤖 Prompt for AI Agents
In pyproject.toml around lines 26 to 33, the pinned dependency versions include
known vulnerabilities; update peewee from 3.18.1 to 3.18.3, bump aiohttp from
3.12.14 to 3.13.2, and upgrade websockets from 14.2 to 15.0.1 in the
dependencies array so the file reflects the secure, recommended releases; ensure
the version strings match the existing format and run dependency resolution /
tests after updating.

Addressed in commits ac839df to c98131f
